Hey Tim, ofc I don't mind, I'm sure many people would like to know too. Here are my answers:
Is the cookie that is stored in the client's machine something that can be decrypted by the client, or can only the SteemConnect server do that?
Only the SteemConnect server can do that.
Is the data that is passed between the client's machine and the server encrypted before sending?
Yes, it's encrypted using a CSRF token in the client's browser before being sent to the server.
Is it still theoretically possible for the user's key information to get stolen if the SteemConnect service itself is compromised? Basically could a malicious actor deploy an alternate version of the code on your end that steals the user's keys between the point that they are decrypted server-side and sent to the blockchain, or before it is encrypted and sent back to the client?
It's theoretically possible. SteemConnect decodes the posting WIF to create a signature, then broadcasts it to the blockchain. The hacker would need to access the server and change the code, then the user would need to send a request to SteemConnect before we got notified about that and before the user reset the posting WIF.
Thanks for your reply. Users should be aware that at the end of the day, they are still placing their trust in your team to handle their private keys. Most of us already do that with Steemit, Inc. - so I'm not saying it is a huge problem; just something to be aware of.
Personally I would at least rather only have to trust my keys to one or two companies - rather than every single developer that builds a third party app - so at the very least it is a huge step in the right direction.
Out of curiosity, have you thought about or discussed the possibility of having Steemit host this part of the service?
I think the broader ecosystem would be better served by having more well-trusted services and providers (also designs that reduce this reliance altogether) rather than solving every problem by further centralizing on trust of Steemit itself. Perhaps these can be backed up by independent security audits and performance bonds of some sort.
That's a good point / suggestion.
Thank you for your feedback. About Steemit hosting the service: we've been thinking about this and it's exactly what we want. IMO this would give the same level of trust as Steemit.com for Steem apps using SteemConnect, so it's a big yes for us, but we haven't discussed it much with Steemit yet.
👍