You are viewing a single comment's thread from:
RE: Keychain Added to Steemit.com!
This sounds potentially useful for me.
Questions...
- In what ways is Keychain safer than simply saving private keys in our browser the normal way?
- Who will potentially have access to our data saved within Keychain?
These are very important questions.
While saving keys in the browser isn't really an issue, putting them into websites is. When you put a key into a website (or any data really) you're giving it to them and you have to trust that they don't misuse that data, either on purpose or accidentally, AND that the site doesn't get hacked. Many people have said that it doesn't matter if steemit.com gets hacked since the keys are only used on the client side, but that's not true. A hacker could modify the website code to steal the keys entered on the client side.
If you use keychain, then steemit.com or any other site never gets access to your keys. Instead they just request that the extension sign transactions with your keys on their behalf. This means that even if a site gets hacked or does something malicious they can never get your keys.
The code for keychain is open source and is available to anyone here: https://github.com/MattyIce/steem-keychain For the maximum security you can download the code straight from the repo and install it in your browser that way rather than through the chrome or firefox web stores. This ensures that even should the chrome web store account that publishes the extension get hacked and a malicious update be published, your keys would still be safe.
Thanks for the detailed response. This makes much more sense to me.
It is my understanding that the keychain extension is only compatible with desktop internet browsers. Are there plans (or is there even a benefit) for having a mobile version of keychain? If there is, I would vote for that worker proposal since it sounds like you did this basically for free.
Yes, Keychain is only for desktop browsers currently. I would love to do a mobile version and think it is very important for the Steem ecosystem but we just don't have the resources right now. I do plan to submit a worker proposal for that when/if the Steem worker proposal system goes live.
This would be fantastic!
I would love to use Partiko but they want your active key to sign in on mobile.
I simply don’t trust using my active key ever with Steem Connect on a mobile device.
Awesome! I will keep an eye out for it and certainly vote for that proposal when I see it. Thanks.
is there a way to save the password in keychain , so it will not ask it again and again everyday ? I put usually hard passwords and it's hard to remember and I don't like to entre the passoword everyday.
Would this be vulnerable to a user’s computer being hacked? If they gain access on client side then they would be able to gain access to anything their keychain can grant access to? There’s vulnerabilities at every point when there’s an exchange of sensitive information no matter what, correct?
Asking for clearer understanding of the purpose of the keychain. I thought the purpose of having the different keys was for security, if one is compromised others are still potentially safe? But if the keychain is compromised isn’t all of it unsafe?
With Keychain, malicious website code cannot steal your private keys. With Keychain, all signatures are made using the extension, which defaults to you approving every signature.
Using this model, you should never need to enter your Steem private keys into a website, which should greatly reduce the possibilities to have your keys compromised.
Re #1, I think the advantage of KeyChain is compared to single site posting key log-in is marginal, but compared to using a TTP solution like SteemConnect is massive, and Steemit Inc leading the way in implementing it is promising with respect to the potential of doing away with TTPs in the STEEM eco system all together.
It's a first step. An important first step towards a SteemConnect/SteemLogin)TTP free DApp eco system, and a first glimmer of hope after the public support for EIP that Steemit Inc hasn't completely lost all sense of direction.