
This will be used to sign transactions with the private key, so you don't have to send your key to the server of service providers. Just like steemit does it, but as a separate library for everyone to use.

@pharesim: Do you know how the steemit.com website stores our private keys in memory? Are they using any form of local storage, or is it just held in a global variable that survives across all the events?

I'm a backend developer, but AFAIK we use local storage to serve the posting key. When active/owner keys are needed (e.g. for transfers or markets), the user's asked for their password, which is used to re-derive the key. The active/owner keys themselves are never stored. (This was a recent change implemented as part of the response to the attack ~3 weeks ago.)

Thanks for the response. I'm just concerned about moving forward with this strategy (holding key in local storage) because I have read a good deal that this approach is vulnerable to XSS attacks.
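The storage split described in the reply above, as an added example that is not steemit.com's code or part of the thread: only the posting key is persisted, so that is all an injected script can read, while the active key is re-derived from the password, used once and wiped. The names `KeySession`, `deriveRoleKey` and `publicKeyHex` are hypothetical; the derivation SHA-256(account + role + password) is an assumption, a `Map` stands in for `localStorage`, and an HMAC stands in for the real transaction signature.

```javascript
const crypto = require('crypto');
// Assumption (not stated in the thread): role key = SHA-256(account + role + password).
function deriveRoleKey(account, role, password) {
  return crypto.createHash('sha256').update(account + role + password).digest();
}

// Compressed secp256k1 public key for a raw 32-byte private key.
function publicKeyHex(privateKey) {
  const ecdh = crypto.createECDH('secp256k1');
  ecdh.setPrivateKey(privateKey);
  return ecdh.getPublicKey('hex', 'compressed');
}

// Hypothetical session wrapper; `storage` stands in for window.localStorage.
class KeySession {
  constructor(storage, account) { this.storage = storage; this.account = account; }

  // Only the posting key is persisted, so it is the only key script on the page can read.
  login(password) {
    const posting = deriveRoleKey(this.account, 'posting', password);
    this.storage.set('posting_key', posting.toString('hex'));
    posting.fill(0);
  }

  // Re-derive the active key, check it against the account's published public
  // key, hand it to `use`, then wipe it. Nothing is written to storage.
  withActiveKey(password, expectedPublicKey, use) {
    const active = deriveRoleKey(this.account, 'active', password);
    try {
      if (publicKeyHex(active) !== expectedPublicKey) throw new Error('wrong password');
      return use(active);
    } finally {
      active.fill(0);
    }
  }
}

// Constructed demo values: account "alice", password "correct horse".
function demo() {
  const session = new KeySession(new Map(), 'alice');
  const onChainActivePub = publicKeyHex(deriveRoleKey('alice', 'active', 'correct horse'));
  session.login('correct horse');
  let seen;
  const tag = session.withActiveKey('correct horse', onChainActivePub, (key) => {
    seen = key; // keep a reference to show the buffer is zeroed afterwards
    return crypto.createHmac('sha256', key).update('transfer 1 STEEM').digest('hex');
  });
  return { stored: [...session.storage.keys()], wiped: seen.every((b) => b === 0), tag };
}
```

The persisted posting key remains readable by any script running in the page's origin, which is the XSS exposure raised above; the split only limits what such a script can obtain from storage.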

Is there a way to sign a transaction without the user's password but only the private key of posting/active/owner, etc.? Thanks!

No, didn't check that yet. Only the conversion parts.

What I found with a quick search was https://github.com/steemit/steemit.com/blob/master/app/components/modules/LoginForm.jsx#L64 - there's the "stay logged in" in local storage as far as I understand. Didn't find the credentials though...

Nice. Sounds more efficient. My concern would be for the security of a potentially exposed private key. Nasty things happen when those are compromised. Please keep the community updated on the security being instituted to protect such valuable bits. Doing so may keep the natives from becoming restless.