RE: Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps by fabien

View this thread on: hive.blog | peakd.com | ecency.com

Viewing a response to: @timcliff/re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t154600299z

steemconnect · @fabien · Dec 8 '16

$0.04

Hey Tim, ofc i dont mind,  i'm sure many people would like to know too, here my answers: 
> Is the cookie that is stored in the client's machine something that can be decrypted by the client, or can only the SteemConnect server do that?

Only SteemConnect server can do that.
> Is the data that is passed between the client's machine and the server encrypted before sending?

Yes, it's encrypted using CSRF token on client browser before being sent to server.

> Is it still theoretically possible for the user's key information to get stolen if the SteemConnect service itself is comprised? Basically could a malicious actor deploy an alternate version of the code on your end that steals the user's keys between the point that they are decrypted server-side and sent to the blockchain, or before it is encrypted and sent back to the client?

It's theoretical possible, SteemConnect decode the posting wif to create a signature then broadcast it to the blockchain. The hacker would need to access the server, change the code then user would need to send request to SteemConnect before we got noticed about that and before the user reset the posting wif.

👍 aizensou, inertia, timcliff, bitcoinparadise, crok, seb, voterinterstpool, dealzgal, whalepool, codewithcheese, adigiovanni, wesoccer2003, lijshaw

`author`	fabien
`permlink`	re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t170242818z
`category`	steemconnect
`json_metadata`	{"tags":["steemconnect"]}
`created`	2016-12-08 17:02:42
`last_update`	2016-12-08 17:02:42
`depth`	2
`children`	5
`last_payout`	2017-01-08 20:06:27
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.029 HBD
`curator_payout_value`	0.009 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1,154
`author_reputation`	16,649,367,183,999
`root_title`	"Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	1,952,922
`net_rshares`	759,744,394,519
`author_curate_reward`	""

properties (23)vote details (13)

voter	rshares	pct
aizensou	605,075,197,055	100%
crok	4,999,097,241	100%
inertia	115,629,088,054	100%
seb	719,356,359	100%
whalepool	51,281,623	100%
timcliff	24,768,898,212	25%
bitcoinparadise	8,312,760,410	100%
dealzgal	52,358,076	100%
voterinterstpool	136,357,489	100%
lijshaw	0	100%
wesoccer2003	0	100%
adigiovanni	0	100%
codewithcheese	0	100%

@timcliff · Dec 8 '16 (edited)

$0.46

Thanks for your reply. Users should be aware that at the end of the day, they are still placing their trust in your team to handle their private keys. Most of us already do that with Steemit, Inc. - so I'm not saying it is a huge problem; just something to be aware of. 

Personally I would at least rather only have to trust my keys to one or two companies - rather than every single developer that builds a third party app - so at the very least it is a **huge** step in the right direction.

Out of curiosity, have you thought about or discussed the possibility of having Steemit host this part of the service?

👍 arhag, robrigo, inertia, thecryptofiend, bitcoinparadise, voterinterstpool, avinigo, sirex, lijshaw

`author`	timcliff
`permlink`	re-fabien-re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t173340502z
`category`	steemconnect
`json_metadata`	{"tags":["steemconnect"]}
`created`	2016-12-08 17:33:39
`last_update`	2016-12-08 17:35:09
`depth`	3
`children`	4
`last_payout`	2017-01-08 20:06:27
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.348 HBD
`curator_payout_value`	0.115 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	613
`author_reputation`	272,954,445,077,789
`root_title`	"Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	1,953,159
`net_rshares`	4,803,646,031,377
`author_curate_reward`	""

properties (23)vote details (9)

voter	rshares	pct
arhag	4,314,006,307,792	50%
thecryptofiend	13,476,532,233	1%
robrigo	352,084,985,399	100%
inertia	115,629,088,054	100%
bitcoinparadise	8,312,760,410	100%
voterinterstpool	136,357,489	100%
lijshaw	0	100%
sirex	0	100%
avinigo	0	100%

@fabien · Dec 8 '16

Thank you for your feedback. About Steemit hosting the service we've been thinking about this and it's exactly what we want. IMO this would give a same level of trust than Steemit.com for Steem apps using SteemConnect, so its a big yes for us, but we still didn't discussed much about it with Steemit yet.

👍 inertia, timcliff, thecryptofiend, bitcoinparadise, crok, seb, voterinterstpool, whalepool, lijshaw

`author`	fabien
`permlink`	re-timcliff-re-fabien-re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t182515135z
`category`	steemconnect
`json_metadata`	{"tags":["steemconnect"]}
`created`	2016-12-08 18:25:15
`last_update`	2016-12-08 18:25:15
`depth`	4
`children`	1
`last_payout`	2017-01-08 20:06:27
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	305
`author_reputation`	16,649,367,183,999
`root_title`	"Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	1,953,598
`net_rshares`	165,843,647,388
`author_curate_reward`	""

properties (23)vote details (9)

voter	rshares	pct
thecryptofiend	13,476,532,233	1%
crok	4,999,097,241	100%
inertia	115,629,088,054	100%
seb	719,356,359	100%
whalepool	51,281,623	100%
timcliff	22,519,173,979	25%
bitcoinparadise	8,312,760,410	100%
voterinterstpool	136,357,489	100%
lijshaw	0	100%

@timcliff · Dec 8 '16

👍

👍 carterliu, lijshaw

`author`	timcliff
`permlink`	re-fabien-re-timcliff-re-fabien-re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t182833695z
`category`	steemconnect
`json_metadata`	{"tags":["steemconnect"]}
`created`	2016-12-08 18:28:33
`last_update`	2016-12-08 18:28:33
`depth`	5
`children`	0
`last_payout`	2017-01-08 20:06:27
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1
`author_reputation`	272,954,445,077,789
`root_title`	"Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	1,953,635
`net_rshares`	0
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
lijshaw	0 B		0	100%
carterliu	0 B		0	0%

@smooth · Dec 8 '16

$0.09

I think the broader ecosystem would be better served by having more well-trusted services and providers (also designs that reduce this reliance altogether) rather than solving every problem by further centralizing on trust of Steemit itself. Perhaps these can be backed up by independent security audits and performance bonds of some sort.

👍 roelandp, ekitcho, robrigo, inertia, timcliff, bitcoinparadise, crok, seb, lijshaw

`author`	smooth
`permlink`	re-timcliff-re-fabien-re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t221900200z
`category`	steemconnect
`json_metadata`	{"tags":["steemconnect"]}
`created`	2016-12-08 22:19:00
`last_update`	2016-12-08 22:19:00
`depth`	4
`children`	1
`last_payout`	2017-01-08 20:06:27
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.074 HBD
`curator_payout_value`	0.013 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	339
`author_reputation`	253,602,537,834,068
`root_title`	"Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	1,955,749
`net_rshares`	1,881,573,794,884
`author_curate_reward`	""

properties (23)vote details (9)

voter	rshares	pct
crok	4,826,714,578	100%
roelandp	851,414,993,510	100%
robrigo	352,084,985,399	100%
inertia	115,629,088,054	100%
seb	719,356,359	100%
timcliff	22,521,957,742	25%
ekitcho	526,063,938,832	100%
bitcoinparadise	8,312,760,410	100%
lijshaw	0	100%

@timcliff · Dec 8 '16

That's a good point / suggestion.

👍 lijshaw

`author`	timcliff
`permlink`	re-smooth-re-timcliff-re-fabien-re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t225743863z
`category`	steemconnect
`json_metadata`	{"tags":["steemconnect"]}
`created`	2016-12-08 22:57:45
`last_update`	2016-12-08 22:57:45
`depth`	5
`children`	0
`last_payout`	2017-01-08 20:06:27
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	33
`author_reputation`	272,954,445,077,789
`root_title`	"Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	1,956,029
`net_rshares`	0
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
lijshaw	0 B		0	100%