You are viewing a single comment's thread from:

RE: HiveSigner, Hive Keychain, HiveAuth or Enter Your Key On A Site??? (later entry: PeakLock - see update inside about that oversight)

in Hive Polls4 months ago (edited)

I wrote this for @novacadian but I am reposting it under your thread too, so you don't miss my important afterthoughts and extended information here:

Hey this prompted me to go re-think my answer.

Using HiveSigner to login is as safe as I said. But there's a but...

But if you choose to make a HiveSigner password and save your info with a hivesigner password and login name in front of it, then yes, they would need to save your keys. I have done so, and use it that way in my development testing and before I too, became a Hive Keychain browser extension user for its less clicks and more convenience to do the same thing.

Actually, as I think about it and poke around the source code on github for their own site UI, which is published (a key trust indicator itself) they may save them in your browser too, and not in a database on their backend, and that means they would clear out if you clear your browser cache and you'd have to start all over at HiveSigner and set up your key in there again when you do that. Honestly, I am not clear here, but I still think its fine - in regard to HiveSigner, to use them all the same.

In both cases, if you choose to make a login and retain your information at HiveSigner, you are trusting them with your keys, just like if you sign into Hive.Blog "manually" and directly with your Hive name and private key in their login form on-site.

In Keychain, this is the "the don't prompt me again" checkbox you can choose, but their code is ALL browser side, so they retain in your computer on your side, which can certainly be a risk on publicly accessible machines if the user is sloppy or not careful to logout of the site and keychain account they checked that box on that they are using but in general for personal use computers at home that aren't at risk of the next person after you using them, its no big deal for your own personal browser to cache things like this. It does it with your brick and mortar bank login, after all...

No hivesigner "save my stuff for later" login established, you will be asked every time you make a chain action happen.

No Keychain "Don't prompt me again on this site" checkbox? You'll be asked every time you make a chain action happen.

But both offer options, you can choose or not choose to trust, that do in fact open the keys up to some risks.

I needed to make sure I added this stuff. But I still think both are from solid people and teams, that have ZERO intention of doing anything malicious to their users. They have too much at stake themselves, invested in development time and personal reputations not to take this very seriously here.

4 months ago in Hive Polls by
$0.00
    1 vote
    Reply 5
    Sort:  
  • Trending
    • [-]
     4 months ago  

    Found it straight from the developer/creator's mouth:

    Even if you "save" them, I was right in my musings, its all browser side, they know nothing on their side about your private keys ever.

    image.png

    [-]
     4 months ago  

    hey nice, this is really important info. But there is one detail left, if a blackhat (like me) takes control of your PC, they will have access to your browser, so you should always be aware of any abnormal behavior in the browser and PC in general.

    I make this note as an "extra" security measure to everything already mentioned 😀

    $0.00
      Reply
      [-]
       4 months ago  

      Sure, You aren't wrong, Mr Hat of the Dark Persuasion, but you would also have my brick and mortar bank, email, anything really, so that's not a "Hive problem" by itself. That's just normal "owning a computer that has been connected to the internet ever and wasn't airlocked from zero day anyway" stuff.

      $0.00
        Reply