Login To Busy Demands Extensive Access For "@busy.app" - This Needs Clarification
Hi everyone,
I just tried to login to Busy.org but I got a very strange message that only had the option "continue" in the sense of "accept". A few days ago it was this one:
... and now it has changed to this one:
No-one without a deeper understanding of busy.org and the Steem environment knows what that means.
So...What Does That Mean? Seriously.
The procedure makes a very untrustworthy impression to me and I would never click ok to this, no matter what it wants from me and who wants it from me. I have several problems with that authorization message:
- It does not have a "continue without accepting" option to approve later.
- It does not explain anything. No-one except for the developers know what this @busy.app is. And what in gods name is meant with posting role?! Does it mean that Busy makes posts in my name? I really don't get it.
- I used Busy before, so it's not the first time that I intended to login, but it's the first time that this message pops up and leaves you no other option but to accept or leave. Why this kind of a solution? It would be better to add a message in a box to click ok after the login.
- The redirection for the login goes via Steemconnect as you can see in the URL bar, which is another indicator of something untrustworthy. Not everyone knows about Steemconnect, and a redirection to an unknown site during the login process is an absolute no-go.
- The new login procedure has a bit more information and I tried to remove the checks from the check boxes, but it turned out that they are just images. That's something a scammer would do.
You really need to fix this or users who used Busy as second platform access in case Steemit doesn't work will quite likely not come back after getting such a message smashed in their faces.
What You Should do About It
A) You should remove the message and return to the state it had before, or
B) Let the message pop up when users are logged in, or
C) You should explain in detail and for non-nerds what the message means, to what extend @busy.app will comment or delete my content, and also why the procedure goes via Steemconnect and does not directly happen on Busy.org, or
D) You should add a "Go Ahead without approval" button, or allow users to remove the checks in the check boxes (if possible) .
My bottom line is: I really would like to know what you want me to accept there. I'm sure, others think alike.
I hope that was clear. If you have questions, let me know in the comments.
Posted on Utopian.io - Rewarding Open Source Contributors
SteemConnect is the trusted way to connect apps to Steem via Steemit.com access. It means the guys at Busy.org never need to have access to your key directly, like the way OpenID works. It looks they've updated to show you exactly what the posting key can do so there has been no effective change, only a UI change.
That's what logging in is so if you don't want to log in you can just not log in and continue using Busy.org without being logged in.
But I agree that there should be an option to choose between permissions. That is for SteemConnect to implement however, not Busy.org
I love busy.org and SteemConnect, my hyper paranoia will never allow me to click that continue button though. Ironically, I have always known this was the access I was granting when using the SteemConnect, but the raw brutal transparency just hit a little too hard.
Let it hit hard and look into the jaws of reality!
That is a great explanation for this whole thing. Maybe they should add that sentence to the login process. Perhaps plus something, like "this is necessary so that Busy.org has access to the Steem blockchain for your account"... or something like that.
How do I post articles and comments on Busy without being logged in?
You can't! But you can use Busy.org for viewing without logging in, that's the only point I make. Otherwise you have to accept it.
I should also say that using your posting key is more secure than you're master key (called the active key), so really at every level they seem to be following best practice here. If your posting key is compromised you can always regenerate it with your master key.
I believe you that, but I strongly doubt that inexperienced or new users are aware of that. The login process simply demands too much pre-existing knowledge about the system and without it, the whole login process looks like a scam.
I can see how you or anyone could come to that conclusion, I don't debate that it should be clearer, I'm just trying to make it clear to you, here 🙂 The ticket has been accepted so looks like they will do something about it.
Yes of course, thanks for the clarification. You actually did help me with that.
This might help you:
https://busy.org/utopian-io/@gregory.latinier/design-of-the-authorize-page-and-add-revoke-tokens
I will check it out.
Wow this is so relieving thank you
Upvoted and resteemed
Thank you for the contribution. It has been approved.
You can contact us on Discord.
[utopian-moderator]
Hey @doodlebear I am @utopian-io. I have just super-voted you at 0.3% Power!
Suggestions https://utopian.io/rules
Achievements
Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x
What??! I smell a false-positive.