Hi,
This is wrong:
"Everything could be done without your active key. Giving them your active key means they can transfer your steem."
You necessarily need the active key to change authorities (add or remove) of an account. This is at blockchain level and there is no other way to change account authorities. And there is no other way to use a service like steemauto except giving your posting key directly to an app, which is not recommended. Of course you can use any other method to authorize an app "with your active key" without using steemlogin. You can do that with any steem library or Keychain if you are not feeling secure with steemlogin.
As @futureshock and so steemlogin, we take security issues with steem users' accounts seriously. When you use steemlogin we can potentially access your keys, that's right, and that was always an issue with steemconnect, but we never do/did this; we don't store any keys more than needed and will never do it. Remember also this: when you use steemlogin on any app, this app doesn't see your keys but only receives an oauth token.
FYI we are not related to steemauto or any other team. We are offering this service for free and only to make things easier for dapps developers. We are publicly known people (you can even find our address on the web) and would never dare to hurt/rob anyone, in our eyes respect and trust are much more important than money.
There is no active posting key. It can be rather private posting key or private active key. And yes both have different uses.
Voting/posting use the private posting key, and other things like transfer or changing account authority require the private active key. There are also other keys, like the private memo key, which permits decoding memos encoded with your public memo key, etc.
In this case, you are not willing to give any key but just give the authority for an app to post for you. The other possibilities would be:
the app asks for your posting key and stores it (this is less secure than steemlogin, which has been tested for nearly 4 years now)
the app asks for your posting key with steemlogin, stores the received token and can reuse it. The issue with this solution is the following one: steemlogin tokens have an expiration time like all web tokens, so after a week this particular token becomes unusable and you would need to log in again to the app to obtain a new token... Which removes all interest in using a service like steemauto.
So in order to do that you are using your private active key to give posting authority to the app. Which means this app can post/vote for you whenever it needs/wants, and that until you revoke the posting authority, again using your private active key.
Well I'm sorry for you but I guess you just fell in with the wrong crowd as we all already did at least once.
Hopefully other witnesses will come to confirm all what I said there.
Best regards,
hightouch
It's me again...
can you share your website address?
Thank you for this comment @futureshock
However ... correct me if I'm wrong, but it seems that original steemauto never required active key. And this is the main reason why some users are hesitant and seriously worried to use "steem login" and new steemauto.
How could they (original steemauto) achieve it? Any idea?
Yours, Piotr
Dear @btcmillennial
I had the pleasure to talk to steem-supporter a few times (even in real life) and my impression is that this is a very hard-working developer with solid skills and very honest.
I hardly doubt that he is block.token/Aceh.point.
At the same time this re-created steemauto is using "steem login" to sign in. And this steem-login has as little to do with steemauto as steemconnect had to do with this tool in the past.
That's just to clarify that Steem-supporter isn't, in my opinion, having any bad intentions. However, at the same time I'm not sure who is behind "steem login" and it also worries me that it requires active key.
Yours, Piotr
I think Futureshock relaunched steemlogin!
Authorization of an app to do transactions requires active key. No keys are transmitted to the internet; steemconnect stores them in your computer system, steemlogin doesn't store anything so it asks for keys every time.
oh i completely missed this,
Let me explain you
We, as the application steemautp.app, need to upvote, post and claim rewards on your behalf, so we need you to give us your posting authority, which allows us to do all those operations. But at the blockchain level, if you want to authorize any app or revoke the app's authorization, you need to sign a transaction, which requires your active key. This does not mean that we have access to your private key. We have your posting authority at the blockchain level, provided to us by steemlogin, which is a frontend that makes it easier for us and you to sign any type of transaction on the chain.
Steemlogin will in no way save your keys, nor will we.
And yes, I am not #block.token or @aceh.point.
Thanks @futureshock for your wonderful reply.
I just requested posting scope, so basically it's the signer who asks for your active key. But I don't think you would want to get explained.
You need the active key to authorize the application, and the posting for the app to vote on your behalf.
hi @leveuf
I wonder if previous steemauto also required active key to authorize the app?
Some people say that it didn't.
Yes it did, you need to authorize the application, this requires active key! The key was managed by steemconnect (which stores posting and active keys in your computer and you can manage by your own set password), now it is managed by steemlogin (does not store any key). Posting key is to cast the votes. As authorization is one time, you weren't asked again for it, but posting was to log in every time needed.
You can also add or remove authorities of your account from SteemWorld with the tool Steem Auths.
Maybe it's a bug on the platform. I logged in using the private active key and succeeded.
Thank you.
You're welcome.
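Added example (not part of any comment in this thread, and not code from steemlogin or steemauto): the grant and revoke discussed above are a single `account_update` operation that edits the posting authority's `account_auths` and must be signed with the active key, while votes and posts need only posting authority. The account names, keys and helper names below are constructed placeholders.

```javascript
// Constructed sample: the posting authority from an account object.
// Account names and the public key are placeholders, not real values.
const samplePosting = {
  weight_threshold: 1,
  account_auths: [["some.other.app", 1]],
  key_auths: [["STM_PLACEHOLDER_POSTING_PUBLIC_KEY", 1]],
};

// Key role that must sign each operation type (subset of Steem operations).
const REQUIRED_ROLE = {
  vote: "posting",
  comment: "posting",
  claim_reward_balance: "posting",
  transfer: "active",
  account_update: "active", // changing authorities, as described in the thread
};

// Accounts that can currently vote/post for you without holding any of your keys.
function delegatedApps(posting) {
  return posting.account_auths.map(([name]) => name);
}

// Build the account_update operation that grants (grant=true) or revokes
// (grant=false) posting authority for `app`, and report which key role signs it.
function buildPostingUpdate(account, posting, memoKey, jsonMetadata, app, grant) {
  const others = posting.account_auths.filter(([name]) => name !== app);
  const auths = grant ? [...others, [app, posting.weight_threshold]] : others;
  // Keep entries sorted by account name.
  auths.sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0));
  const op = ["account_update", {
    account,
    posting: { ...posting, account_auths: auths }, // owner/active left untouched
    memo_key: memoKey,
    json_metadata: jsonMetadata, // pass the existing value through unchanged
  }];
  return { op, signWith: REQUIRED_ROLE[op[0]] };
}
```

Broadcasting the returned operation is left to whichever signer you trust (a Steem library, Keychain or steemlogin); that signing step is the only one that touches the private active key.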