A new start for SteemConnect
Dear Steemians,
We are pleased to announce that a new version of SteemConnect is under construction. Since we’ve started, 683 Steem based apps have integrated SteemConnect 2. Despite the great adoption there is few downsides we come across and we believe there is a lot of room for improvements. We’ve proposed a new version of SteemConnect to Steemit Inc. and it was received with a lot of support. We got a lot of great feedback from the community and this new version will be taking them to heart, it will be more decentralized, more flexible, cross platform and give a higher level of security to the users.
SteemConnect will also no longer be owned by Steemit Inc. but instead be a community driven project managed by me @fabien, @sekhmet and @almost-digital. I would like to thank Steemit for their continuous support all along the way, it has been a pleasure working together.
If you are interested to know what’s to come next, follow @steemscript and stay tuned, we are going to publish a series of posts shortly!
Cheers!
amazing! cant wait
If an app doesn't have SteemConnect, I don't trust it :D
Same here, with the only exception being Steem Monsters. Luckily they only ask for the Posting Key, so it would not even be a big problem if there was a security breach with the Steem Monster website.
SteemConnect is the worst login option for security by far. Saying that you don’t trust an app if it doesn’t support steemconnect is completely retarded
Agreed. If it's only for login, why would we need to delegate our keys to SteemConnect just to prove our identity? It is just silly unless the dapp needs more from you than to actually verify your identity. As for actually delegating authority to act on our behalve, I think Steemit Inc should be looking at Agora type capability secure smart contract based options for that instead of the crude course grained TTP solution SteemConnect provides. Seriously, it is 2018 and STEEM is a bleeding blockchain, why are we still using a centralised TTP as if it was 1998? Surely the Steemit Inc crowd could do way better than this if they would put these heads to it.
With SteemConnect you don't need to delegate posting authority to prove your identity. It's never been the case.
Yes it has. You can't login using the SteemConnect TTP unless you delegate it (and more) to the SteemConnect TTP.
You can, but if you don't believe me you can try by yourself, go on smartsteem.com and click login, you will see that posting authority delegation is not necessary.
Uhm, the TTP doesn't delegate authority to the dapp, but the user still needs to delegate a lot of her authority to the TTP. There is no "sign this token with your memo key" login, no "use this token in the memo field of a micro transaction" option, the only option the user gets to proof it's identity is using a TTP that in turn can only be used if you trust the TTP with your keys. That is a whole lot of trust to put in a TTP if all I want to do is use a few services that merely want me to prove my account ownership.
Yet, how many of the 683 apps don't just verify identify, but actually asks by default for posting and voting auth? I bet its like 95%
Please give us data, and stop derailing useful conversations
Yes, I've seen people using steemconnect to unknowingly "hack" people's keys. This happens. They are simply linking a link to enable all permissions and tell users they will give "upvotes" if they do. They didn't tell them about the permissions of course :D
Why is that? The worst is to having to trust every each Steem based websites to secure your key.
We talked about that hundreds of times, including in private messages. I don't feel like arguing anymore because I'm tired of it and I guess if Steem It Inc isn't funding SteemConnect anymore, it probably means I argued good enough in the past.
SO LONG STEEMCONNECT
P.S: Told you so 2 years ago ;)
Or the Steem based website uses steem keychain and solves the problem. =)
Would you care to elaborate on that?
Is a proof by example good enough? Utopian, about 1 year ago. Pictures of flowers everywhere?
Nobody hacked DTube or posting keys. Why? Because I dont store keys or 'tokens' that replace them in a centralized db, its literally staying in your PC and cant get massively hacked ever.
DTube store keys in localStorage, if someone hack DTube server he can modify the code to retreive users keys. When Utopian was hacked, the hacker only got some expirable token, users keys never been exposed.
And btw no it’s not local storage it’s indexedDB
A posting key can be reset at any time with the master.
DTube never got hacked this way, because my github account is way more secure than all servers setup by apps using auth of users
Many sites are using offline tokens, if they get hacked, the users are screwed equally like putting the private key directly into. But the hacker doesn't even need to get it from the localStorage but take it directly from the database of the server. And its not really easy to prevent phishing here either.
Why not making a solution like steem keychain for all browsers? =)
Yeah did everyone forget utopian-io and the compromised keys via steemconnect? I guess so. Amnesia?
SteemConnect is very much overused for authentication IMHO. Seriously, why use SteemConnect only to allow a user to proof his/her identity when you can simply use a micro transaction for that. We should have less SteemConnect usage by Apps and more micro-transaction based authentication. So, actually, if an App could use micro transactions but user SteemConnect instead, then I don't trust it😉
Microtransactions are not free, it would be visible on the chain (everyone would know when you login), and require your active key. I'm not sure how is that good for the users.
It is good for the user because it does not require trusting a TTP with your keys. How is this hard to grasp?
I like steemconnect, but would prefer to use keychain. Keychain has some other benefits like not having to need to trust the site with your keys and you get to confirm every single action as long as you don't give the site the power to not need to send confirmations.
Great news!
python client is ready for the changes. :)
This is amazing news! Steemconnect has really played a huge role in making people be able to trust the dapps that are built on top of the Steem blockchain, and I'm sure a lot of them would have many fewer users if it hadn't been for Steemconnect. I'm really looking forward to learning more about Steemconnect 3!
The next big thing to hit the blockchain, let's go!
Cool! Looking forward to seeing what this new version brings! SteemConnect is a wonderful project and very much needed. Good luck with your development!
I'm really happy to hear more about the security....I believe it is the most important part.
Subscribed to @steemscript
Really interesting to know more about SteemConnect 3 features/improvements :)
Way to go. Looking forward for the new features - anything that helps mass adoption is highly welcome
Excited about the new version of Steem Connect. All the dapp creators use Steemconnect and that is what everyone is trusting.
Posted using Partiko Android
Downvoted by @fabien 🤔🤔
Posted using Partiko Android
Hehe this was a miss click :)
Ha ha ha.. Okay. 😀
Posted using Partiko Android