SteemConnect is the worst login option for security by far. Saying that you don’t trust an app if it doesn’t support steemconnect is completely retarded
You are viewing a single comment's thread from:
SteemConnect is the worst login option for security by far. Saying that you don’t trust an app if it doesn’t support steemconnect is completely retarded
Agreed. If it's only for login, why would we need to delegate our keys to SteemConnect just to prove our identity? It is just silly unless the dapp needs more from you than to actually verify your identity. As for actually delegating authority to act on our behalve, I think Steemit Inc should be looking at Agora type capability secure smart contract based options for that instead of the crude course grained TTP solution SteemConnect provides. Seriously, it is 2018 and STEEM is a bleeding blockchain, why are we still using a centralised TTP as if it was 1998? Surely the Steemit Inc crowd could do way better than this if they would put these heads to it.
With SteemConnect you don't need to delegate posting authority to prove your identity. It's never been the case.
Yes it has. You can't login using the SteemConnect TTP unless you delegate it (and more) to the SteemConnect TTP.
You can, but if you don't believe me you can try by yourself, go on smartsteem.com and click login, you will see that posting authority delegation is not necessary.
Uhm, the TTP doesn't delegate authority to the dapp, but the user still needs to delegate a lot of her authority to the TTP. There is no "sign this token with your memo key" login, no "use this token in the memo field of a micro transaction" option, the only option the user gets to proof it's identity is using a TTP that in turn can only be used if you trust the TTP with your keys. That is a whole lot of trust to put in a TTP if all I want to do is use a few services that merely want me to prove my account ownership.
Yes, I've seen people using steemconnect to unknowingly "hack" people's keys. This happens. They are simply linking a link to enable all permissions and tell users they will give "upvotes" if they do. They didn't tell them about the permissions of course :D
Why is that? The worst is to having to trust every each Steem based websites to secure your key.
Or the Steem based website uses steem keychain and solves the problem. =)
Would you care to elaborate on that?
DTube store keys in localStorage, if someone hack DTube server he can modify the code to retreive users keys. When Utopian was hacked, the hacker only got some expirable token, users keys never been exposed.
Many sites are using offline tokens, if they get hacked, the users are screwed equally like putting the private key directly into. But the hacker doesn't even need to get it from the localStorage but take it directly from the database of the server. And its not really easy to prevent phishing here either.
Why not making a solution like steem keychain for all browsers? =)
Yeah did everyone forget utopian-io and the compromised keys via steemconnect? I guess so. Amnesia?