Steemit's Security Values & How Steem Keychain Can Help
There have been a whole bunch of updates made to the Steem Keychain browser extension since its initial launch three months ago, and I sincerely apologize for not having posted about them in all this time.
Most of you have hopefully already seen the updates in the extension anyway, so please show your appreciation to @stoodkev who is the primary developer responsible for it.
In any case, I promise I will post about all of the new and upcoming features soon, but first I wanted to talk about something in Steemit, Inc.'s recently published Mission, Vision, and Values statement, which you can read here: https://steemit.com/about.html
Under the "Security" section, which is one of the Values, it says the following (emphasis mine):
This principle has led us to preferred use of client-side signing for cryptocurrency use on steemit.com, which means all transactions are pushed by the user while Steemit, Inc. never has access to, nor sees the user’s private keys
This statement immediately jumped out at me because it is technically not true. Steemit.com, Steem Connect, and many other Steem-based sites require you to enter your private key into a text field on the website to log in and use the site. This means that the site operator does have access to your private key. We just have to trust that they do not access it, and we have to trust that the servers hosting the website have not been compromised.
This is the exact reason that the Steem Keychain browser extension was created. It allows websites to request that the extension sign and broadcast transactions for them, so that the user never has to enter their private keys into the site directly. This means that even with a malicious site operator, or a compromised server, your keys are safe.
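The trust boundary described above, as an added example (not code from the original post or from the Steem Keychain project): a toy wallet holds the private key, and the site only ever receives signatures over single-use challenges. `makeWallet`, `makeSite` and `requestSign` are hypothetical names, and Node's built-in `crypto` ECDSA stands in for Steem's own signing format.

```javascript
// Toy model of the wallet/site trust boundary; not Steem Keychain's code.
const crypto = require('crypto');

// Wallet side (stands in for the browser extension). The private key lives
// only in this closure: callers can request signatures, never the key itself.
function makeWallet() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  return {
    publicKey, // public half only; on Steem this is published on-chain
    // Hypothetical signing request. `approve` models the user's confirmation
    // prompt; a declined request returns no signature at all.
    requestSign(message, approve) {
      if (!approve) return { success: false, error: 'user_cancel' };
      const sig = crypto.sign('sha256', Buffer.from(message), privateKey);
      return { success: true, signature: sig.toString('hex') };
    },
  };
}

// Site side. It knows the account's public key and issues random challenges;
// a compromised site can at most obtain signatures over its own nonces.
function makeSite(accountPublicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const nonce = crypto.randomBytes(16).toString('hex');
      pending.add(nonce);
      return nonce;
    },
    login(nonce, response) {
      // Single-use nonce: a captured signature cannot be replayed later.
      if (!pending.delete(nonce) || !response.success) return false;
      return crypto.verify('sha256', Buffer.from(nonce), accountPublicKey,
        Buffer.from(response.signature, 'hex'));
    },
  };
}
```
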
@eonwarped has generously donated his time to integrate the Steem Keychain extension into the condenser code that runs steemit.com and has submitted a pull request to merge that code into the main condenser code repository so that it can be put live on steemit.com. You can try out a version of condenser with Steem Keychain integration right now at https://cryptoempirebot.com which @eonwarped is hosting.
Many people that I speak to about the Steem platform, who are more familiar with using apps on other blockchain platforms such as Ethereum, balk at the concept of having to put your private key into a website, and cannot believe that's the way things are done here. It's great that we can now tell them that they can use the Steem Keychain extension instead, which alleviates their concerns, but unfortunately it is still not integrated into many Steem-based sites, including, and most importantly, steemit.com.
If Steemit, Inc really does value security, I would strongly urge them to work with us to get the pull request merged and add Steem Keychain support to steemit.com. If the community also agrees, @aggroed and I would appreciate your support by voicing your opinion to try to make this happen.
In the meantime, I would encourage all of you to check out https://steeve.app which is a fantastic front-end for the Steem blockchain and also includes full Steem Keychain support.
For those of you not familiar with the Steem Keychain extension, you can read about it in our introductory post, and download it for the Google Chrome or Brave web browsers here (Firefox and Opera support coming soon).