Steemit's Security Values & How Steem Keychain Can Help

in #steemit6 years ago

Steemit's Security Values & How Steem Keychain Can Help

There have been a whole bunch of updates made to the Steem Keychain browser extension since it's initial launch three months ago, and I sincerely apologize for not having posted about them in all this time.

Most of you have hopefully already seen the updates in the extension anyway, so please show your appreciation to @stoodkev who is the primary developer responsible for it.

In any case, I promise I will post about all of the new and upcoming features soon, but first I wanted to talk about something in SteemIt, Inc's recently published Mission, Vision, and Values statement which you can read here: https://steemit.com/about.html

Under the "Security" section, which is one of the Values, it says the following (emphasis mine):

This principle has led us to preferred use of client-side signing for cryptocurrency use on steemit.com, which means all transactions are pushed by the user while Steemit, Inc. never has access to, nor sees the user’s private keys

This statement immediately jumped out at me because it is technically not true. Steemit.com, Steem Connect, and many other steem-based sites require you to enter your private key into a text field on the website to log in and use the site. This means that the site operator does have access to your private key. We just have to trust that they do not access it, and we have to trust that the servers hosting the website have not been compromised.

This is the exact reason that the Steem Keychain browser extension was created. It allows websites to request that the extension sign and broadcast transactions for them, so that the user never has to enter their private keys into the site directly. This means that even with a malicious site operator, or a compromised server, your keys are safe.

@eonwarped has generously donated his time to integrate the Steem Keychain extension into the condenser code that runs steemit.com and has submitted a pull request to merge that code into the main condenser code repository so that it can be put live on steemit.com. You can try out a version of condenser with Steem Keychain integration right now at https://cryptoempirebot.com which @eonwarped is hosting.

Many people that I speak to about the Steem platform, who are more familiar with using apps on other blockchain platforms such as Ethereum, balk at the concept of having to put your private key into a website, and cannot believe that's the way things are done here. It's great that we can now tell them that they can use the Steem Keychain extension instead, which alleviates their concerns, but unfortunately it is still not integrated into many Steem-based sites, including, and most importantly, steemit.com.

If Steemit, Inc really does value security, I would strongly urge them to work with us to get the pull request merged and add Steem Keychain support to steemit.com. If the community also agrees, @aggroed and I would appreciate your support by voicing your opinion to try to make this happen.

In the meantime, I would encourage all of you to check out https://steeve.app which is a fantastic front-end for the Steem blockchain and also includes full Steem Keychain support.

For those of you not familiar with the Steem Keychain extension, you can read about it in our introductory post, and download it for the Google Chrome or Brave web browsers here (Firefox and Opera support coming soon).


View this post on Steeve, an AI-powered Steem interface

Sort:  

Why you always sleep not post

Magic Dice has rewarded your post with a 66% upvote. Thanks for playing Magic Dice.

I thought that Steemit.com don't store keys and it's client side app.

I have few questions:

  1. How are my keys stored in keycahin?
  2. It's been 3 months and no Firefox support yet? When do you plan to do it?

Posted using Partiko Android

It is a client side app. The difference between keychain and what Condenser (Steemit.com) does is that in Condenser the signing code is sent to the client via http, and executed client side. In Keychain the signing code is built into a browser extension. With the code in a http web response, the server could potentially serve malicious code which reads your keys and sends them to the server. It would even be possible to do this selectively. With a browser extension, malicious code would have to be embedded in an update for the extension, and it would likely be quickly detected by the community. Thus having the code which handles keys only in a browser extension is safer than allowing a web app to handle your keys directly, even if it is generally only done client side.

Thank you for explanation :)

I thought that Steemit.com don't store keys and it's client side app.

That's right, they don't store your keys and everything is done on the client side. The whole point is that since you're putting your key into a site that they control, they can store your keys, and send them to the server-side, but we have to trust that they don't. Even if I trust Steemit, Inc, what if someone hacks into the server hosting steemit.com and edits the code for the log in page to send all keys entered to their server? Thousands of keys (many likely master passwords) would be stolen very quickly.

To answer your questions:

  1. How are my keys stored in keycahin?

Keys are stored locally, encrypted, in the extension. When using keychain, a website will request that the extension sign and broadcast transactions for it, so that the website never gets access to your keys. If you're concerned that we can access your keys since we created the extension, or that the account publishing the extension could be hacked, that is a valid concern. In that case you can download the extension code from GitHub and install it locally.

  1. It's been 3 months and no Firefox support yet? When do you plan to do it?

Sorry we're not moving as fast as you would like here...We're spending a lot of time and money developing this free tool to help improve and grow the Steem platform. If you would like things to move faster we would be happy for you to pitch in and help out!

Posted using Steeve, an AI-powered Steem interface

Yes, you're right, but here's why Keychain is still a better solution (IMO):

  1. It's MUCH easier to install and run the Keychain extension locally than it is to do the same for Condenser; and
  2. If you use the Keychain extension then you can securely use your keys on ANY Steem-based website that supports Keychain (which will hopefully be almost all of them in the near future) whereas you can't realistically install and run every Steem-based website you want to use locally.
  3. It avoids copy/paste errors. I know I've forgotten that I had a private key copied to my clipboard from logging into a Steem-based site and accidentally pasted it somewhere it wasn't supposed to go. Luckily I never published it or anything, but I know people who have and who lost funds because of it.

Lastly, aside from the security aspects, it's a really useful tool, especially if you manage multiple Steem accounts. At this point I couldn't imagine using Steem without it.

Is there a way to verify that the code that I install from the Chrome Web Store is the same as on GitHub?

When you install an extension from the Chrome web store, it simply downloads the files and drops them into a folder for Chrome to access. So yes, you can verify by running a diff on the folder vs. the github. Or download directly from github, skipping the web store.

Thank you for your conversation.

Yaba, how about you spend your time doing something for steem that we really need, if you have all this energy, like running and paying for an instagram campaign to promote steem, and organzie your followers with a trending post to register to post on reddit with you maybe meet in a discord and all upvote and post about steemit... or do it in stealth to avoid getting banned by reddit for brigading.. but come on breaking the reddit rules is so sweet and we can totally take over reddit with our numbers but in a polite way, maybe do a steem,it post once every other day..... hey man

hey man, in the words of @walden ,lets go, lets go mother fucker, huh?

U gonna sell some of ur steem monthsers to us huh? Overpriced SHEET

hah cant u imagine walden sayin that?

Thank you :)

If I will have any time, maybe I will take a look into code to see if I can help.

I'm fairly certain you can use Chrome extensions on Firefox. Not positive if this one will work or not.

I tried, didn't work for me.

Dang, that sucks. I just bit the bullet and started using Chrome lol

I ll optimize the extension for Firefox in the near future.

shouldnt you be using golos? :P dasvidonyetsk

Looking forward to see it live in condenser! Awesome job @eonwarped!
For Firefox users, optimizing the extension for your browser will be on my plate in the near future.
For Opera users, you can already use it but you ll need to install "Install Chrome extensions" on the Opera store first.

thanks for great info

Adding keychain to my browser is still on my "to-do" list, so I couldn't add any meaningful comment to this post. I got as far as downloading the chrome browser weeks back, transferring my bookmark favorites over, and "saved" the rest for another day. Another day turned into another day and another day..but it is definitely on my list!

On a side note, Mello mentioned the meetup a couple weeks back and I saw part of it on the youtube video. I was there in spirit! He shared some exciting news. We will definitely look into the opportunity. I hope all is well with you!

I´ve tried to use the browser extension with steeve.app but I am getting problems. Is that an issue with steeve or the extension?

Bildschirmfoto 2019-01-21 um 18.04.31.png

It looks like you just need to add the private memo key to keychain for your account. If you open up the extension and go into settings -> Manage Accounts you should be able to enter the key there.

Posted using Steeve, an AI-powered Steem interface

That's actually something I was wondering about - wouldn't it be simpler to authenticate via posting-key? Most people add at least their posting-key and just a few, who know what the memo key is, are adding that one as well, IMO.

Yea that's a good point. I'll reach out to the steeve team about that.

The condenser uses posting key to sign a challenge message to the server so likely this can change the mechanism too. That's something the keychain can do now.

Platform problems with the Steve App? Pepperidge Farm remembers... Try a lil Kerosine oil.

Keychain is not only the most secure App to access other Steem related sites. It also functions as a great Web Wallet as well. You can send / receive Steem to anyone or just claim your rewards and manage delegations.
I hope steemit.inc sees the great user potential here and will integrate Keychain soon!

This story was recommended by Steeve to its users and upvoted by one or more of them.

Check @steeveapp to learn more about Steeve, an AI-powered Steem interface.

Does keychain support escrow transactions?

Posted using Partiko Android

is there any way how we can contribute/donate to this project?
This is all incredible work, thanks for doing it. @stoodkev @eonwarped and of course @yabapmatt

If you're a developer and want to help out, let me know! Otherwise I mentioned that @eonwarped has done all the work for the condenser PR on his own time/cost so I'm sure a donation to him to support this work would go a long way. @stoodkev, @aggroed, and I would just appreciate your support for our witnesses.

Already approved !!!

Thanks! Any reason why Steem is becoming one of the few major blockchains without hardware (e.g. Ledger) support?? Is nobody interested? Scatter already supports EOS, Tron and ethereum..why not add Steem and be able to sign transaction with a Ledger?

Hi @yabapmatt!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 8.317 which ranks you at #14 across all Steem accounts.
Your rank has dropped 1 places in the last three days (old rank 13).

In our last Algorithmic Curation Round, consisting of 240 contributions, your post is ranked at #1. Congratulations!

Evaluation of your UA score:
  • Your follower network is great!
  • The readers appreciate your great work!
  • Great user engagement! You rock!

Feel free to join our @steem-ua Discord server

Hi, @yabapmatt!

You just got a 1.37% upvote from SteemPlus!
To get higher upvotes, earn more SteemPlus Points (SPP). On your Steemit wallet, check your SPP balance and click on "How to earn SPP?" to find out all the ways to earn.
If you're not using SteemPlus yet, please check our last posts in here to see the many ways in which SteemPlus can improve your Steem experience on Steemit and Busy.

This would be a great addition for Steemit.com and a good sign of cooperation if Steemit Inc rolls through with this

Posted using Partiko iOS

Great work! Hopefully you get some support :)

No doubt is a need.... 1+1

I would love to see this happen across all the DApps. Great initiative.

Going to work on implementing this for my project -- Been having issues w/ SteemConnect anyways.

Is there a rough ETA on Firefox support?

I'll get it working by this week or next , I'm on it already

Dope! You're a good man!

Keychain is a necessity. Safety always comes first in crypto. We are a big target for hackers.

I like steemit, it's not like any other social network. Steemit gives knowledge and money.

Posted using Partiko Android

Seems like a step up in secure. Any thoughts on Steem 2fa?

Posted using Partiko Android

The development of Steemit.com needs to be turned over to the community. Steemit Inc is too slow in a fast paced industry.

Awesome, going to download!

Muy bueno tu articulo de verdad me parece bastante interesante

Interesting.

Yes, this is the question that most steemians worry about. The browsser is a good solution, though that would be uncertain if it might draw the bad guy's attention.

100% support the Keychain project. IMO this is what the community truly need and this should be on one of the top priority in the dev list. Shame the company fail to see how crucial this component is. Keychain makes many DAPP on Steem possible and one of them are the Dice game that requires rapid-firing.

However, I think Keychain should provide a way for user to whitelist certain transaction so the repeated popup can be avoided. Matured crypto extension like Scatter support the whitelist feature so it would definitely enhance the experience of using it especially in a DAPP like dice game.

This feature has already been implemented a while ago. You can whitelist a certain operation requested by a certain website. Only transactions using the active key cannot be whitelisted

Active key transaction is exactly what I meant actually. What was the concern not to allow whitelisting transaction that requires actuve permission?

I understand user's fund maybe at stake and that might sounds like posting a risk to the real money. But at least provide an option for those who would like to whitelist that kind of operation? That would really helps the mass adoption of Steem especially in the DAPP like dice game. And that to me is the final form how Keychain should be like. Users get to customize it to their most convenience.

Posted using Partiko Android

A website whitelisted to use active authority by a user could, if falling into wrong hands :

  • Instantly steal all of the user's liquid assets
  • Broadcast an account update that would change the private keys and therefore take control of the account
  • Initiate power down, etc.

I think the tradeoff between security and convenience is too big here, thats why we only authorize listing for actions requiring posting authority, since they don t have a direct impact on stake.

the tradeoff between security and convenience is too big

I agree and they are all valid concerns. But you can still offer user the ability to decide whether they are willing to go for the tradeoff or not. Maybe the whitelisting process can be more hidden in the setting or put up a significant warning sign in the whitelist page for active authority. Option are tons.

Congratulations @yabapmatt!
Your post was mentioned in the Steem Hit Parade in the following category:

  • Pending payout - Ranked 2 with $ 170,5

Interesting information.

Thank you!

Would be nice to filter only posts in English. Always looking for a way to explore new content on Steemit, but looks like most aren't in English.

Interesting, I always thought it was weird that some sites asked for private keys directly, I just never really understood why. This surely cleared it up a bit. I’ll look into getting keychain now.

This post has been included in the latest edition of SOS Daily News - a digest of all you need to know about the State of Steem.



Did @ned or @elipowell have any comments on this?

Steemit's Security Values & How Steem Keychain Can Help,yes i agry with you

Is there any plans for a desktop version?

Thanks anyways for the updates still. It is worth sharing

Magic Dice has rewarded your post with a 14% upvote. Thanks for playing Magic Dice.

Why is it so difficult for developers to begin with the standard API -WebExtensions- which works on every single modern browser -even Edge- and then customize it for each of them?

Posted using Partiko Android

Give my son back his money _ 5 hours ago Transfer 56.000 STEEM to smartmarket https://steemit.com/freedom/@shepz1/i-set-off-to-see-the-world-and-i-did-not-like-what-i-left-behin

Or!

I don't run or have any affiliation with smartmarket...I believe that is run by @therealwolf

Thanks for the info, much appreciated.

Hello!

I am a community manager at Snax. We are trying to make public blockchain based on EOS node. Snax chain will provide transactions over social networks, token supply based on user social influence.

Snax as well as Steemit rewards its users for the content created, but Snax works as overlay solution over existing social networks (e.g. Twitter)

We have no ICO. We already have a testnet, mainnet will be launched this month, and we currently looking for great candidates for Block Producers like yourself. You can find out more about us at our website snax.one

If our project is interesting for you, please let me know by emailing me at [email protected]

Looking forward to hearing from you, and keep rocking this world!

@yabapmatt DUDE i just realized, if you sold a little USB dongle to hold your key like a little useful gimmick, I would buy it and many steemians would love it. it would bereally cool to have a keypad enabled hardware wallet for use with steem that could be as simple as a special doingle you needed to make keychain sign transactions... even if it was just a basic standard key fob usbkeychain encrypted usb key thingy..... and had a custom steem engraving or whatever, and worked with ru software, man thatd be legit...

You deserve really to be call Master...infact you are!!!