Reasons why you shouldn't ask for or share private posting keyssteemCreated with Sketch.

in steemdev •  last year

There is a misconception in this community, that using your private posting key to login into outside services is safe.

public-private-key.png

That is not true, here is why:

While a bad actor having your private posting key can not take your money, they could exploit and eventually damage your account in a lot of other ways.

In Steem you "Mine" (as in proof of work(+brain?)) with you private posting key.
The cumulative reward for that act is 7% of steem's yearly inflation.

Meaning, if one want piece of that pie, they need to pool some SP, then use the private posting keys that control it to do their deeds.

And what better way of doing that, than starting a service that collects private posting keys, for whatever reason.

There already are upvote botnets that are making their money that way.
Some of them are legitimate services (I use the @shadowbot voting pool),
but can you trust anyone with the power to do right by you, now or in the future ?

Can you trust them to be secure enough to not get hacked and leak your keys ?

Leasing SP costs money. There are services that enable you to lease your SP, or get some and power up your votes (https://steemit.com/@minnowbooster)

From here, it gets darker...

You could bring one's reputation to the ground with enough SP backed downvotes.
You could hide posts on steemit.com

That is abuse. And abuse brings the @steemcleaners,
and your account provider (Steemit Inc).

You don't want to be in a situation where these guys show up.
That means you've became a victim of abuse,
or your account is wrecking havoc on the blockchain.

and darker...

With you private posting key, one could edit all posts and comments, deface your profile or worse - change all the links to a phishing sites or ones with a drive-by exploits on them.

Afterwards all bets are off and some people will get burned.

And that's why, if you are a developer of a new or existing service around steem, don't ask for private posting keys if you don't really need them.

If you need the ability to post or vote for a user,
generate your own and use multi-sig through https://steemconnect.com/
Check out how https://streemian.com/ is doing it (Github)

P.S. I know some people will point out that most of the services keeping the keys inside the browser.

How sure are you ?
Especially when you get the latest version every time you go to the service's URL.

When was the last time you did inspect the code, as it was running in your browser ?
Was it minified ?

The things one could do after collecting the keys, they can do by simple code injection...

You should always think of ways to minimize the attack surface and need for trust when entrusted with people's money (or keys).

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Excellent post @zinovi
The only service I use my private key are chainbb, eSteem and busy...I hope they listen and ensure steemians are safe. I hope busy is strong enough as they also have option for password and username.
Am thinking of 2FA Google authenticator ...wouldn't it be a good idea to have extra security like block chain did...?

This post has received a 0.52 % upvote from @drotto thanks to: @banjo.

Good post. Thanks for raising awareness on protecting our Steemit account. We should only consider sharing our posting keys with thoroughly vetted third party sources. As you stated, posting keys do not allow access to money but unauthorized and malicious activity by unscrupulous actors could have ruinous results.

·

Thanks.

Raising awareness about the reasons why you should protect your keys is just one side of the equation.

There are better ways of implementing the same functionality without asking for the primary private keys. In a perfect world there should be no need for them to leave your personal wallet.

Even now, if you know what you are doing you could generate multiple private keys, one for each service that you use and only of the kind that the service need.

Then it becomes easier to later remove the keys of services that misbehave.
That way only your account provider will still have power over you.

Congratulations @zinovi! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

interesting your post...
tanks for sharing.

Congratulations @zinovi! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

Excellent post!
Just last night i had a long chat about making my trail safer by using steemconnect V2 from the guys @busy instead of asking for the ppk...

I just finished a chat with @fabien who pointed me in the right direction to the clean solution i wanted!

Excellent post!
Just last night i had a long chat about making my trail safer by using steemconnect V2 from the guys @busy instead of asking for the ppk...

I just finished a chat with @fabien who pointed me in the right direction to the clean solution i wanted!

Congratulations @zinovi! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

You got your First payout
Award for the total payout received

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

Upvote this notification to help all Steemit users. Learn why here!

Congratulations @zinovi! You have received a personal award!

1 Year on Steemit
Click on the badge to view your Board of Honor.

Do not miss the last post from @steemitboard:
SteemitBoard and the Veterans on Steemit - The First Community Badge.

Do you like SteemitBoard's project? Then Vote for its witness and get one more award!