Steemit's Security Values & How Steem Keychain Can Help

Posted in #steemit, 6 years ago


There have been many updates to the Steem Keychain browser extension since its initial launch three months ago, and I sincerely apologize for not having posted about them in all this time.

Most of you have hopefully already seen the updates in the extension anyway, so please show your appreciation to @stoodkev who is the primary developer responsible for it.

In any case, I promise I will post about all of the new and upcoming features soon, but first I wanted to talk about something in SteemIt, Inc's recently published Mission, Vision, and Values statement which you can read here: https://steemit.com/about.html

Under the "Security" section, which is one of the Values, it says the following (emphasis mine):

"This principle has led us to preferred use of client-side signing for cryptocurrency use on steemit.com, which means all transactions are pushed by the user while Steemit, Inc. never has access to, nor sees the user's private keys."

This statement immediately jumped out at me because it is not true as written. Steemit.com, Steem Connect, and many other Steem-based sites require you to enter your private key into a text field on the website in order to log in and use the site. Signing does happen in the browser, but the key sits in a page whose code the site operator delivers and controls, so the site operator does have access to your private key. We simply have to trust that they do not read it, and we have to trust that the servers hosting the website have not been compromised by someone who would.

This is the exact reason the Steem Keychain browser extension was created. It lets websites ask the extension to sign and broadcast transactions on their behalf, so the user never has to enter a private key into the site at all; the site only ever sees the resulting signature. This means that even with a malicious site operator, or a compromised server, your keys stay inside the extension.

@eonwarped has generously donated his time to integrate the Steem Keychain extension into the condenser code that runs steemit.com and has submitted a pull request to merge that code into the main condenser code repository so that it can be put live on steemit.com. You can try out a version of condenser with Steem Keychain integration right now at https://cryptoempirebot.com which @eonwarped is hosting.

Many people I speak to about the Steem platform, who are more familiar with using apps on other blockchain platforms such as Ethereum, balk at the idea of having to put their private key into a website, and cannot believe that is how things are done here. It is great that we can now tell them to use the Steem Keychain extension instead, which alleviates that concern, but unfortunately it is still not integrated into many Steem-based sites, including, most importantly, steemit.com.

If Steemit, Inc really does value security, I would strongly urge them to work with us to get the pull request merged and add Steem Keychain support to steemit.com. If the community also agrees, @aggroed and I would appreciate your support by voicing your opinion to try to make this happen.

In the meantime, I would encourage all of you to check out https://steeve.app which is a fantastic front-end for the Steem blockchain and also includes full Steem Keychain support.

For those of you not familiar with the Steem Keychain extension, you can read about it in our introductory post, and download it for the Google Chrome or Brave web browsers here (Firefox and Opera support coming soon).




Why you always sleep not post

Magic Dice has rewarded your post with a 66% upvote. Thanks for playing Magic Dice.

I thought that Steemit.com doesn't store keys and is a client-side app.

I have a few questions:

  1. How are my keys stored in Keychain?
  2. It's been 3 months and no Firefox support yet? When do you plan to do it?

Posted using Partiko Android

It is a client-side app. The difference between Keychain and what Condenser (Steemit.com) does is that in Condenser the signing code is sent to the client via HTTP and executed client-side. In Keychain the signing code is built into a browser extension. With the code in an HTTP web response, the server could potentially serve malicious code which reads your keys and sends them to the server. It would even be possible to do this selectively. With a browser extension, malicious code would have to be embedded in an update for the extension, and it would likely be quickly detected by the community. Thus having the code which handles keys only in a browser extension is safer than allowing a web app to handle your keys directly, even if it is generally only done client-side.

Thank you for explanation :)

I thought that Steemit.com doesn't store keys and is a client-side app.

That's right, they don't store your keys and everything is done on the client side. The whole point is that since you're putting your key into a site that they control, they can store your keys and send them to the server side, but we have to trust that they don't. Even if I trust Steemit, Inc, what if someone hacks into the server hosting steemit.com and edits the code for the login page to send all keys entered to their server? Thousands of keys (many likely master passwords) would be stolen very quickly.

To answer your questions:

  1. How are my keys stored in Keychain?

Keys are stored locally, encrypted, in the extension. When using keychain, a website will request that the extension sign and broadcast transactions for it, so that the website never gets access to your keys. If you're concerned that we can access your keys since we created the extension, or that the account publishing the extension could be hacked, that is a valid concern. In that case you can download the extension code from GitHub and install it locally.

  2. It's been 3 months and no Firefox support yet? When do you plan to do it?

Sorry we're not moving as fast as you would like here...We're spending a lot of time and money developing this free tool to help improve and grow the Steem platform. If you would like things to move faster we would be happy for you to pitch in and help out!

Posted using Steeve, an AI-powered Steem interface

Yes, you're right, but here's why Keychain is still a better solution (IMO):

  1. It's MUCH easier to install and run the Keychain extension locally than it is to do the same for Condenser.
  2. If you use the Keychain extension then you can securely use your keys on ANY Steem-based website that supports Keychain (which will hopefully be almost all of them in the near future), whereas you can't realistically install and run every Steem-based website you want to use locally.
  3. It avoids copy/paste errors. I know I've forgotten that I had a private key copied to my clipboard from logging into a Steem-based site and accidentally pasted it somewhere it wasn't supposed to go. Luckily I never published it or anything, but I know people who have and who lost funds because of it.

Lastly, aside from the security aspects, it's a really useful tool, especially if you manage multiple Steem accounts. At this point I couldn't imagine using Steem without it.

Is there a way to verify that the code that I install from the Chrome Web Store is the same as on GitHub?

When you install an extension from the Chrome web store, it simply downloads the files and drops them into a folder for Chrome to access. So yes, you can verify by running a diff on the folder vs. the GitHub repository. Or download directly from GitHub, skipping the web store.

Thank you for your conversation.

Yaba, how about you spend your time doing something for steem that we really need, if you have all this energy, like running and paying for an instagram campaign to promote steem, and organize your followers with a trending post to register to post on reddit with you maybe meet in a discord and all upvote and post about steemit... or do it in stealth to avoid getting banned by reddit for brigading.. but come on breaking the reddit rules is so sweet and we can totally take over reddit with our numbers but in a polite way, maybe do a steemit post once every other day..... hey man

hey man, in the words of @walden ,lets go, lets go mother fucker, huh?

U gonna sell some of ur steem monthsers to us huh? Overpriced SHEET

hah cant u imagine walden sayin that?

Thanks for all the work @yabapmatt!!

Thank you :)

If I will have any time, maybe I will take a look into code to see if I can help.

I'm fairly certain you can use Chrome extensions on Firefox. Not positive if this one will work or not.

I tried, didn't work for me.

Dang, that sucks. I just bit the bullet and started using Chrome lol

I'll optimize the extension for Firefox in the near future.

shouldnt you be using golos? :P dasvidonyetsk

Looking forward to seeing it live in condenser! Awesome job @eonwarped!
For Firefox users, optimizing the extension for your browser will be on my plate in the near future.
For Opera users, you can already use it but you'll need to install "Install Chrome extensions" from the Opera store first.

ǝɹǝɥ sɐʍ ɹoʇɐɹnƆ pɐW ǝɥ┴

Bahahaha

thanks for great info

Adding keychain to my browser is still on my "to-do" list, so I couldn't add any meaningful comment to this post. I got as far as downloading the chrome browser weeks back, transferring my bookmark favorites over, and "saved" the rest for another day. Another day turned into another day and another day..but it is definitely on my list!

On a side note, Mello mentioned the meetup a couple weeks back and I saw part of it on the youtube video. I was there in spirit! He shared some exciting news. We will definitely look into the opportunity. I hope all is well with you!

I've tried to use the browser extension with steeve.app but I am getting problems. Is that an issue with steeve or the extension?

(attached screenshot: Bildschirmfoto 2019-01-21 um 18.04.31.png)

It looks like you just need to add the private memo key to keychain for your account. If you open up the extension and go into settings -> Manage Accounts you should be able to enter the key there.

Posted using Steeve, an AI-powered Steem interface

That's actually something I was wondering about - wouldn't it be simpler to authenticate via posting-key? Most people add at least their posting-key and just a few, who know what the memo key is, are adding that one as well, IMO.

Yea that's a good point. I'll reach out to the steeve team about that.

Condenser uses the posting key to sign a challenge message to the server, so likely this can change the mechanism too. That's something Keychain can do now.

Platform problems with the Steve App? Pepperidge Farm remembers... Try a lil Kerosine oil.

Keychain is not only the most secure App to access other Steem related sites. It also functions as a great Web Wallet as well. You can send / receive Steem to anyone or just claim your rewards and manage delegations.
I hope steemit.inc sees the great user potential here and will integrate Keychain soon!

This story was recommended by Steeve to its users and upvoted by one or more of them.

Check @steeveapp to learn more about Steeve, an AI-powered Steem interface.

Does keychain support escrow transactions?

Posted using Partiko Android