
RE: Hate putting private keys into websites? Introducing Steem Keychain!

in #steem 6 years ago (edited)

Thank you for your work on this and I sure appreciate that it offers a faster and simpler option. I'm not technical, so I don't understand a lot of these things, but my understanding is that browser extensions are not really that secure either. I've always been told it is kind of sketchy to use your password with an extension. Am I wrong there?


This is an important conversation so thank you for bringing it up. As far as I know the security concerns around browser extensions primarily come from fake extensions being listed in the stores that impersonate real ones to steal keys. As long as you are careful to only install and use the legitimate version at the link I shared above there should be no security concern.

I think the fact that Metamask has been widely used for storing Ethereum private keys for a long time now shows that browser extensions can be a secure and user-friendly way to transact on blockchains, and we have built Steem Keychain to work as similarly to Metamask as possible.

With extensions you are placing a large amount of trust in the developer and the codebase. For example, the extension requires permission to:

Read and change all your data on the websites you visit

Hence, a malicious developer could not only steal your Steem credentials but possibly even other types of personal content.

I happen to know @yabapmatt is not malicious. However, there is still the possibility that his account gets hacked and a malicious version of the extension is released to the Chrome store. I'm not sure how common this type of attack is and what sort of screening extensions undergo to prevent this.

So in summary, browser extensions can be secure, as, if implemented properly, they perform all sensitive tasks client-side, which is good, but they can also easily leak sensitive data should they be poorly engineered or created/hijacked by an attacker. Please add to my understanding if it's incomplete.

You have the ability to download the extension to your hard drive and tell Chrome to load it locally. Your copy of the extension would then be updated only when you update the code manually.

And how do you download the extension to local HD?

Hi @haejin

The following instructions have been written for a Mac computer, but for a Windows computer, it's very similar:

  • Go to the Steem Keychain Git repository: https://github.com/MattyIce/steem-keychain
  • Click on the "Clone or Download" green button
  • Select "Download ZIP"
  • Once the ZIP file downloads successfully, unzip it somewhere on your local HD. For the purpose of this mini-guide, I will assume you have unzipped it under Documents/steem-keychain-master
  • Now, launch Chrome and in the address bar, type chrome://extensions
  • On the top right of the screen, enable the "Developer mode"
  • Now you have three new buttons showing at the top left, click on "Load unpacked"
  • Browse to Documents
  • Click on the folder steem-keychain-master
  • Click on the "Select" button
  • You should now see the extension appearing on the screen

To upgrade you will have to download and unzip again and overwrite the files on your local hard drive, then go back to chrome://extensions and click the circular arrow icon to reload the extension. Verify its version number to confirm the upgrade.

This is what Chrome extension developers do to test their extensions before uploading them to the Chrome Web Store.
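An added example (not part of this thread or of the Steem Keychain project): a small Python script that inspects the manifest.json of an unzipped extension before you click "Load unpacked", reporting its version and whether its host patterns amount to the "Read and change all your data on the websites you visit" permission discussed above, plus a version comparison for confirming a manual upgrade. The manifest contents embedded below are a constructed sample, not the real extension's manifest.

```python
import json
import sys

# Constructed sample manifest standing in for the manifest.json inside the
# unzipped Documents/steem-keychain-master folder; values are illustrative only.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Keychain (constructed sample)",
    "version": "1.2.3",
    "permissions": ["storage", "tabs", "https://*/*", "http://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Any of these host patterns is what Chrome summarises as
# "Read and change all your data on the websites you visit".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Every host match pattern the manifest requests: host entries in
    permissions / optional_permissions (MV2), host_permissions (MV3) and
    content_scripts matches."""
    found = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        found += [p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        found += script.get("matches", [])
    return found

def audit(manifest_text):
    """Summarise what loading this extension would grant."""
    m = json.loads(manifest_text)
    hosts = host_patterns(m)
    return {
        "name": m.get("name", ""),
        "version": m.get("version", ""),
        "api_permissions": [p for p in m.get("permissions", []) if p not in hosts],
        "hosts": hosts,
        "all_sites": any(h in BROAD_HOST_PATTERNS for h in hosts),
    }

def is_upgrade(old, new):
    """True if dotted version string `new` is strictly newer than `old`
    (Chrome versions are 1-4 dot-separated integers; missing parts count as 0)."""
    def parse(v):
        parts = [int(x) for x in v.split(".")]
        return tuple(parts + [0] * (4 - len(parts)))
    return parse(new) > parse(old)

if __name__ == "__main__":
    # Usage: python audit_manifest.py [path/to/manifest.json]; no path uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(audit(text), indent=2))
```

Run it against the real unzipped folder's manifest.json and compare the reported version with what chrome://extensions shows after reloading.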

Thanks! Very helpful!
Would an upgrade wipe out prior entered keys?
If one had used SteemConnect or entered keys via copy-paste in the past, should new keys be generated for the Keychain, in the event SteemConnect or Steemit Inc. gets hacked?

An upgrade should not wipe the entered keys if you don't remove the extension prior to the upgrade. I have not checked how the extension stores the keys, but beware when you clear the browser's cache as it might also clear the keys depending on the cache clearing options you checked. After checking the extension and testing on another computer, it seems that clearing the cache does not clear your keys from the extension; to remove all stored keys, you would need to remove the extension itself.

To my knowledge, SteemConnect (from v2) does not store your private keys; it uses your active key to grant posting authority to the dapps that were using SteemConnect. The key is not needed later on when posting or upvoting. The private key is still requested for each transfer or settings request. Utopian got hacked in the past, and the hacker could not retrieve the keys because there was nothing to retrieve; they could only use the SteemConnect token to perform the upvotes. If SteemConnect gets hacked, just revoke your tokens.

However, if you want to be 100% sure you have not leaked your keys somehow then yes, go regenerate them. I still recommend you keep your owner key somewhere else safe.

Posted using Partiko iOS

Do you know which option that is, so that I can look out for it if I decide to update or erase cache?

Posted using Partiko Android

Thanks for the detailed explanation Q. I'll look into it and follow your instructions. 👍

Do you develop Chrome extensions?

Posted using Partiko Android

I do occasionally

I wanna :D
SoonTM

All good, valid points. There's really no situation where it's completely impossible for keys to ever get stolen. I will say that the extension purposely never stores the owner key or master password for accounts, so if there were to ever be a hack, while that would certainly be bad as active keys and liquid funds could be stolen, it's a much easier situation to recover from since you can just change your keys and not have to go through the account recovery process.

I believe this is still more secure than the system being used now where if any of the sites into which people are putting their keys are hacked, many master passwords will be stolen.

Much more secure indeed in this era of middlemen. I just wish browsers had a much heavier emphasis on security in order to facilitate these tasks with the biggest convenience:security ratio.

Posted using Partiko Android

You are completely right. The safest way is compiling the extension yourself as has been explained elsewhere on this thread.

Posted using Partiko Android

Will it also be used for SMTs like Metamask allows for ERC-20 tokens?

Posted using Partiko Android

Absolutely!

Same worries for me, I wonder if other extensions can see what you are doing if you granted them permissions like "Read all actions, websites, etc.."

Posted using Partiko Android

They definitely can. That's why you have to limit your extension usage and use only trusted and essential ones.

Posted using Partiko Android

The risk exists, indeed, no matter how small. Safest is to make an effort with your own security measures, but this extension sure is more secure than most things we normally use and makes it very easy and convenient.

Posted using Partiko Android
