It is always great to be hyper vigilant when an application is asking for your Active key as opposed to Posting key. You're absolutely right that the rule of thumb is do not use your active key or provide it to anyone else unless absolutely necessary. HOWEVER, in the case of SteemConnect, it is not actually using any of your keys. Your keys are encrypted locally and never shared with SteemConnect. SteemConnect is an open source (which means everyone can check the code to ensure it's secure) project done as a collaboration between Steemit and Busy and intended to be THE method for signing into Steem applications across the internet. SteemConnect is the ONLY service we recommend. Good job staying vigilant!
Each application created through SteemConnect is a separate Steem account managed by both owner and steem connect.
The high privileges are necessary at the approval moment because of this:
SteemConnect will update your account, enabling the application itself to be 3rd party poster in your behalf.
The applications are usually suffixed with a .app name because only SteemConnect control the application key.
When then, the app posts in your name, it's NOT Your posting key being used to sign, but the application posting key, which only SteemConnect knows.
This makes the application posting on your name, only possible though SteemConnect and the permission you gave the application can be revoked at any time.
It is always great to be hyper vigilant when an application is asking for your Active key as opposed to Posting key. You're absolutely right that the rule of thumb is do not use your active key or provide it to anyone else unless absolutely necessary. HOWEVER, in the case of SteemConnect, it is not actually using any of your keys. Your keys are encrypted locally and never shared with SteemConnect. SteemConnect is an open source (which means everyone can check the code to ensure it's secure) project done as a collaboration between Steemit and Busy and intended to be THE method for signing into Steem applications across the internet. SteemConnect is the ONLY service we recommend. Good job staying vigilant!
Andrew Levine
Content Director, Steemit
Thx for the answer. Is There a reason Not enabling Posting key?
Do yiu recommend storing active key AT Firefox cause this what my Phone showed me.
@felix.herrmann just understand this:
Each application created through SteemConnect is a separate Steem account managed by both owner and steem connect.
The high privileges are necessary at the approval moment because of this:
SteemConnect will update your account, enabling the application itself to be 3rd party poster in your behalf.
The applications are usually suffixed with a .app name because only SteemConnect control the application key.
When then, the app posts in your name, it's NOT Your posting key being used to sign, but the application posting key, which only SteemConnect knows.
This makes the application posting on your name, only possible though SteemConnect and the permission you gave the application can be revoked at any time.
thx for explanation
This is the communication we all love to see. Thanks @andrarchy for making this known.