The website is a tool for curators and delegators. Registering doesn't make sense for anyone else.
Implementing Keychain is being discussed, but as that requires the use of an extra app on mobile I'm still on the edge about it.
In the end it always comes down to trust, as without putting your keys in somewhere you couldn't use any web service. If you use SteemConnect, you have to trust the team behind that; if you use Keychain, you trust the author of the browser plugin or the mobile app. If you enter your key on a website, you trust the creator of that site. In that case that's me.
Keychain and SteemConnect are useful tools for sites with an unknown creator, as the trust is given to someone you or at least most of the community know. I like to think of myself as at least as trustworthy as anyone involved in those projects :D and personally I just feel better knowing that the security of a project published under my name doesn't depend on a 3rd party. Which it somehow still does, because of the JavaScript library for Steem which I use, but that's taking things a bit too far now ;)
I can assure you that the keys are never sent to the server. Keeping those safe would be a responsibility I wouldn't want to take. It's not my first app for Steem, and previous ones (Steemdice r.i.p., https://steeminvite.com) even require the active key.
You don't have to take my word for it; all my code is published on GitHub, so anyone who can read it can check there. Or just get the JavaScript files directly from their browser, as it doesn't necessarily have to be the same as on GitHub (they are here, but that's again a trust issue if you don't check for yourself). Also, anyone can press F12 in their browser, go to the network tab, and see what data is transmitted.
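
The network-tab check described in the comment above can be made repeatable by exporting the capture as a HAR file and searching it. This is an added example, not part of the original comment or the site's code; `findSecretInHar`, the sample HAR and the test secret are constructed for illustration, and it only catches the plain, URL-encoded, base64 and hex forms of the value.

```javascript
// Search a HAR export (DevTools > Network > "Save all as HAR") for a secret
// in the encodings it is most likely to leave the browser in.
// Limitation: a hashed, encrypted or chunked value will not be found.
function encodedForms(secret) {
  const buf = Buffer.from(secret, 'utf8');
  const forms = [
    ['raw', secret],
    ['urlencoded', encodeURIComponent(secret)],
    ['base64', buf.toString('base64')],
    ['hex', buf.toString('hex')],
  ];
  // Drop encodings that produce the same string (e.g. raw == urlencoded).
  const seen = new Set();
  return forms.filter(([, needle]) => !seen.has(needle) && seen.add(needle));
}

function findSecretInHar(har, secret) {
  const hits = [];
  for (const { request: req } of har.log.entries) {
    const fields = {
      url: req.url,
      headers: (req.headers || []).map(h => `${h.name}: ${h.value}`).join('\n'),
      body: (req.postData && req.postData.text) || '',
    };
    for (const [where, text] of Object.entries(fields)) {
      for (const [encoding, needle] of encodedForms(secret)) {
        if (text.includes(needle)) hits.push({ url: req.url, where, encoding });
      }
    }
  }
  return hits;
}

// Constructed sample: a throwaway value typed into the page, and three
// captured requests (hosts and payloads are made up).
const SECRET = 'constructed-test-key+not/real';
const SAMPLE_HAR = { log: { entries: [
  { request: { url: 'https://example.invalid/api/votes', headers: [],
               postData: { text: '{"account":"alice"}' } } },
  { request: { url: 'https://example.invalid/login', headers: [],
               postData: { text: JSON.stringify({ k: Buffer.from(SECRET).toString('base64') }) } } },
  { request: { url: 'https://example.invalid/t?key=' + encodeURIComponent(SECRET), headers: [] } },
] } };

console.log(findSecretInHar(SAMPLE_HAR, SECRET));
```

An empty result on a capture that covers login and a few signed actions is consistent with the key staying in the browser; any hit names the request to inspect.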