Steem Secure aspires to be an alternative to Steem Connect, which has security holes.
With this update I added all available methods of the Steem blockchain database API and updated the project logo.
Steem Connect provides third-party applications with a token that carries rights to post, comment or vote in our name. However, as we saw in the Utopian example, this token may be stored by the third party and then used against users, in Utopian's case by hackers. Imagine what would happen if a Steem Connect token gave Utopian rights to transfer funds.
Steem Secure Login is a browser extension which signs transactions with our private keys and gives third parties the opportunity to use its interface and ask it to broadcast a transaction. It never shows the user's private keys and works as a prebuilt login system.
Steem Secure Login in its final version will be considered a fully functioning Steem blockchain login system.
Third parties will not have to implement any login system by themselves.
What has been done
- All Steem blockchain methods have been implemented. The changes were necessary to start working on application privileges and warning popups. They were pretty simple from a development perspective, but they took a lot of time to apply because there was a lot of repetitive code to write.
The programming interface is similar to the steem-js interface, with one difference: you never pass your private key to the method.
Example of how you comment with steem-js:
steem.broadcast.comment(wif, parentAuthor, parentPermlink, author, permlink, title, body, jsonMetadata, function(err, result) { console.log(err, result); });
Example of how you comment with Steem Secure Login:
SteemSecure.broadcast.comment(parentAuthor, parentPermlink, permlink, title, body, jsonMetadata, function(err, result) { console.log(err, result); });
You see that the wif and author parameters are omitted. That's the way it is with all methods.
- A friendly graphic designer prepared a logo for the project.
Old one:
New One
A higher-resolution logo was also added to the project.
Coming Soon
- First release for Chrome, Opera, and Firefox
- Warning popups (for example, if you give a webpage the privilege to transfer money for you, you will be notified when such an operation occurs and will have to confirm a popup)
- Programming interface extension: a callback when the user logs in, a callback when he logs out
- Method to open the login window (extension popup window) programmatically
- Method to get the logged-in user name
Author's GitHub, repository and pull requests
How to contribute
- Contributors can find me through GitHub; I read the project's issues regularly.
- Through steem.chat, where I have the nickname "bartosz"
- Through facebook.com, where they will find me under name "Bartosz Kurek". My profile image matches the one I've got on steemit.com and utopian.io.
Posted on Utopian.io - Rewarding Open Source Contributors
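The calling convention and the planned warning popups described in this post can be pictured as a small request broker. The following is an added sketch, not Steem Secure Login's own code: `createBroker`, `grant`, `request`, the origins and the key values are hypothetical, and the `sign` callback is a stand-in for real Steem transaction signing.

```javascript
// Added illustration, not Steem Secure Login's source. All names are hypothetical.
// Key role each Steem operation needs: posting for social actions, active for funds.
const REQUIRED_ROLE = { vote: 'posting', comment: 'posting', transfer: 'active' };
// Field naming the acting account in each operation; the broker always fills it in.
const IDENTITY_FIELD = { vote: 'voter', comment: 'author', transfer: 'from' };

function createBroker({ account, keys, confirm, sign }) {
  const grants = new Map(); // origin -> Set of operation names the user allowed
  function grant(origin, opNames) { grants.set(origin, new Set(opNames)); }

  // The only entry point a web page gets: it receives a result, never a key.
  function request(origin, opName, params) {
    const role = Object.hasOwn(REQUIRED_ROLE, opName) && REQUIRED_ROLE[opName];
    if (!role) return { ok: false, error: 'unknown operation' };
    const allowed = grants.get(origin);
    if (!allowed || !allowed.has(opName)) return { ok: false, error: 'not granted' };
    // Page-supplied identity is overwritten with the logged-in account.
    const op = [opName, { ...params, [IDENTITY_FIELD[opName]]: account }];
    // Active-key operations raise a warning popup every time, even when granted.
    if (role === 'active' && !confirm(origin, op)) return { ok: false, error: 'user rejected' };
    if (!keys[role]) return { ok: false, error: 'key not loaded' };
    return { ok: true, signedTx: sign(keys[role], [op]) };
  }
  return { grant, request };
}

// Constructed demo: one granted origin, one unknown origin, user rejects the popup.
function demo() {
  const prompts = [];
  const broker = createBroker({
    account: 'alice',
    keys: {
      posting: { label: 'posting', secret: 'CONSTRUCTED-POSTING-SECRET' },
      active: { label: 'active', secret: 'CONSTRUCTED-ACTIVE-SECRET' },
    },
    confirm: (origin, op) => { prompts.push(origin + ' ' + op[0]); return false; },
    // Stand-in for real Steem signing: tags the transaction with the role used.
    sign: (key, ops) => ({ operations: ops, signatures: ['stand-in:' + key.label] }),
  });
  const page = 'https://blog.example';
  broker.grant(page, ['comment', 'transfer']);
  return {
    comment: broker.request(page, 'comment', { author: 'mallory', permlink: 'hi', body: 'text' }),
    transfer: broker.request(page, 'transfer', { to: 'bob', amount: '1.000 STEEM' }),
    stranger: broker.request('https://other.example', 'vote', { author: 'bob', permlink: 'p' }),
    prompts,
  };
}
console.log(JSON.stringify(demo(), null, 2));
```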
Nice effort put in providing an alternative to some features of SteemConnect.
Be careful of the callback hell (http://callbackhell.com)
You could also add eslint (https://eslint.org/) to your project to help write a more modern javascript with best practices
Your contribution has been evaluated according to Utopian rules and guidelines, as well as a predefined set of questions pertaining to the category.
[utopian-moderator]
Hey @gregory.latinier
Here's a tip for your valuable feedback! @Utopian-io loves and incentivises informative comments.
Thank you for the valuable feedback; all hints are very useful.
I think I will start refactoring as soon as I achieve the final look. At this moment I want to provide, document and release for you the first really secure version.
Ok so now I'll comment as a SteemConnect dev :)
First, you can't say that without providing any kind of proof or code analysis. But if you've got something concrete, please, by all means, tell us about it. We'll be more than happy to fix it.
The utopian 'hack' was really unfortunate but the issue was with their servers and had nothing to do with SteemConnect. And I would even not call it a hack. When you have the keys to the house you can't consider this breaking in.
Here again that is the proof that you don't understand what is done by SteemConnect. Like I said in some of my posts:
SteemConnect has authority on apps created on the website. Those apps don't hold the keys to the account. Even app owners (they are more app creators) don't have those keys. So no money can (well shouldn't) move from or to those accounts.
When a user authorizes an app on his account it means that the app is added in the posting auths.
Check my profile on https://steemd.com/@gregory.latinier you will see that apps are added only in the posting field
So no transfers whatsoever can occur using SteemConnect related apps. I've repeated it many times!
Lastly, your solution requires an action from the user, but how do you solve problems where a vote, a post, a comment must be written from the server side of an app for an automated task?
So please be careful when you're making assumptions about other projects and be sure of what you're talking about.
Nevertheless, it's nice to see developers making an effort on the Steem ecosystem!
Keep working on that.
I think I understand your solution. I think there are security holes which you won't cover, and by that I mean third parties' poor security. SteemConnect always trusts third parties; my solution does not. With your system, even after adding IP verification, there is always a possibility that hackers will break into a third-party server and send some transactions using a SteemConnect token.
I think it could be devastating for trust in any third party.
Your solution does not provide live transaction options (and because of its nature it's good); my solution can provide it.
My solution assumes very limited or even no trust in third-party webpages; you never know how poorly they could be done.
I understand the disadvantages of my solution: the necessity of installation, not full coverage of mobile browsers, and no possibility of server-side processes (like automated voting). However, if you want to give someone your private posting key, go ahead and do it; there is no need for SteemConnect. I don't see a big threat in that. I gave my posting key a long time ago to steemvoter.com
I treat security in blockchain technology very seriously, and I think when more third parties appear and more upvotes are stolen, people may really stop trusting your solution, although the third parties will be responsible.
What do you think about my opinion and concerns?
Hey @bartosz546
Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!