RE: [security] Misuse of Steemconnect login (shouldn't ask active key for every login)

Hi @knowledges, again you're a human knowledge base :) I searched for a while and I even contacted steemconnect via GH, but I couldn't get any answer, so I made this post.

While I agree that it was suggested in the comment you provided, which of course I didn't know of, proposing formally has its own merit. For instance, an age-weighted score for the utopian bot was proposed before, but after my proposal, https://steemit.com/utopian-io/@blockchainstudio/utopian-bot-sorting-criteria-improvement-to-prevent-no-voting-for-mid-score-postings, it was actually implemented. But again, regarding the score, I have no objection since it was known to the PO before.

Regarding the security: you misunderstood my intention. I actually worked for an information security company before, where I also worked on a PKI system, so I'm quite familiar with the system. What I meant was NOT that SC stored the active key so it's vulnerable. What I meant was, how do you enter your key? Most likely, copy & paste. That step is vulnerable. That's why there are even bots to steal the keys or notify the owner that keys are exposed. So requiring the active key should be avoided if possible.

And the workaround shows that it's not difficult to implement. Of course, they may implement it in SC3, but you know the last post was already 3 months ago, and this kind of security problem should be resolved very quickly. Until SC3 is released with the feature, I believe you'll be more generous on my future suggestions :) Thanks again!