RE: I dissected's user account creation privacy and security code live in a public chat room & found out it's all good!

in #streemian 7 years ago

Hey friend, I'm so glad to see this post! I was in the chat earlier and was really confused and doubtful of the streemian. My main question was - why if they are only using voting permissions, do they not just require that key? The active key is supposed to be for transfers, but that's the one they want. I've held off on joining, even though I want to support my fellow minnows, but I really need to understand what I'm doing to feel comfortable about it. To be honest, I don't understand half of what you're saying in this post, but I trust that you know what you're talking about. Any thoughts on the active vs posting key?


Great question! They don't even need your active key to do anything except ONE initial thing... It requires the master key, so to speak, to ask to allow your account to give THEM the new secret only Streemian and Steemit will share between each other. It's not one of your account keys at all; it's called an RPC key containing an encoded "this dude's okay with us" message inside of it.

They never even see your secret stuff. The browser talks only to steemit with what you type in, just like logging in at steemit, "in person". Make sense? It gets back the new streemian specific generated magic password and boom, promptly forgets everything your browser and steemit knew about you as soon as you leave that page.

Okay, that is starting to make sense. Could they not use the posting key to do this though?

No. "Posting" by its very definition can only "post" on your behalf. They needed to generate an RPC key to submit votes and scheduled posts and things via a robot that isn't you yourself, but that acts like you yourself. It's a different kind of API basically, a simpler one. But it takes permission to make that individual RPC key at the master level of your account to dedicate to Streemian for this purpose.

The definition under the posting key says it's used for voting also. But perhaps it's the scheduling that makes it not enough?

Honestly, here's the proof I'm not an "insider" defending this app lol. I have no idea what the full range of Streemian's offerings are. I was in the middle of signing up for the whole Minnow Support Project when this came up in chat, and I dove into reading code. I know all about how their login auth works, but I have far less idea what they actually sell. I just know that they cannot take over my Steemit account or play with muh moneez ;) I could undo or delete anything else they could do, so... who cares? More or less? Right?

Lol, well I really appreciate the research and the post, because I was not going to join until I felt good about it. I really don't understand it all, but you really seem to have checked all the bases. I assume you've joined already? My last question about Streemian is regarding being able to cancel or deregister should we decide to. In your findings, did that seem like an easy thing to do?

I joined last night. I must honestly admit I don't know about cancellation. But let's take the example that there is a kill switch on your account. Unfortunately they would be storing their personalized key on their side for the operation of their services, and cancelling your account may disable your access to their site, if cancelling IS an option, but I cannot see from outside whether they delete their personalized RPC key or not. Again, my position after 30 years in software, though, is that it doesn't really matter. If they abused this, so many people would complain to Steemit so fast that Steemit would kill their RPC keys, and if they don't, well, they were never malicious to begin with. Also, if they did, you'd see the activity in your account. They couldn't hide it. It's bad business and there is no valuable reason to "hack" you in the first place. Occam's razor. No reward, no reason to hack. And there is no reward available to them to do so.

Got it. Thank you SOOO much for all the info and answering my questions!! Talk to you soon and have a great night!

I guess I'm concerned about the new secret between Streemian and Steemit. What will this new key enable? (I mean in a worst-case scenario, not just what it's doing on the up and up.) I just feel like giving it the "this dude's okay with us" all-free permissions seems like a bad idea...

It's only allowed to do what the Steemit RPC interface allows. Documentation of that is beyond the scope of this post. This post merely serves to confirm that at no time does Streemian ever know your active secret key or Steemit password.
