Nah, it just users browser based javascript to push things around. I cannot say for 100% certain they don't nefariously save them, but they have years of credibility for not breeching trust on that front, so I really don't think they do, and there is no evidence in the console of the JS doing any kind of backend call to their side to stash anything it knows from your side.
Should be fine? No suing me if I am wrong some day!
No worries. 😎
Hey this prompted me to go re-think my answer.
Using HiveSigner to login is as safe as I said. But there's a but...
But if you choose to make a HiveSigner password and save your info with a hivesigner password and login name in front of it, then yes, they would need to save your keys. I have done so, and use it that way in my development testing and before I too, became a Hive Keychain browser extension user for its less clicks and more convenience to do the same thing.
In both cases, if you choose to make a login and retain your information at HiveSigner, you are trusting them with your keys, just like if you sign into Hive.Blog "manually" and directly with your Hive name and private key in their login form on-site.
In Keychain, this is the "the don't prompt me again" checkbox you can choose, but their code is ALL browser side, so they retain in your computer on your side, which can certainly be a risk on publicly accessible machines if the user is sloppy or not careful to logout of the site and keychain account they checked that box on that they are using but in general for personal use computers at home that aren't at risk of the next person after you using them, its no big deal for your own personal browser to cache things like this. It does it with your brick and mortar bank login, after all...
No hivesigner "save my stuff for later" login established, you will be asked every time you make a chain action happen.
No Keychain "Don't prompt me again on this site" checkbox? You'll be asked every time you make a chain action happen.
But both offer options, you can choose or not choose to trust, that do in fact open the keys up to some risks.
Actually, as I think about it and poke around the source code on github for their own site UI, which is published (a key trust indicator itself) they may save them in your browser too, and not in a database on their backend, and that means they would clear out if you clear your browser cache and you'd have to start all over at HiveSigner and set up your key in there again when you do that. Honestly, I am not clear here, but I still think its fine - in regard to HiveSigner, to use them all the same.
I needed to make sure I added this stuff. But I still think both are from solid people and teams, that have ZERO intention of doing anything malicious to their users. They have too much at stake themselves, invested in development time and personal reputations not to take this very seriously here.
Found it straight from the developer/creator's mouth:
Even if you "save" them, I was right in my musings, its all browser side, they know nothing on their side about your private keys ever.
Great! Thanks for looking into the subject so deeply!
!hbit
Pleasure, all card are gambled on this project, I can't afford to let somebody else's project screw it up for my users! :)