
RE: X-Post from ThreeSpeak community - no, you do not need to give 3speak your Active Key (directly)

in HiveDevs, 4 years ago

Thanks for the ping! From what I read, you are right. You can always go to the https://hivesigner.com/auths page and revoke apps which you don't use or need. Always know what app you are giving permission to and for what reason. Nobody has access to your keys when hivesigner is used.


I didn't know about https://hivesigner.com/auths ! It gives exactly the functionality I was thinking I'd need Peakd for--a place to maintain authorizations for Dapps--but I don't need to give hivesigner posting authority (like Peakd seems to need) to have access to this "dashboard."

Hive Keychain looks interesting too, a nice option that is also open source: https://github.com/stoodkev/hive-keychain . I definitely like the fact that I can theoretically post using only my posting key with Hive Keychain. It theoretically suggests I'd never have to give posting authority or keys to any Dapp (or dApp as they capitalize it on github--but capitalize it Dapp on the Chrome and Firefox extension pages). However, I'd have to test to see if I really can revoke posting authority for both 3speak and PeakD, change my posting key for Hive.blog, install the Hive Keychain extension, give it only my posting key, and then still use all three Dapps exactly the same.

If so, the only downside is that Hive Keychain is an extension, and too many extensions can be exhausting to maintain (sure it's safe today, but what about years from now when you forget about it and the twenty other wallet extensions people are expected to have--all of them, by necessity, needing to have access to everything you do in the browser, and any one of them could have some currently-unknown vulnerability). But if I really only need to save in the extension my relatively-weak posting key and I don't have to give any Dapps posting authority, then that upside may make it worth it.

Regarding this line by Revo:

So using hivesigner or keychain no one should be able to intercept your key and make malicious posts on your behalf.

I'm actually more worried about someone intercepting/compromising a Dapp or extension, never getting my key at all, never needing my key, and still making malicious posts on my behalf. If a Dapp can post on my behalf, then I need not be there at all, right? Someone takes over this hypothetical hivedapp.whatever and I don't remove my authority in time; they can post anything as "me", or am I wrong? Further, it's possible there might be an exploit in an extension that still keeps my key on my local machine, but nonetheless still rogue-posts to Dapps without me even seeing it, unless I remove the extension in time. Of course, since the extensions I know of (Hive Keychain for Chrome, Hive Keychain for Firefox, Hivesigner for Chrome--there is no Hivesigner for Firefox) are open source and likely properly vetted by SMEs, that's less likely. But maybe it's a browser update that actually causes the liability. Maybe another extension (say, a malicious wallet for another coin) is the liability; maybe it changes what you think you are about to post at the last second and the hive extension has no idea. Regardless, there are definitely scenarios where your key is never intercepted, but the hive extension allows a malicious post nonetheless, no?

Well, I say I'm "more worried," but I'm still not actually that worried. I'll actually start worrying about post impersonation when Hive becomes more popular than Facebook. And there are obvious workarounds. Give and remove posting authority every time you use a Dapp. Install and remove the extensions every time you need them. I don't think there's a solution to the necessary trade-off of security and ease.

Thanks everyone for the information.
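The concern above (an app holding posting authority can publish as you without ever seeing your key) can be checked directly against the on-chain `posting` authority of an account. The following is an added example, not code from the thread or from any of the projects mentioned: it takes the `posting` object in the shape Hive's `get_accounts` returns (account names, weights and the key below are constructed placeholders), lists which delegated accounts can post on their own, and builds the revised authority that an `account_update` would carry to revoke one of them. It does not sign or broadcast anything; hivesigner's own app grants live on hivesigner.com/auths, not in this object.

```python
# Constructed sample in the shape of one entry returned by Hive's `get_accounts`
# (field names are real; the account names and public key are placeholders).
SAMPLE_ACCOUNT = {
    "name": "alice",
    "posting": {
        "weight_threshold": 1,
        "account_auths": [["peakd.app", 1], ["threespeak", 1]],
        "key_auths": [["STM_PLACEHOLDER_POSTING_PUBKEY", 1]],
    },
}


def delegated_posters(account: dict) -> list[str]:
    """Accounts that, by themselves, reach the posting weight threshold and can
    therefore publish as this user without ever holding its posting key."""
    posting = account["posting"]
    threshold = posting["weight_threshold"]
    return [name for name, weight in posting["account_auths"] if weight >= threshold]


def revoke_posting_auth(account: dict, app: str) -> dict:
    """Return the `posting` authority with `app` removed: this is the object an
    `account_update` operation would carry. Signing it (active key) and
    broadcasting it are deliberately left out of this example."""
    posting = account["posting"]
    remaining = [[name, weight] for name, weight in posting["account_auths"] if name != app]
    if len(remaining) == len(posting["account_auths"]):
        raise ValueError(f"{app!r} holds no posting authority on {account['name']}")
    return {
        "weight_threshold": posting["weight_threshold"],
        "account_auths": remaining,
        "key_auths": posting["key_auths"],
    }


if __name__ == "__main__":
    print("accounts able to post as", SAMPLE_ACCOUNT["name"], ":", delegated_posters(SAMPLE_ACCOUNT))
    print("posting authority after revoking threespeak:", revoke_posting_auth(SAMPLE_ACCOUNT, "threespeak"))
```

Running the audit periodically (or after trying a new Dapp) turns "I don't remove my authority in time" into a concrete list you can act on.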

For one of many reasons, we are deprecating the Hivesigner extension and will solely focus on improving the web portal. Your concerns are real and there are certain trade-offs and solutions. Of course, that's why you should always use apps you trust; the posting authority/key doesn't allow token-related operations, so it is safer from financial hacks, but social hacks (posting/voting) might happen if you share your keys or apps get hacked. With the OAuth2 Hivesigner uses, we are able to mitigate some forms of app hacks. In short, better safe than sorry; always take care of your keys.