One thing that has bothered me since I started using Steem over a year ago, is that every single web app requires you to enter your private key into the website to use it.
The common response to that is that it's not a big deal because most sites only require your posting key, but I disagree. Sure you and I may know how to use our posting key but I'm guessing that a vast majority of Steem users just use their master password.
As a blockchain platform trying to cater more to the general public I don't think it's ok to put the burden of understanding the different keys and levels of security on the users. The tools and services should be built such that security is the default.
Additionally, most web apps built on Steem use Steem Connect, which requires you to put your active key into their website and then uses that to grant posting authority on your account to an account they control.
What I commonly hear regarding steemit.com or Steem Connect is that it's ok to put your active key into those sites because they are run by Steemit, Inc. Even if I were to fully trust Steemit, Inc not to purposely steal my keys, anyone can be hacked. If the servers hosting steemit.com or Steem Connect were hacked, I expect that thousands of keys would be stolen, and accounts would be emptied of liquid funds, within a very short period of time.
The last, and final option, is to use the Vessel desktop wallet software. This is actually a great option from a security standpoint, but from an ease of use standpoint it's not great, and I find it very unlikely that all but a small group of power users will use it.
So, for a long time I just accepted that that's the way Steem is, until one day when I actually used an Ethereum dApp. Despite it being slow and costing fees, I noticed that at no point did I have to enter my wallet private key into the website. The website simply called the Metamask browser extension to sign and broadcast the transactions for it.
Once I realized this, I couldn't understand why on earth there wasn't something like Metamask for Steem. Not only would it completely resolve the issue of having to put private keys into websites, but there's also so much more you could do with it on Steem than on Ethereum (seeing as Steem is specifically built for websites to interact with it).
At this point I was already knee deep in Steem Monsters, but I felt that this was an absolute necessity for the Steem platform so I talked about it with @aggroed. He agreed that this was an important project and wanted to help make it reality. Since I didn't have time to build it myself, we decided that Steem Monsters should fund its development.
So Aggroed and I got to work writing up specs for the extension, what features it should have, creating wireframe designs, etc. Then we got the amazing @nateaguila to do the graphics and UI design, and finally got Mr. Steem Plus himself, @stoodkev to do the bulk of the development.
Introducing the Steem Keychain Chrome Browser Extension
Finally, the Steem Keychain Chrome browser extension was born! I have been using it actively while it has been in development for the last couple of months, along with Aggroed and some other people we brought in to help test it, and I can say with some certainty that this will change the way you interact on the Steem blockchain.
Take a look at the following video to see what I mean:
Using the extension I was able to easily view info and make transactions from multiple accounts, and interact with the Steem Monsters web app without ever compromising any of my keys!
Currently Steem Monsters and Peak Monsters support the Steem Keychain extension, and Steem Peak is working on adding support as well. My hope is that one day all Steem-based sites, dare I say even steemit.com, will support the extension as well, and the days of putting keys into websites will be over.
The Steem Keychain extension currently includes the following features:
- Store an unlimited number of Steem account keys, encrypted with AES
- Easily view balances, transaction history, voting mana, and resource credits for all of your accounts
- Send STEEM and SBD transfers right from the extension
- Securely interact with Steem-based websites that have integrated with Steem Keychain
- Manage transaction confirmation preferences by account and by website
- Manage automatic lock settings to lock when the browser is closed, the device is locked, or after the browser is idle for a specified period of time
Website Integration Features
Websites can currently request the Steem Keychain extension to perform the following functions / broadcast operations (note that by default, users will have to confirm any transactions requested by a website, but they have the option to turn off the confirmations for specific operations and websites as desired):
- Send a handshake to make sure the extension is installed and running
- Decrypt a message encrypted by a Steem account private key (commonly used for "logging in")
- Post a comment (top level or reply) including a "comment_options" transaction for beneficiaries
- Broadcast a vote
- Broadcast a custom JSON operation
- Send a transfer
- Broadcast a delegation operation
New Features Coming Soon™
- Power up / down
- Manage delegations
- Manage witness votes
- Claim pending reward balances
- Support for Firefox and other browsers
Integrating with Steem Keychain
The code for the extension is all open source and available on Github here: https://github.com/MattyIce/steem-keychain
The readme contains instructions for Steem-based websites to integrate with the extension. If you need any help or have any questions / suggestions for integrating Steem Keychain into your site, please feel free to contact @yabapmatt or @stoodkev on Discord.
The Broader Mission
Beyond the standard work that witnesses are expected to do (which was brought into the forefront recently with the HF20 release), I think that each witness should have an overall goal, or mission, for the future of the Steem blockchain that they are primarily working towards.
For me, that mission is bringing more and varied apps to the Steem blockchain. I plan to go into this in more detail in my next witness update post, for which I am long overdue, but I am mentioning it here because I feel that the Steem Keychain extension is a critical component to that mission.
I am talking with some Ethereum app developers who are considering porting their apps to Steem, and they told me that almost all of their users use Metamask to interact with their apps and they were surprised to hear that Steem doesn't have something similar. Well now it does.
If you also support this mission, I ask that you consider voting for myself, @aggroed, and @stoodkev as Steem witness (and also support @nateaguila's posts as he is a talented and valuable contributor to this project and the Steem platform as a whole).
Please keep in mind that this is a first version of a brand new product. There will likely be some bugs or other issues that we didn't catch during testing. We welcome help and constructive feedback from the community to improve the product and work to achieve the stated goal of completely eliminating the need to put private keys into websites.
In case you missed it, here is the direct link to download and install the extension in Chrome: https://chrome.google.com/webstore/detail/steem-keychain/lkcjlnjfpbikmcmbachjpdbijejflpcm We would also appreciate you taking the time to rate the app in the Chrome web store to help increase its visibility in searches.
Be free and Steem on!