RE: REMINDER: STEEMIT Scripts available to "Hide/Show ReSTEEMS", enable your "Post Vote Slider", and to "Vote Past Payout"!

in #steemit, 7 years ago

What are your thoughts about @armandocat's Extension, Steemit More Info? He has posted the source on github.

Privacy - Do I steal your data?
I do not access your private keys. The only way I could do it is if you go to your wallet page and click on "show private key". But I don't do it! Should you trust me? Well, I believe it is better not to trust anyone. That's why the source code of the extension is available on github and you can (and you are encouraged to) look and study it!

The way it works is by scraping the webpage and the url of the page you are looking at to extract your username and the username of the user you are looking at. Then it uses steem-js to get information about that user. This process doesn't involve any private key! In fact, you can see information about other users as well, even if you obviously don't know their private keys.

Definitely looks like a great piece of work he's done. I had thought of adding some of those features (such as the votepower value, etc), though I ended up putting them into my Discord WhaleBoT (used by well over a dozen STEEMIT-related discord chat rooms now) instead, since I was hesitant to add too much more "weight" to the web interface. For example, while he has packed in a whole lot of new features, the javascript code alone is over 1.3 megabytes, versus my two scripts coming in under 20 kb!

Regardless, it's still really cool what he put together, not to mention that he's already released the complete code on github, along with the relevant "security" warnings and "caveat emptors". I still have a "thing" for using the features as an extension, though. But given the scope of what he put together, it probably was the correct way to go in this case. And of course, if it makes sense to do so, perhaps some of the simpler features could still be ported into a simpler TamperMonkey script as well.

Alex, why the need for a private key for these scripts? Those scripts are not posting for us and they live in a sandbox or?

My scripts don't need access to any private keys, because they hook into STEEMIT's post voting methods.

HOWEVER, any script that runs inside the STEEMIT.com browser "sandbox" can potentially access any of the same private keys that STEEMIT can.

Why should they run inside that sandbox?

How else would they modify the GUI, even if only to add a single button such as "hide resteems" along with the javascript code to hide/show resteemed elements?

Well, as I'd imagine sending everything that has to be signed in a message to a private memory space, you'd do the same for objects which need to be modified. I'd believe you if you'd say that it wouldn't be very efficient and practical, but from a security standpoint. If we'd be talking about private keys to big funds then I would let my private keys live in an encrypted vault like KeyChain on MacOS and just send messages to be signed through the sandbox back and forth. But in any case thanks for explaining, I should probably write up a post about it and research this topic. It's been years since I've looked at these problems so...

But indeed now I realize that you'd have to authorize everything by hand if you were to send messages anyway which would make the whole thing unpractical.

Yeah man, thanks for having patience with me, I really appreciate it. You know I always wanted to find out things for myself and I like to dream and imagine :-)

It would be fairly trivial for an update to the extension to intercept your password as you logged in.

You're right, that's why I suggested that people install the extension by downloading the project code from github and installing that instead of the official chrome extension. The chrome extension auto-updates when a new version is released. Of course, the downside is that every time a new version comes out, you need to install it manually. I didn't even want to publish the extension on the chrome extension store, but a lot of people asked me to do that, so I did it!

I guess now anyone has the ability to choose the way they prefer!

Kudos to you for offering it that way. You might want to suggest that people log in to Steemit with only their Posting Key.

I would like to know as well.
First time I have used an extension.

I tried the "Steemit More Info" extension and it definitely does many cool things, though as I expected, it does add a bit of "weight" to STEEMIT. Also, it does seem to work with my "Hide ReSteems" script, but not with my "Post Vote / Expired Post" script, since my script creates a new vote slider, and the "Steemit More Info" extension also modifies some elements targeted by my script, while also creating its own "voting bar" as well.

I really enjoyed and appreciated the voting bar script you made for lower SP users. That enhanced my steemit experience and allowed me to upvote more often without draining my VP. I've been telling people about the script, getting the word out.

I still use the "hide resteem" script, it works even with the tile setting in "more info", although there are blank spaces for the resteems.

Do you see any privacy or security concerns with the "Steemit More Info" extension? @ironshield

Glad you're making use of the scripts and find them so useful! As for the "Steemit More Info", I think it's most likely safe to use, especially given all the code's on github. To thoroughly audit it though, you'd have to go through all the included javascript files and libraries.

I gave it a quick run through, and I felt comfortable enough to try it out, if that's any indication. As such, you could use his extension in conjunction with my "Hide ReSTEEMs" toggle. I also noticed that it worked with the tiles as well!

Unfortunately, as I mentioned, it doesn't currently work with my "Vote Slider" script, though perhaps at some point he'll consider adding some of these features directly into his extension as well.

Quick note... it appears to me that the biggest danger comes from using a browser extension at all, because it could be updated at any moment to include new code. Downloading the source code and running the extension yourself in dev mode only takes a few minutes more, and it won't auto-update... so if somebody compromised my chrome dev keys or the 'steemit more info' dev keys, they could push nasty updates out automatically.

If you install the source via dev mode, that avenue is no longer possible.

Nice clarification @itchykitten. That's also how I tried out the extensions, by directly installing them from their respective github repos.
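The review-once, run-unpacked approach discussed in this thread can be backed by a small check. The following is an added example, not code from the extension or from any commenter: it lists which scripts a manifest injects into steemit.com, reports whether the manifest carries an `update_url` key, and shows which files changed since the copy that was reviewed. The helper names are hypothetical and the manifest and file contents are constructed.

```javascript
// Added example; helper names are hypothetical, sample data is constructed.
const { createHash } = require("node:crypto");

// Does a Chrome match pattern cover pages on `host`? (scheme and path ignored)
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return h === host;
}

// List every script the manifest injects into `host`, plus update behaviour.
function auditManifest(manifest, host) {
  const injected = [];
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((p) => patternCoversHost(p, host))) {
      injected.push(...(cs.js || []));
    }
  }
  return { injected, autoUpdates: "update_url" in manifest };
}

// SHA-256 per file; `files` maps relative path -> contents.
function fingerprint(files) {
  const out = {};
  for (const path of Object.keys(files).sort()) {
    out[path] = createHash("sha256").update(files[path]).digest("hex");
  }
  return out;
}

// Paths whose contents differ from (or are missing in) the reviewed baseline.
function changedSince(baseline, current) {
  const paths = new Set([...Object.keys(baseline), ...Object.keys(current)]);
  return [...paths].filter((p) => baseline[p] !== current[p]).sort();
}

// Constructed sample: a reviewed copy and a later copy with one file altered.
const manifest = {
  manifest_version: 2,
  content_scripts: [{ matches: ["https://steemit.com/*"], js: ["lib.js", "main.js"] }],
};
const reviewed = { "manifest.json": JSON.stringify(manifest), "lib.js": "/* lib */", "main.js": "/* v1 */" };
const later = { ...reviewed, "main.js": "/* v2 */" };
console.log(auditManifest(manifest, "steemit.com"));
console.log(changedSince(fingerprint(reviewed), fingerprint(later)));
```

Every file named in `injected` runs inside the steemit.com page, so those are the files to read first, and any path returned by `changedSince` needs re-reading before the newer copy is loaded.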
