The truth is I use keychain for everything, but I have serious concerns about other sites like hivesigner if one day they are abandoned and it is somehow possible to use those services to phish other people's keys?
I have always had that doubt, that the service is deprecated and some script kid takes over the posting and active keys of users who still use those services, that can happen.
I don't live in fear of that risk myself, because that isn't how HiveSigner works.
All these tools basically pass your information through to the chain and leave it at that, and in the past I used to audit new keytools for Steem back in the day, but I sort of quit doing that because no significant new ones showed up for a long time, then when they did, they came from some of the most well-known, "esteemed" code creators in the ecosystem so there wasn't too much to worry about.
But I do have concerns when I am asked to enter my keys into an unknown entity and as we grow, there will surely be more unknown entities and nefarious actors in the mix.
It's right to be cautious, but it's also generally possible to know if you are giving your keys to someone who will retain them and know them or not, by investigating how their signing processes actually work.
Of course, that can take some technical know-how or trust in the keychain manufacturer so yeah, it's a tough situation, that's why I made the poll :)
Thanks for answering it!
Yes, the fear that they will somehow keep the keys always persists. I recently read that through the Google Chrome json there was a vulnerability (which has already been corrected of course), in which a backport was created that allowed you to read all the information of the extensions that you used in your browser. And as a result of that, I monitor all the activity on my PC with great paranoia. I have been a Linux user for years and I know things better than the average user.
You are absolutely right, fortunately you are one of the coders I know and you give me more confidence, I have been following what you do for a long time (out of curiosity, don't think that I am your stalker haha =D). I like you since I shared your opinion in relation to those +20,000 HBD that were given to a person who has a blog with 40 hp or something like that, that seems completely absurd to me.
Thanks :)
I am pretty sure, if I recall 6 or 7 years ago correctly, that this particular incident was about Ned giving his new girlfriend a huge setup on her brand new account, which was full of Instagram style selfies in wealthy people places, not actually effort-taken-content and it all just seemed so ridiculous back then.
That said, I honestly was more going after Ned at the time, than the hapless girlfriend of his. Mostly for other reasons than using his stake however he wanted to use it, which I am all for, for everyone here, in general. Freedom with your choices and money are the name of the game for sure!
But yeah, that case in particular was pretty absurd to do as the CEO at the time and the public face of the chain back then. But he was always absurd and pretty ridiculous in his immature choices. So it goes. :)
I am referring to Arlete Salas, who recently financed an impressive amount of hbd for an event...I have serious doubts about that.
Oh and to mention that I also like you because we have @por500bolos in common, my dear crazy old man whom I admire very much (he is one of the very rare unicorns that there are here in hive, it should be protected as cultural heritage of humanity and hive, I think we should dissect him when he ceases to exist and put his memory in an AI)
Hey! for you both pair of hippies!!
Ah @por500bolos - we don't need an AI of him, he is already unforgettable, mostly because he himself won't let anyone forget him! 😄
I appreciate the kind words!
Well, I always say that I'm going to dissect him when he's no longer with us, I'm looking for some way to preserve his brain 😄
Alcohol is a good preservative. Buy him a beer :)
I wrote this for @novacadian but I am reposting it under your thread too, so you don't miss my important afterthoughts and extended information here:
Hey this prompted me to go re-think my answer.
Using HiveSigner to login is as safe as I said. But there's a but...
But if you choose to make a HiveSigner password and save your info with a hivesigner password and login name in front of it, then yes, they would need to save your keys. I have done so, and use it that way in my development testing and before I too, became a Hive Keychain browser extension user for its less clicks and more convenience to do the same thing.
Actually, as I think about it and poke around the source code on GitHub for their own site UI, which is published (a key trust indicator itself) they may save them in your browser too, and not in a database on their backend, and that means they would clear out if you clear your browser cache and you'd have to start all over at HiveSigner and set up your key in there again when you do that. Honestly, I am not clear here, but I still think it's fine - in regard to HiveSigner, to use them all the same.
In both cases, if you choose to make a login and retain your information at HiveSigner, you are trusting them with your keys, just like if you sign into Hive.Blog "manually" and directly with your Hive name and private key in their login form on-site.
In Keychain, this is the "don't prompt me again" checkbox you can choose, but their code is ALL browser side, so they retain in your computer on your side, which can certainly be a risk on publicly accessible machines if the user is sloppy or not careful to log out of the site and keychain account they checked that box on that they are using, but in general for personal use computers at home that aren't at risk of the next person after you using them, it's no big deal for your own personal browser to cache things like this. It does it with your brick and mortar bank login, after all...
No hivesigner "save my stuff for later" login established, you will be asked every time you make a chain action happen.
No Keychain "Don't prompt me again on this site" checkbox? You'll be asked every time you make a chain action happen.
But both offer options, you can choose or not choose to trust, that do in fact open the keys up to some risks.
I needed to make sure I added this stuff. But I still think both are from solid people and teams, that have ZERO intention of doing anything malicious to their users. They have too much at stake themselves, invested in development time and personal reputations not to take this very seriously here.
Found it straight from the developer/creator's mouth:
Even if you "save" them, I was right in my musings, it's all browser side, they know nothing on their side about your private keys ever.
hey nice, this is really important info. But there is one detail left, if a blackhat (like me) takes control of your PC, they will have access to your browser, so you should always be aware of any abnormal behavior in the browser and PC in general.
I make this note as an "extra" security measure to everything already mentioned 😀
Sure, you aren't wrong, Mr Hat of the Dark Persuasion, but you would also have my brick and mortar bank, email, anything really, so that's not a "Hive problem" by itself. That's just normal "owning a computer that has been connected to the internet ever and wasn't airlocked from zero day anyway" stuff.
😀