Viewing a response to: @busy.org/introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps
This is really cool. Security is a big concern of mine as well as many other members of the community. I wrote <a href="https://steemit.com/security/@timcliff/steem-tools-development-centralized-steemit-com-vs-decentralized-app-center-security-concerns">a post</a> a few months back talking about some of the challenges that third party apps present from a security perspective. I hope you won't mind if I ask a couple of "tough questions" since obviously the security of everyone's keys who use your service is at stake :) - Is the cookie that is stored in the client's machine something that can be decrypted by the client, or can only the SteemConnect server do that? - Is the data that is passed between the client's machine and the server encrypted before sending? - Is it still theoretically possible for the user's key information to get stolen if the SteemConnect service itself is comprised? Basically could a malicious actor deploy an alternate version of the code on your end that steals the user's keys between the point that they are decrypted server-side and sent to the blockchain, or before it is encrypted and sent back to the client? Some of the security experts in the community might have more.
| author | timcliff |
|---|---|
| permlink | re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t154600299z |
| category | steemconnect |
| json_metadata | {"tags":["steemconnect"],"links":["https://steemit.com/security/@timcliff/steem-tools-development-centralized-steemit-com-vs-decentralized-app-center-security-concerns"]} |
| created | 2016-12-08 15:46:00 |
| last_update | 2016-12-08 15:54:30 |
| depth | 1 |
| children | 8 |
| last_payout | 2017-01-08 20:06:27 |
| cashout_time | 1969-12-31 23:59:59 |
| total_payout_value | 0.039 HBD |
| curator_payout_value | 0.003 HBD |
| pending_payout_value | 0.000 HBD |
| promoted | 0.000 HBD |
| body_length | 1,217 |
| author_reputation | 272,954,445,077,789 |
| root_title | "Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps" |
| beneficiaries | [] |
| max_accepted_payout | 1,000,000.000 HBD |
| percent_hbd | 10,000 |
| post_id | 1,952,327 |
| net_rshares | 958,013,738,117 |
| author_curate_reward | "" |
| voter | weight | wgt% | rshares | pct | time |
|---|---|---|---|---|---|
| klye | 0 | 139,018,936,866 | 100% | ||
| thecryptofiend | 0 | 13,476,532,233 | 1% | ||
| crok | 0 | 4,999,097,241 | 100% | ||
| catchfire | 0 | 28,300,615,588 | 100% | ||
| igster | 0 | 25,138,820,209 | 100% | ||
| inertia | 0 | 115,629,088,054 | 100% | ||
| seb | 0 | 719,356,359 | 100% | ||
| whalepool | 0 | 51,281,623 | 100% | ||
| timcliff | 0 | 94,572,156,811 | 100% | ||
| ekitcho | 0 | 526,063,552,199 | 100% | ||
| bitcoinparadise | 0 | 8,493,472,593 | 100% | ||
| inarix03 | 0 | 50,182,131 | 100% | ||
| dealzgal | 0 | 52,358,076 | 100% | ||
| voterinterstpool | 0 | 139,198,270 | 100% | ||
| codydeeds | 0 | 1,309,089,864 | 100% | ||
| lijshaw | 0 | 0 | 100% | ||
| wesoccer2003 | 0 | 0 | 100% | ||
| adigiovanni | 0 | 0 | 100% | ||
| codewithcheese | 0 | 0 | 100% | ||
| shreyasgune | 0 | 0 | 100% | ||
| sirex | 0 | 0 | 100% | ||
| hrj | 0 | 0 | 100% | ||
| renegadetrader | 0 | 0 | 100% | ||
| kongen | 0 | 0 | 100% | ||
| avinigo | 0 | 0 | 100% |
Hey Tim, ofc i dont mind, i'm sure many people would like to know too, here my answers: > Is the cookie that is stored in the client's machine something that can be decrypted by the client, or can only the SteemConnect server do that? Only SteemConnect server can do that. > Is the data that is passed between the client's machine and the server encrypted before sending? Yes, it's encrypted using CSRF token on client browser before being sent to server. > Is it still theoretically possible for the user's key information to get stolen if the SteemConnect service itself is comprised? Basically could a malicious actor deploy an alternate version of the code on your end that steals the user's keys between the point that they are decrypted server-side and sent to the blockchain, or before it is encrypted and sent back to the client? It's theoretical possible, SteemConnect decode the posting wif to create a signature then broadcast it to the blockchain. The hacker would need to access the server, change the code then user would need to send request to SteemConnect before we got noticed about that and before the user reset the posting wif.
| author | fabien |
|---|---|
| permlink | re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t170242818z |
| category | steemconnect |
| json_metadata | {"tags":["steemconnect"]} |
| created | 2016-12-08 17:02:42 |
| last_update | 2016-12-08 17:02:42 |
| depth | 2 |
| children | 5 |
| last_payout | 2017-01-08 20:06:27 |
| cashout_time | 1969-12-31 23:59:59 |
| total_payout_value | 0.029 HBD |
| curator_payout_value | 0.009 HBD |
| pending_payout_value | 0.000 HBD |
| promoted | 0.000 HBD |
| body_length | 1,154 |
| author_reputation | 16,649,367,183,999 |
| root_title | "Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps" |
| beneficiaries | [] |
| max_accepted_payout | 1,000,000.000 HBD |
| percent_hbd | 10,000 |
| post_id | 1,952,922 |
| net_rshares | 759,744,394,519 |
| author_curate_reward | "" |
| voter | weight | wgt% | rshares | pct | time |
|---|---|---|---|---|---|
| aizensou | 0 | 605,075,197,055 | 100% | ||
| crok | 0 | 4,999,097,241 | 100% | ||
| inertia | 0 | 115,629,088,054 | 100% | ||
| seb | 0 | 719,356,359 | 100% | ||
| whalepool | 0 | 51,281,623 | 100% | ||
| timcliff | 0 | 24,768,898,212 | 25% | ||
| bitcoinparadise | 0 | 8,312,760,410 | 100% | ||
| dealzgal | 0 | 52,358,076 | 100% | ||
| voterinterstpool | 0 | 136,357,489 | 100% | ||
| lijshaw | 0 | 0 | 100% | ||
| wesoccer2003 | 0 | 0 | 100% | ||
| adigiovanni | 0 | 0 | 100% | ||
| codewithcheese | 0 | 0 | 100% |
Thanks for your reply. Users should be aware that at the end of the day, they are still placing their trust in your team to handle their private keys. Most of us already do that with Steemit, Inc. - so I'm not saying it is a huge problem; just something to be aware of. Personally I would at least rather only have to trust my keys to one or two companies - rather than every single developer that builds a third party app - so at the very least it is a **huge** step in the right direction. Out of curiosity, have you thought about or discussed the possibility of having Steemit host this part of the service?
| author | timcliff |
|---|---|
| permlink | re-fabien-re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t173340502z |
| category | steemconnect |
| json_metadata | {"tags":["steemconnect"]} |
| created | 2016-12-08 17:33:39 |
| last_update | 2016-12-08 17:35:09 |
| depth | 3 |
| children | 4 |
| last_payout | 2017-01-08 20:06:27 |
| cashout_time | 1969-12-31 23:59:59 |
| total_payout_value | 0.348 HBD |
| curator_payout_value | 0.115 HBD |
| pending_payout_value | 0.000 HBD |
| promoted | 0.000 HBD |
| body_length | 613 |
| author_reputation | 272,954,445,077,789 |
| root_title | "Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps" |
| beneficiaries | [] |
| max_accepted_payout | 1,000,000.000 HBD |
| percent_hbd | 10,000 |
| post_id | 1,953,159 |
| net_rshares | 4,803,646,031,377 |
| author_curate_reward | "" |
| voter | weight | wgt% | rshares | pct | time |
|---|---|---|---|---|---|
| arhag | 0 | 4,314,006,307,792 | 50% | ||
| thecryptofiend | 0 | 13,476,532,233 | 1% | ||
| robrigo | 0 | 352,084,985,399 | 100% | ||
| inertia | 0 | 115,629,088,054 | 100% | ||
| bitcoinparadise | 0 | 8,312,760,410 | 100% | ||
| voterinterstpool | 0 | 136,357,489 | 100% | ||
| lijshaw | 0 | 0 | 100% | ||
| sirex | 0 | 0 | 100% | ||
| avinigo | 0 | 0 | 100% |
Thank you for your feedback. About Steemit hosting the service we've been thinking about this and it's exactly what we want. IMO this would give a same level of trust than Steemit.com for Steem apps using SteemConnect, so its a big yes for us, but we still didn't discussed much about it with Steemit yet.
| author | fabien |
|---|---|
| permlink | re-timcliff-re-fabien-re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t182515135z |
| category | steemconnect |
| json_metadata | {"tags":["steemconnect"]} |
| created | 2016-12-08 18:25:15 |
| last_update | 2016-12-08 18:25:15 |
| depth | 4 |
| children | 1 |
| last_payout | 2017-01-08 20:06:27 |
| cashout_time | 1969-12-31 23:59:59 |
| total_payout_value | 0.000 HBD |
| curator_payout_value | 0.000 HBD |
| pending_payout_value | 0.000 HBD |
| promoted | 0.000 HBD |
| body_length | 305 |
| author_reputation | 16,649,367,183,999 |
| root_title | "Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps" |
| beneficiaries | [] |
| max_accepted_payout | 1,000,000.000 HBD |
| percent_hbd | 10,000 |
| post_id | 1,953,598 |
| net_rshares | 165,843,647,388 |
| author_curate_reward | "" |
| voter | weight | wgt% | rshares | pct | time |
|---|---|---|---|---|---|
| thecryptofiend | 0 | 13,476,532,233 | 1% | ||
| crok | 0 | 4,999,097,241 | 100% | ||
| inertia | 0 | 115,629,088,054 | 100% | ||
| seb | 0 | 719,356,359 | 100% | ||
| whalepool | 0 | 51,281,623 | 100% | ||
| timcliff | 0 | 22,519,173,979 | 25% | ||
| bitcoinparadise | 0 | 8,312,760,410 | 100% | ||
| voterinterstpool | 0 | 136,357,489 | 100% | ||
| lijshaw | 0 | 0 | 100% |
I think the broader ecosystem would be better served by having more well-trusted services and providers (also designs that reduce this reliance altogether) rather than solving every problem by further centralizing on trust of Steemit itself. Perhaps these can be backed up by independent security audits and performance bonds of some sort.
| author | smooth |
|---|---|
| permlink | re-timcliff-re-fabien-re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20161208t221900200z |
| category | steemconnect |
| json_metadata | {"tags":["steemconnect"]} |
| created | 2016-12-08 22:19:00 |
| last_update | 2016-12-08 22:19:00 |
| depth | 4 |
| children | 1 |
| last_payout | 2017-01-08 20:06:27 |
| cashout_time | 1969-12-31 23:59:59 |
| total_payout_value | 0.074 HBD |
| curator_payout_value | 0.013 HBD |
| pending_payout_value | 0.000 HBD |
| promoted | 0.000 HBD |
| body_length | 339 |
| author_reputation | 253,602,537,834,068 |
| root_title | "Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps" |
| beneficiaries | [] |
| max_accepted_payout | 1,000,000.000 HBD |
| percent_hbd | 10,000 |
| post_id | 1,955,749 |
| net_rshares | 1,881,573,794,884 |
| author_curate_reward | "" |
| voter | weight | wgt% | rshares | pct | time |
|---|---|---|---|---|---|
| crok | 0 | 4,826,714,578 | 100% | ||
| roelandp | 0 | 851,414,993,510 | 100% | ||
| robrigo | 0 | 352,084,985,399 | 100% | ||
| inertia | 0 | 115,629,088,054 | 100% | ||
| seb | 0 | 719,356,359 | 100% | ||
| timcliff | 0 | 22,521,957,742 | 25% | ||
| ekitcho | 0 | 526,063,938,832 | 100% | ||
| bitcoinparadise | 0 | 8,312,760,410 | 100% | ||
| lijshaw | 0 | 0 | 100% |
please follow my account and help by resteeming and upvoting posts! I will be able to make great quality posts in the near upcoming future! cheers and saludos! Dont hesitate to comment to my posts, i hope you get more followers yourself and I will surely follow you all! Follow and upvote and resteem me! Thanks everyone. I hope we can win together here with Steem! A big happy well fed family!
| author | kongen |
|---|---|
| permlink | re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20180318t153907720z |
| category | steemconnect |
| json_metadata | {"tags":["steemconnect"],"app":"steemit/0.1"} |
| created | 2018-03-18 15:39:09 |
| last_update | 2018-03-18 15:39:09 |
| depth | 2 |
| children | 1 |
| last_payout | 2018-03-25 15:39:09 |
| cashout_time | 1969-12-31 23:59:59 |
| total_payout_value | 0.000 HBD |
| curator_payout_value | 0.000 HBD |
| pending_payout_value | 0.000 HBD |
| promoted | 0.000 HBD |
| body_length | 398 |
| author_reputation | -80,612,357,479 |
| root_title | "Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps" |
| beneficiaries | [] |
| max_accepted_payout | 1,000,000.000 HBD |
| percent_hbd | 10,000 |
| post_id | 45,160,934 |
| net_rshares | -285,320,734,980 |
| author_curate_reward | "" |
| voter | weight | wgt% | rshares | pct | time |
|---|---|---|---|---|---|
| timcliff | 0 | -285,850,461,316 | -20% | ||
| kongen | 0 | 529,726,336 | 100% | ||
| avinigo | 0 | 0 | -100% |
Don’t spam
| author | timcliff |
|---|---|
| permlink | re-kongen-re-timcliff-re-busyorg-introducing-steemconnect-by-busy-identity-authentication-authorization-for-steem-blockchain-s-apps-20180318t174458230z |
| category | steemconnect |
| json_metadata | {"tags":["steemconnect"],"app":"steemit/0.1"} |
| created | 2018-03-18 17:44:57 |
| last_update | 2018-03-18 17:44:57 |
| depth | 3 |
| children | 0 |
| last_payout | 2018-03-25 17:44:57 |
| cashout_time | 1969-12-31 23:59:59 |
| total_payout_value | 0.000 HBD |
| curator_payout_value | 0.000 HBD |
| pending_payout_value | 0.000 HBD |
| promoted | 0.000 HBD |
| body_length | 10 |
| author_reputation | 272,954,445,077,789 |
| root_title | "Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps" |
| beneficiaries | [] |
| max_accepted_payout | 1,000,000.000 HBD |
| percent_hbd | 10,000 |
| post_id | 45,181,653 |
| net_rshares | 0 |
hiveblocks