
RE: Steem Tools Development - Centralized Steemit.com vs. Decentralized App Center (Security Concerns)

in #security, 9 years ago (edited)

Very good and valid points here. The way streemian.com deals with it is the following: users add the 'streemian' account to their posting authority. That step does not add a key but the actual streemian user name to your posting authority. The (big) difference with using accounts instead of keys to 'share' permissions is that we can change the streemian keys any time without the need to inform the user or ask him for permissions or, worse, ask the user to change the key.
This way, the whole concept can be made very secure by using rotating keys on the streemian account, which can of course also be automated nicely.
It's not yet implemented, but the idea is to automatically (and seamlessly) change any (hot) keys in the streemian account once a week or every day. It's just a matter of organization to keep the service up and running during the transition.

That said, the underlying tech is so great that it can be made robust and secure for the end user while no funds or identities are at a risk for very long.
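The mechanism described in this comment (granting a named account posting authority rather than sharing a key, so the service can rotate its own keys without touching the user's account) can be modelled in a few lines. The following is an added illustration, not streemian's code and not from the thread. It assumes a Steem-style authority object of the form {weight_threshold, account_auths, key_auths}, that authority resolution recurses into account_auths up to a fixed depth (Steem's limit is 2), and it uses plain strings in place of real public keys; the account names and key strings are constructed for the example.

```python
"""Model of Steem-style posting authorities: key grant vs. account grant.

Added example (not streemian's code). Assumptions: an authority is
{weight_threshold, account_auths, key_auths}; resolution recurses into
account_auths up to MAX_SIG_CHECK_DEPTH (Steem uses 2); keys are strings.
"""

MAX_SIG_CHECK_DEPTH = 2  # assumption: Steem's recursion bound for account_auths


def make_authority(threshold=1, account_auths=None, key_auths=None):
    return {
        "weight_threshold": threshold,
        "account_auths": dict(account_auths or {}),  # account name -> weight
        "key_auths": dict(key_auths or {}),          # public key -> weight
    }


def satisfied(accounts, name, signing_keys, depth=0, visited=frozenset()):
    """True if `signing_keys` meet `name`'s posting authority.

    Weight from an entry in account_auths counts only if that account's own
    posting authority is itself satisfied, recursing at most
    MAX_SIG_CHECK_DEPTH levels and never revisiting an account (no cycles).
    """
    if name in visited or name not in accounts:
        return False
    auth = accounts[name]["posting"]
    weight = sum(w for k, w in auth["key_auths"].items() if k in signing_keys)
    if depth < MAX_SIG_CHECK_DEPTH:
        for other, w in auth["account_auths"].items():
            if satisfied(accounts, other, signing_keys, depth + 1, visited | {name}):
                weight += w
    return weight >= auth["weight_threshold"]


def build_accounts():
    # Constructed sample state: a user and a service, each with one posting key.
    return {
        "alice": {"posting": make_authority(1, key_auths={"STM_ALICE_POSTING_1": 1})},
        "streemian": {"posting": make_authority(1, key_auths={"STM_SVC_POSTING_v1": 1})},
    }


def grant_by_key(accounts, user, service):
    """Key-sharing pattern: the user copies the service's *current* key."""
    for k, w in accounts[service]["posting"]["key_auths"].items():
        accounts[user]["posting"]["key_auths"][k] = w


def grant_by_account(accounts, user, service, weight=1):
    """Account pattern from the comment: the user adds the service's *name*."""
    accounts[user]["posting"]["account_auths"][service] = weight


def rotate_service_key(accounts, service, new_key):
    """The service replaces its own hot posting key (no user action needed)."""
    accounts[service]["posting"]["key_auths"] = {new_key: 1}


def revoke_account_grant(accounts, user, service):
    """The user withdraws the grant with a single change to their own account."""
    accounts[user]["posting"]["account_auths"].pop(service, None)


def run_scenarios():
    r = {}
    # A: key grant. After the service rotates, the new key is useless for the
    # user's account and the stale key still works until the user edits it.
    acc = build_accounts()
    grant_by_key(acc, "alice", "streemian")
    r["key_grant_before_rotation"] = satisfied(acc, "alice", {"STM_SVC_POSTING_v1"})
    rotate_service_key(acc, "streemian", "STM_SVC_POSTING_v2")
    r["key_grant_after_rotation_new_key"] = satisfied(acc, "alice", {"STM_SVC_POSTING_v2"})
    r["key_grant_after_rotation_old_key"] = satisfied(acc, "alice", {"STM_SVC_POSTING_v1"})
    # B: account grant. Rotation is transparent, the old key stops working,
    # and the user can revoke at any time without the service's cooperation.
    acc = build_accounts()
    grant_by_account(acc, "alice", "streemian")
    r["acct_grant_before_rotation"] = satisfied(acc, "alice", {"STM_SVC_POSTING_v1"})
    rotate_service_key(acc, "streemian", "STM_SVC_POSTING_v2")
    r["acct_grant_after_rotation_new_key"] = satisfied(acc, "alice", {"STM_SVC_POSTING_v2"})
    r["acct_grant_after_rotation_old_key"] = satisfied(acc, "alice", {"STM_SVC_POSTING_v1"})
    revoke_account_grant(acc, "alice", "streemian")
    r["acct_grant_after_revoke"] = satisfied(acc, "alice", {"STM_SVC_POSTING_v2"})
    r["owner_key_still_works"] = satisfied(acc, "alice", {"STM_ALICE_POSTING_1"})
    # C: transitive grants are bounded; a grantee's grantee's grantee is too deep.
    acc = build_accounts()
    acc["bob"] = {"posting": make_authority(1, key_auths={"STM_BOB_1": 1})}
    acc["carol"] = {"posting": make_authority(1, key_auths={"STM_CAROL_1": 1})}
    grant_by_account(acc, "alice", "streemian")
    grant_by_account(acc, "streemian", "bob")
    grant_by_account(acc, "bob", "carol")
    r["depth2_bob_can_sign_for_alice"] = satisfied(acc, "alice", {"STM_BOB_1"})
    r["depth3_carol_cannot_sign_for_alice"] = satisfied(acc, "alice", {"STM_CAROL_1"})
    return r


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Scenario A shows why key sharing makes rotation painful: the stale key keeps working on the user's account until the user edits their authority, which is exactly the exposure window the comment wants to avoid. Scenario C is the caveat worth knowing when delegating to an account: whoever that account in turn delegates to also gains a path to your posting authority, bounded only by the recursion depth, so the grant is a trust decision about the service's own authority hygiene, not just its current key.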


Interesting. So instead of handing over my keys, I am basically saying that another user is authorized to post/vote on my behalf? I did not know that was even possible. I still don't 100% trust that, but it does feel better than handing over my key :)

I still feel though that there is a lot of potential for new app/feature development that is going to require the use of keys though. And even with just granting authority, there is still the problem of trusting random app developers with the authority to take actions on behalf of one's account.

I think it is something we need to think a lot about, because a lot of users are going to be very wary of who they grant authority to, especially when money is involved. Trust is very important.

I fully agree with all you say!
From the perspective of streemian, this is the best option that offers what is needed and keeps a minimum of security over users' accounts (in this case reputation, not funds).

I wanna know more about streemian.com, especially the voting system. Did it mean that it will vote automatically?

@xeroc may have more to add, but here is the post that has all the main information about the site:
https://steemit.com/streemian/@streemian/streemian-com-operation-follow-the-votes

Problem is only those who have cli_wallet are qualified to use the tool. I don't have cli_wallet and I don't even know how to use it.

I like how instead of it just being controlled by one giant whale, it's a scheme to allow users to follow the votes of others. I imagine that eventually it will be a feature integrated into the platform and work as a smart contract, obviating the security problems.

I totally agree. That kind of gets at the point in my article too. If this was integrated into the main site, I would totally use it!

@xeroc is the number one Steem app developer, IMHO. I'm pretty sure they already have some idea to put it in as a feature down the track. I'm quite sure they will soon. Not sure if it was your article, or another (I'm reading without full context) but they have a concept for Steem Curator Guilds coming up, where you 'lend' your SP to other users to curate with. Obviously that will be a reward for you as well.

It'll probably be called SteemTrain too, cos when you get a vote from a Streemian curator, next thing you know, 20 more votes come in. I just had it happen to me today even!

Replying here due to the nesting level.

Right on; and that's awesome. Either the integration of Streemian or the voting guilds would be a great enhancement!

My article was more on the broader topic of Steem app development though. Even though @xeroc may be able to and is likely to do this, the general trend has been for developers to build separate apps that stand alone from the main Steemit site.

If most of the apps are their own stand alone applications, then the security concerns brought up in my article will continue to be a concern.

@xeroc - I came across this post yesterday. I don't have as good of an understanding of the technical details behind how it all works. Would this potentially be a solution to the problem? The main downside I see is that it would probably require the user's browser to remain open and logged in to the site for it to work.

https://steemit.com/steemit/@digital-wisdom/introducing-steem-browsifier-full-access-to-the-steem-api-from-the-browser