RE: Steeminvite temporarily closed
So... steemconnect v2 sucks? I'm always uncomfortable when sites ask for this and that when they should just need the posting key. Guess I'd be more well-read on all of this if I had more assets at risk because I have no idea what you mean by that statement.
No, it doesn't generally suck. In most cases it's a good alternative.
Security always is a trade off.
When you give out your keys, they can be stolen. This is a problem when new apps show up, as they may not be trusted by the general userbase and thus won't be used.
Steemconnect V2 doesn't require your keys, but adds another account to your list of authorities, so it can act in your name. Every app using steemconnect has its own account for that, so you always have an overview of who you share your authority with.
The downside here is that with a long list of authorities, it's not immediately obvious which one performed an action. They can post or vote in your name without you being online. And there have been a few cases already where apps used this without explicit user consent.
I don't think it's necessary for me to use steemconnect for trust reasons (they don't support the create action, so you'll have to enter the private active key later anyway), and deem it the better choice to not give away any rights permanently - the keys remain on the user's device, and are only used to verify the identity/sign the transaction at account creation.
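As an added example (not part of the thread and not code from steemconnect or steeminvite), this is one way to review the list of authorities described above. It assumes an account object shaped like one entry of a Steem `get_accounts` result; the account names, key strings and the allowlist are constructed placeholders.

```javascript
// Constructed sample account; names and keys are placeholders, not real values.
const sampleAccount = {
  name: "alice",
  owner: { weight_threshold: 1, account_auths: [],
           key_auths: [["STM_OWNER_KEY_PLACEHOLDER", 1]] },
  active: { weight_threshold: 1, account_auths: [["example.wallet", 1]],
            key_auths: [["STM_ACTIVE_KEY_PLACEHOLDER", 1]] },
  posting: { weight_threshold: 2,
             account_auths: [["example.app", 2], ["example.game", 1]],
             key_auths: [["STM_POSTING_KEY_PLACEHOLDER", 2]] },
};

const ROLES = ["owner", "active", "posting"];

// List every other account that has been granted authority, per role.
// canActAlone is true when that account's weight alone meets the threshold,
// i.e. it can sign for the user without any other signature.
function listDelegatedAuthorities(account) {
  const findings = [];
  for (const role of ROLES) {
    const auth = account[role];
    if (!auth) continue;
    for (const [delegate, weight] of auth.account_auths || []) {
      findings.push({
        role, delegate, weight,
        threshold: auth.weight_threshold,
        canActAlone: weight >= auth.weight_threshold,
      });
    }
  }
  return findings;
}

// Flag delegates the user does not recognise, plus any delegate holding more
// than posting authority (active and owner are the roles that control funds
// and the account itself). The allowlist is supplied by the user.
function unexpectedDelegates(account, allowlist) {
  const allowed = new Set(allowlist);
  return listDelegatedAuthorities(account).filter(
    (f) => f.role !== "posting" || !allowed.has(f.delegate)
  );
}

for (const f of unexpectedDelegates(sampleAccount, ["example.app", "example.wallet"])) {
  console.log(`${f.role}: ${f.delegate} weight ${f.weight}/${f.threshold}` +
              (f.canActAlone ? " (can act alone)" : ""));
}
```

Entries that are no longer needed are the ones to de-authorize.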
Yeah, that agar.io clone I've been playing needed the active key when supposedly it just needs to post a message for you in each game's thread. I asked about it and haven't received word back. That makes me uneasy, but I don't have any liquid funds so I didn't care.
I think I get what you're saying, if an independent use of the private key is happening in the first place with steeminvite then not having it connected through steemconnect is actually safer in case steeminvite itself actually gets compromised, right? Especially considering most users won't manually de-authorize it after it's no longer needed.
I've noticed that when I post on busy for example I can't see it was posted on busy, the [] is not comforting at all.
Thank you for your responses, and steeminvite was seamless when I used it, so thank you for making it in the first place and keeping us in the loop.
You don't need to give posting authority though. You can sign one-off actions and require interaction with steemconnect at every action, no? Seems like a great fit for steeminvite.
e.g. steembottracker and smartsteem both follow this pattern.
Unless I'm missing something.
The only transaction to sign, create_account_with_delegation, is not supported by them anyway.
Oh, well that certainly kills it :)