RE: Warning to users using third party applications - Be extremely careful providing your keys to anyone or any site!

in #security · 4 years ago

I believe the SteemConnect tool stresses that your active key is not actually given to them and never leaves your browser, though I could be wrong. I also don't have the tech chops to verify this claim but I'd hope someone with a security background could do so by reviewing the application.
SteemConnect is attempting to be the trusted authentication tool to avoid having to give your keys to any sites that are built on the Steem blockchain, and we definitely need something like it.

I've been developing the SteemConnect2 tool and I can confirm that the WIF or password never leaves the user's browser. The password is directly turned into a WIF and used just a single time to create a signature for broadcasting an operation. The code is open source and can be reviewed here: https://github.com/adcpm/sc2. At the current stage it still requires you to trust the Busy team and that our server does not get corrupted. We are working with Steemit Inc. to address these concerns with code reviews and official hosting.

The fact that it doesn't leave your browser is not something that you can rely on. If they get compromised, it doesn't matter whether it goes to the server or not - the same code that keeps it in the browser today comes from that server.

In the event of a compromise, it could just serve you code that uploads your keys. How it works today is irrelevant to the security model.

PS: we are actively working on SteemConnect 2 to address this issue of risk and trust.

Wouldn't a local browser solve everything?

Yes, I have heard something along those lines too - thank you for pointing that out. That is why I do still trust it. No matter how much is done though, there is still some level of trust that when you click the button the tool is behaving the way we expect it to. You can never be too careful, they say :)