This is really cool. Security is a big concern of mine as well as many other members of the community. I wrote a post a few months back talking about some of the challenges that third party apps present from a security perspective.
I hope you won't mind if I ask a couple of "tough questions" since obviously the security of everyone's keys who use your service is at stake :)
- Is the cookie that is stored in the client's machine something that can be decrypted by the client, or can only the SteemConnect server do that?
- Is the data that is passed between the client's machine and the server encrypted before sending?
- Is it still theoretically possible for the user's key information to get stolen if the SteemConnect service itself is comprised? Basically could a malicious actor deploy an alternate version of the code on your end that steals the user's keys between the point that they are decrypted server-side and sent to the blockchain, or before it is encrypted and sent back to the client?
Some of the security experts in the community might have more.
Hey Tim, ofc i dont mind, i'm sure many people would like to know too, here my answers:
Only SteemConnect server can do that.
Yes, it's encrypted using CSRF token on client browser before being sent to server.
It's theoretical possible, SteemConnect decode the posting wif to create a signature then broadcast it to the blockchain. The hacker would need to access the server, change the code then user would need to send request to SteemConnect before we got noticed about that and before the user reset the posting wif.
Thanks for your reply. Users should be aware that at the end of the day, they are still placing their trust in your team to handle their private keys. Most of us already do that with Steemit, Inc. - so I'm not saying it is a huge problem; just something to be aware of.
Personally I would at least rather only have to trust my keys to one or two companies - rather than every single developer that builds a third party app - so at the very least it is a huge step in the right direction.
Out of curiosity, have you thought about or discussed the possibility of having Steemit host this part of the service?
I think the broader ecosystem would be better served by having more well-trusted services and providers (also designs that reduce this reliance altogether) rather than solving every problem by further centralizing on trust of Steemit itself. Perhaps these can be backed up by independent security audits and performance bonds of some sort.
That's a good point / suggestion.
Thank you for your feedback. About Steemit hosting the service we've been thinking about this and it's exactly what we want. IMO this would give a same level of trust than Steemit.com for Steem apps using SteemConnect, so its a big yes for us, but we still didn't discussed much about it with Steemit yet.
👍
please follow my account and help by resteeming and upvoting posts!
I will be able to make great quality posts in the near upcoming future!
cheers and saludos!
Dont hesitate to comment to my posts, i hope you get more followers yourself and I will surely follow you all!
Follow and upvote and resteem me!
Thanks everyone. I hope we can win together here with Steem! A big happy well fed family!
Don’t spam