
RE: No one who runs a project worth a damn on Steem will ever ask for your keys.

in #warning, 5 years ago

If we can't trust giving the private posting key to third party apps, then there is no point in having it, nor the key hierarchy...

And for as long as Steem connect requires 3 clicks and a separate password to use, I would rather have apps ask for a posting key (while ideally, but not necessarily, also offering Steem connect and Keychain as an option for those who want that).

Storing the private posting key of users has many advantages for convenience, to allow posting after a Steem node has been down without requiring a new tx to be signed.

If we can't provide that level of convenience, then we may as well forget being a social platform.


if we can’t provide that level of convenience, then we may as well forget being a social media platform

I feel like your statement is throwing the baby out with the bathwater. It’s not just a social media platform. It’s also a high tech bank where the security is up to the user based on the provided tools. And unfortunately, the tools are as they are because the world is so vicious. As such, levels of convenience have to be sacrificed to keep everyone's account as secure as necessary. And because convenience is a selling factor, there has to be a delicate balance. Not convenient enough and people don’t come here, but if it’s too convenient it’s not secure enough.

That's why you have a key hierarchy. To provide a high level of security for one's assets while also allowing for convenience of use of the social parts. We can give users both, which is one of the biggest success factors Steem has.

So no, I don't buy for a second that it has to be more secure. It should offer the opportunity to have cutting edge security, not insist on it even for those who don't want it.

It should offer the opportunity to have cutting edge security, not insist on it even for those who don't want it.

Eh, I'm going to disagree with this because I feel like it sets users up for failure if they choose a lesser security. Because if/when something goes wrong (and they inevitably will), their word-of-mouth about how horrible an experience they had on this "scammy" platform is a powerful force which might keep potential new users from signing up. Besides, with the "customer" in mind, I don't consider "it's too secure" to be a valid complaint. That's like complaining that the safety ratings of a vehicle are "too high".

I think it is more asking for a bit of vigilance, vs. being a passive user that trusts everything. If everybody takes a bit more responsibility, this place will be much better off, and I will not have to zero my downvotes un-scamming accounts like superheroes...

Oh, I absolutely agree with the parts telling people not to trust apps that promise free votes etc. But he goes way beyond that to assert that no decent apps will ask for the user's private posting key, or store them. This is just flat out false, as there can be many good reasons to do this. Or at least offer it as an alternative.

The posting key is something you should be able to use more frequently. Else, we may as well not have it at all.

You're confusing developers like yourself who spent months on months on just their MVPs vs developers who are throwing sites together with no care for user security. The former are rare, the latter are 99% of them. The risk to typical users who don't want to wake up to their account compromised is tremendous. Even good dapps get hacked. Tasteem, Dlike, Faircrew exchange, Utopian back when, just to name a few off the top of my head. It happens. 3 clicks on Steem Connect is a small inconvenience which is already taken by those same users for other dapps.

For me, Steem Keychain support is a MUST. If not that then at least SteemConnect. Otherwise, "No Thanks".