Hate putting private keys into websites? Introducing Steem Keychain!
One thing that has bothered me since I started using Steem over a year ago, is that every single web app requires you to enter your private key into the website to use it.
The common response to that is that it's not a big deal because most sites only require your posting key, but I disagree. Sure you and I may know how to use our posting key but I'm guessing that a vast majority of Steem users just use their master password.
As a blockchain platform trying to cater more to the general public I don't think it's ok to put the burden of understanding the different keys and levels of security on the users. The tools and services should be built such that security is the default.
Additionally, most web apps built on Steem use Steem Connect, which requires you to put your active key into their website and then uses that to grant posting authority on your account to an account they control.
What I commonly hear regarding steemit.com or Steem Connect is that it's ok to put your active key into those sites because they are run by Steemit, Inc. Even if I were to fully trust Steemit, Inc not to purposely steal my keys, anyone can be hacked. If the servers hosting steemit.com or Steem Connect were hacked, I expect that thousands of keys would be stolen, and accounts would be emptied of liquid funds, within a very short period of time.
The last, and final option, is to use the Vessel desktop wallet software. This is actually a great option from a security standpoint, but from an ease of use standpoint it's not great, and I find it very unlikely that all but a small group of power users will use it.
So, for a long time I just accepted that that's the way Steem is, until one day when I actually used an Ethereum dApp. Despite it being slow and costing fees, I noticed that at no point did I have to enter my wallet private key into the website. The website simply called the Metamask browser extension to sign and broadcast the transactions for it.
Once I realized this, I couldn't understand why on earth there wasn't something like Metamask for Steem. Not only would it completely resolve the issue of having to put private keys into websites, but there's also so much more you could do with it on Steem than on Ethereum (seeing as Steem is specifically built for websites to interact with it).
At this point I was already knee deep in Steem Monsters, but I felt that this was an absolute necessity for the Steem platform so I talked about it with @aggroed. He agreed that this was an important project and wanted to help make it reality. Since I didn't have time to build it myself, we decided that Steem Monsters should fund its development.
So Aggroed and I got to work writing up specs for the extension, what features it should have, creating wireframe designs, etc. Then we got the amazing @nateaguila to do the graphics and UI design, and finally got Mr. Steem Plus himself, @stoodkev to do the bulk of the development.
Introducing the Steem Keychain Chrome Browser Extension
Finally, the Steem Keychain Chrome browser extension was born! I have been using it actively while it has been in development for the last couple of months, along with Aggroed and some other people we brought in to help test it, and I can say with some certainty that this will change the way you interact on the Steem blockchain.
Take a look at the following video to see what I mean:
Using the extension I was able to easily view info and make transactions from multiple accounts, and interact with the Steem Monsters web app without ever compromising any of my keys!
Currently Steem Monsters and Peak Monsters support the Steem Keychain extension, and Steem Peak is working on adding support as well. My hope is that one day all Steem-based sites, dare I say even steemit.com, will support the extension as well, and the days of putting keys into websites will be over.
Current Features
The Steem Keychain extension currently includes the following features:
- Store an unlimited number of Steem account keys, encrypted with AES
- Easily view balances, transaction history, voting mana, and resource credits for all of your accounts
- Send STEEM and SBD transfers right from the extension
- Securely interact with Steem-based websites that have integrated with Steem Keychain
- Manage transaction confirmation preferences by account and by website
- Manage automatic lock settings to lock when the browser is closed, the device is locked, or after the browser is idle for a specified period of time
Website Integration Features
Websites can currently request the Steem Keychain extension to perform the following functions / broadcast operations (note that by default, users will have to confirm any transactions requested by a website, but they have the option to turn off the confirmations for specific operations and websites as desired):
- Send a handshake to make sure the extension is installed and running
- Decrypt a message encrypted by a Steem account private key (commonly used for "logging in")
- Post a comment (top level or reply) including a "comment_options" transaction for beneficiaries
- Broadcast a vote
- Broadcast a custom JSON operation
- Send a transfer
- Broadcast a delegation operation
New Features Coming Soon™
- Power up / down
- Manage delegations
- Manage witness votes
- Claim pending reward balances
- Support for Firefox and other browsers
Integrating with Steem Keychain
The code for the extension is all open source and available on Github here: https://github.com/MattyIce/steem-keychain
The readme contains instructions for Steem-based websites to integrate with the extension. If you need any help or have any questions / suggestions for integrating Steem Keychain into your site, please feel free to contact @yabapmatt or @stoodkev on Discord.
The Broader Mission
As you probably know, @aggroed, @stoodkev, and myself are Steem Witnesses. I can only speak for myself here, but I suspect that both @aggroed and @stoodkev have very similar thoughts and goals.
Beyond the standard work that witnesses are expected to do (which was brought into the forefront recently with the HF20 release), I think that each witness should have an overall goal, or mission, for the future of the Steem blockchain that they are primarily working towards.
For me, that mission is bringing more and varied apps to the Steem blockchain. I plan to go into this in more detail in my next witness update post, for which I am long overdue, but I am mentioning it here because I feel that the Steem Keychain extension is a critical component to that mission.
I am talking with some Ethereum app developers who are considering porting their apps to Steem, and they told me that almost all of their users use Metamask to interact with their apps and they were surprised to hear that Steem doesn't have something similar. Well now it does.
If you also support this mission, I ask that you consider voting for myself, @aggroed, and @stoodkev as Steem witness (and also support @nateaguila's posts as he is a talented and valuable contributor to this project and the Steem platform as a whole).
In Conclusion
Please keep in mind that this is a first version of a brand new product. There will likely be some bugs or other issues that we didn't catch during testing. We welcome help and constructive feedback from the community to improve the product and work to achieve the stated goal of completely eliminating the need to put private keys into websites.
In case you missed it, here is the direct link to download and install the extension in Chrome: https://chrome.google.com/webstore/detail/steem-keychain/lkcjlnjfpbikmcmbachjpdbijejflpcm We would also appreciate you taking the time to rate the app in the Chrome web store to help increase its visibility in searches.
Be free and Steem on!
@yabapmatt
Wow this is nothing short of revolutionary for the blockchain! Hopefully we see integration happen with a lot of sites!
Wow, who wouldn't wana try this out? Its an exciting introduction to the steemjet blochain to me and I bet that in no time a lot of people would embrace this.
As for the bugs, they should ve expected. But from the feed backs u would be getting from the users, you Wil be able to fix them all in no time.
Keep it up boss...
Man this is awesome and very much needed. I hate giving out my password. With all the security leaks across social network sites one can never be too careful.
Thanks for your teams hard work and its nice to see some of the profits of steem monsters going back into the steemit/steem ecosystem.
This is what I find so lovely about this. They earn and then make an effort to make the platform grow. Not like others that just line their pockets and isolate themselves in their little moneyhuts.
Posted using Partiko Android
Thanks for posting this. You have received a Preemptive Strike by one of our simulcasters, @johnspalding.
This post will be featured on our next LIVE broadcast. Typically we broadcast on Tuesdays at 9:30pm EST on the @vimm streaming platform. Check it out and come online if you are available.
I've been using metemask for eth for over a year... I'm applauding right now, this is just fantastic... I'm going to download this right now and maybe even write some thoughts on it too... Thank you Matt for busting your butt to make this blockchain a better place .. and thank you Aggy for your contributions
Posted using Partiko Android
I only use it for an airdrop.
Posted using Partiko Android
Amazing, this is just a passage to steem and every other dapps built on it. It is handful and a secure means to hide your passwords from countless number of website requesting for it.
Thanks to the team on this.
Resteemed!
Excellent. hardworking for the benefits of community. really an excellent group. thank you all.
Great work yabapmatt and Stoodkev. I'd love to implement this in some way with our DTUBE uploader.
Can't wait for this to come to firefox
Excellent job @aggroed, @yabapmatt and @stoodkev! Installed it and it looks good.
I've been using it for a month now, and it's made the experience so much more streamlined and enjoyable. The extra peace of mind is incredible too.
Huge shoutout to the devs on this. Highly recommend.
Can you use this with Steemit already? And Busy?
Posted using Partiko Android
No, not yet, but I know a lot of dapps will be interested. Peakmonsters and Steemmonsters are the only ones I know of so far.
I have been using keychain for the past couple days and it is awesome
We look forward to implementing keychain on https://steempeak.com we are big believers in it.
PEAKMONSTERS USAGE
Our partner site https://peakmonsters.com has already been using Keychain for over a month now and it's been a raging success. Specially with people who buy cards frequently it makes it much easier and we believe much safer. (unless you often walk away from your laptop in public places)
I just reviewed @steempeak in detail and really loved it. Someone really put a lot of effort in this project but it still seems undervalued. It would be really nice addition if you add this keychain on it and thus give users almost a perfect experience. Good luck!
Love hearing that!
I want all projects to use this key chain!
Posted using Partiko Android
GREATTTTTTTT, Nice. Thanks
Steempeak is really becoming the most dynamic STEEM UI out there, power on!
@jongolson, if you catch this, please consider mentioning Steempeak in a Savvy if you haven't already (I have not unlocked all videos yet -- which is another issue for testing, but more on that later).
for sure. it’s planned absolutely. i just don’t have a working knowledge of it yet. but will be diving in much more. thanks for the recommendation
Posted using Partiko iOS
Why Steem UI? I can't use normal Steem from there. Though the cards are based on Steem. 🤔
Posted using Partiko Android
Ah, perhaps you're confusing peakmonsters.com with steempeak.com itself? Steempeak is used for blogging. The most dynamic STEEM UI "for blogging" is what I should have said :)
great news!
I always thought that Steempeak was an alternate frontend for Steem monsters. Do they have different origins or are they branches of the same thing?
Posted using Partiko Android
https://steempeak.com = an interface/frontend for steem.
https://peakmonsters.com = A bulk Market for SteemMonsters with some other data insights
Wow, thats amazing, can't wait to use it! =)
This is one of these things that you never think about and then don't want to miss it as soon as you start using it. Awesome work!
Exactlyyy, that's how I feel. I didn't know I needed it until I saw this post. So cool.
Posted using Partiko Android
Wow great idea, Thank You for sharing this to us!
This sounds fantastic. I will surely install the extension and use it. Am sure it would be pretty secure.
Posted using Partiko Android
This is awesome! Thanks for adding value to the STEEM blockchain and better security for my money. I will start using this immediately.
Freakin Sweet dude!! Nice, clean and navigatable GUI. Shucks Yeah!
You be steady producind killer tools and utilities.
Thank you for your time.
This is truly amazing and great step towards better UX. SteemConnect v2 was already much better than SCv1, but your Chrome extension is a whole new dimension!
Thank you!
To listen to the audio version of this article click on the play image.
Brought to you by @tts. If you find it useful please consider upvoting this reply.
This is rad, Matt. Keep up the awesome work!
Wow, this is incredible. You may or may not believe this, but I was looking for a better solution for entering keys just yesterday, it's almost like you read my mind! But as you said, it's a common concern for everyone!
I'm not sure if this is possible as I'm not the best at technology lol, but would there be a way to integrate a maximum amount for transfers per day given the key that you entered? I'm not sure if that's something that has to be integrated on the private key level or not, but it would be cool if you could set some sort of limit in case of unwanted use/access.
Thank you for doing this!
For someone who's not the best at technology, you can sure build a team.
haha! Yeah, I've spent hours and hours playing SM and studying the abilities and playing matches to figure that stuff out!!! Thanks ;)
Hi, I wrote a post a week or so ago on how losing between 0-100% of curation rewards to the pool when you upvote a comment within the 15 minute window is an annoyance if you want to upvote comments in a live comment thread. Very often, I write something and get a reply back almost immediately (or in a time much, much shorter than 15 minutes). I'm big on monetizing engagement. But under the current rules, my upvoting immediately means my rewards go back to the pool instead of my conversation partner. That sucks but is easily remedied with 15 minute or so delay in broadcasting upvotes on a comment. Too often I forget to come back to upvote comments in conversations that I've had. It's also annoying to to have to wait and go back to a conversation to upvote. It's even more annoying to effectively lose part of your SP by upvoting immediately.
If websites are to integrate the Steem Keychain in such a way as to have it not only sign transactions but broadcast them on their behalf, I wonder if it would be a good idea to implement an optional 15-minute delay on Steem Keychain?
Wow so immediately upvoting a comment is essentially nothing but a waste of voting power?
Seems like a great UI feature would then be to have a time slider on the upvote menu in addition to the power slider. Therefore, I could upvote at 55% power in 13 minutes.
It's a waste of curation rewards. Let's say you exchange comments with someone and upvote each other's comments immediately. Before HF20, neither of you would get curation rewards for the comments because the author (your conversation partner) would get them. Now the curation rewards go back to the pool. Neither you nor your conversation partner get any curation rewards. Easily fixed with no hardfork by delaying the broadcasting of the upvote by 15 minutes, in which case the upvoter gets all the curation rewards.
Seems strange to implement that, dunno why you want people to burn things for voting too early. Is this explained somewhere?
Posted using Partiko Android
Before HF20, many authors would upvote their own posts immediately in order to minimize the curators' cut. Now that curation rewards from early upvoting go back to the pool instead of the author, immediate self-upvoting has become a loss-making strategy.
Posted using Partiko Android
Hmm, I now vote at 12min because most of the votes start coming at 13min. Am I breaking something? 😭
Posted using Partiko Android
You're doing the right thing by frontrunning at 12 min if what you're frontrunning is big.
Posted using Partiko Android
It's only the curation reward portion that gets burned (max 25% of the vote value if the vote is immediate). The other 75% still goes to the author as intended.
Will we be able to do custom transactions directly from the extension? I want do operations without middlemen. Steem-plus takes 5% mandatory beneficiaries if you launch beneficiaries from their extension. I want to create a more flexible tool but if you're doing it in your extension I can calm down about that.
Posted using Partiko Android
Matt this is awesome! You all did a terrific job and I love how you identified a problem and found a solution (especially when it comes to making it easier for the less complex people like me)... That is the kind of mind we need to add to all problems here on Steemit, and its exactly why I vote for you as a witness. You care about our experience and it shows in everything you do!!!
Really great work here @yabapmatt. Thank you
Finally publicly released :)
That's an awesome tool guys!
I can see in the source code that the tool is tied to https://api.steemit.com, are you guys planning on adding a way to plug it into the testnets and more generally to the other full nodes? (like metamask, a simple dropdown list)
Ah yes, I totally forgot to add that in the list of future features. Definitely want to allow users to choose the node it connects to. Also want to add support for additional tokens and sidechains which i've heard some awesome developers are working on :-P
Awesome :)
Do you think they hold our keys on their servers without any encryption? That would actually be kind of sad.
Best Regards,
Mysteor Team
No they absolutely do not keep the keys on their servers at all (or they shouldn't). All operations are signed in the browser, however that does not mean there are no ways that the keys could be stolen if the servers hosting the site were hacked.
You got a 86.17% upvote from @postpromoter courtesy of @steemmonsters!
Want to promote your posts too? Check out the Steem Bot Tracker website for more info. If you would like to support the development of @postpromoter and the bot tracker please vote for @yabapmatt for witness!
It is really risky to share your posting key.Is there any other way @yabapmatt to avoid it from sharing?
Another day, another fantastic development here. :) This makes life so much easier.
Thank you for your work on this and I sure appreciate that it offers a faster and simpler option. I'm not technical, so I don't understand a lot of these things, but my understanding is that browser extensions are not really that secure either. I've always been told it is kind of sketchy to use your password with an extension. Am I wrong there?
This is an important conversation so thank you for bringing it up. As far as I know the security concerns around browser extensions primarily come from fake extensions being listed in the stores that impersonate real ones to steal keys. As long as you are careful to only install and use the legitimate version at the link i shared above there should be no security concern.
I think the fact that Metamask has been widely used for storing Ethereum private keys for a long time now shows that browser extensions can be a secure and user-friendly way to transact on blockchains, and we have built Steem Keychain to work as similarly to Metamask as possible.
With extensions you are placing a large amount of trust in the developer and the codebase. For example, the extension requires permission to:
Hence, a malicious developer could not only steal your Steem credentials but possibly even other types of personal content.
I happen to know @yabapmatt is not malicious. However, there is still the possibility that his account gets hacked and a malicious version of the extension is released to the Chrome store. I'm not sure how common this type of attack is and what sort of screening extensions undergo to prevent this.
So in summary, browser extensions can be secure, as if implemented properly they perform all sensitive tasks client-side, which is good, but also can easily leak sensitive data should they be poorly engineered or created/hijacked by an attacker. Please add to my understanding if it's incomplete.
All good, valid points. There's really no situation where it's completely impossible for keys to ever get stolen. I will say that the extension purposely never stores the owner key or master password for accounts, so if there were to ever be a hack, while that would certainly be bad as active keys and liquid funds could be stolen, it's a much easier situation to recover from since you can just change your keys and not have to go through the account recovery process.
I believe this is still more secure than the system being used now where if any of the sites into which people are putting their keys are hacked, many master passwords will be stolen.
Much more secure indeed in this era of middlemen. I just wish browsers had a much heavier emphasis on security in order to facilitate these tasks with the biggest convenience:security ratio.
Posted using Partiko Android
You have a ability to download the extension to your harddrive and tell Chrome to load it locally. Your copy of the extension would then be updated only when you update the code manually
And how do you download the extension to local HD?
Hi @haejin
The following instructions have been written for a Mac computer, but for a Windows computer, it's very similar:
Documents/steem-keychain-master
chrome://extensions
Documents
steem-keychain-master
To upgrade you will have to download and unzip again and overwrite the files on your local harddrive then go back to
chrome://extensions
and click the circular arrow icon to reload the extension. Verify its version number to confirm the upgrade.This is what Chrome extension developers do to test their extensions before uploading it to the Chrome Web Store.
Thanks! Very helpful!
Would an upgrade wipe out prior entered keys?
If one had used steemconnect or entered keys via cop paste in the past, should new keys be generated for the Key Chain; in the event steemconnect or steemit inc. get hacked?
An upgrade should not wipe the entered keys if you don’t remove the extension prior to the upgrade.
I have not checked how the extension stores the keys but beware when you clear the browser’s cache as it might also clear the keys depending on the cache clearing options you checked.After checking the extension and testing on another computer, it seems that clearing cache does not clear your keys from the extension, to remove all store keys, you would need to remove the extension itself.To my knowledge, SteemConnect (from v2) does not store your private keys, it uses you active key to grant posting authority to the dapps that was using SteemConnect. The key is not needed later on when posting or upvoting. The private key is still requested for each transfer or settings request. Utopian got hacked in the past, the hacker could not retrieve the keys because there was nothing to retrieve, they could only use the SteemConnect token to perform the upvotes. If SteemConnect get hacked, just revoke your tokens.
However, if you want to be 100% you have not leaked your keys somehow then yes, go regenerate them. I still recommend you kept your owner key somewhere else safe.
Posted using Partiko iOS
Do you know which option that is, so that I can look out for it if I decide to update or erase cache?
Posted using Partiko Android
I've updated my comment above, but it seems that clearing cache didn't remove the keys but removing the extension from Chrome does.
Thanks for the detailed explanation Q. I'll look into it and follow your instructions. 👍
You're welcome :-)
Do you develop chrome extensions?
Posted using Partiko Android
I do occasionally
I wanna :D
SoonTM
You are completely right. The safest way is compiling the extension yourself as has been explained elsewhere on this thread.
Posted using Partiko Android
Will it also be used for SMTs like metamask allows for erc20 tokens?
Posted using Partiko Android
Absolutely!
Same worries for me, i wonder if other extensions can see what you are doing if you granted them permissions like "Read all actions, websites, etc.."
Posted using Partiko Android
They definitely can. That's why you have to limit your extension usage and use only trusted and essential ones.
Posted using Partiko Android
The risk exists, indeed, no matter how small. Safest is to make an effort with your own security measures, but this extension sure is more secure than most things we normally use and makes it mal very easy and convenient.
Posted using Partiko Android
What you say is so true! I had been using Steem for many months before realising that I shouldn't be using my master key! And I'm quite tech savvy and pretty careful about internet security!
This is a crucial development not just for Steem but for the cryptocosm in general (see George Gilder's Life After Google)
Steem has an excellent key heirarchy of posting, active and master keys but they weren't being used properly by most users.
Please add a Brave plugin ASAP.
It's the fault of the frontends. They promote this behaviour. The focus needs to be changed and they need to forbid master passwords and require active keys.
Posted using Partiko Android
Awesome stuff, love the UI :) @vimm take note!! Colors!
2 thumbs up yaba daba dooooo
@yabapmatt
Wow great job! Keep it up! Do you have plans to develop something like this suitable for mobile devices?
Posted using Partiko Android
Maybe we need some instruction on how to download for the non-technical steemians.
Open Chrome
Click this link: https://chrome.google.com/webstore/detail/steem-keychain/lkcjlnjfpbikmcmbachjpdbijejflpcm
click install
Shows up as a little keychain icon in the top right. Click the icon to use it.
It will ask for master password to get your other keys but doesn't store the master password.
Thank you very much.
This will be of a great help to many steemians.
I don't trust Google stuff. Is there a way of using it on Tor browser?
I remember you and aggroed mentioning the wallet months ago on the msp show. Glad to see it has been tested and ready for use! Only downside for me, now I have to use Chrome 😕 .
Thank you (and team) for this awesome feature. The few seconds spent looking for passwords can now be better utilized battling. ;) In all seriousness, you've spent an incredible amount of time developing and in this case, writing out the specs for Steem Keychain.
Having spent countless hours reading and writing simple technical specs myself at work, I can attest that it takes considerable time to write down all the details so others would be able to understand. So thank you for gathering the methodology so it can be coded into this finished product.
You can also use Chromium, which is completely open source. Chrome contains some proprietary add-ons, but nothing I've found that I actually use.
Issue is more laziness with having to re-bookmark and install ad blocker, etc. :)
I should be moving over to chrome or chromium anyway since my GTM web sessions never want to work on firefox. Steem Keychain is a good reason to take that step. Thanks @dhimmel! I'll take a look at Chromium.
What is gtm?
Posted using Partiko Android
oh, the GoToMeeting online software. We use it for conference calls and screen sharing, but it doesn't want to connect on my firefox when I work from home. It's fine with chrome though, so all the more reasons to switch.
Is it better than Skype and Discord or is it just used because of corporate convention?
The corps I've been with use GTM and WebEx for online meetings. It's convenient for sharing your screen with others, especially for a training or tutorial session.
Discord and Skype is more catered for social media; DM, voice chats, video chat, but I don't think it supports screen sharing. Some companies use skype internally to communicate with each other, but when it's a conference call with third-parties, I mainly see GTM or WebEx being used.
(They both support screen sharing)
Seems like these are apps specifically designed for corporate use and I assume they're easy enough to use for the average user to approach. I imagine that this is tied to dedicated IT services and other corporate support that makes them attractive. I'd have to test them to see if they're better. Skype was particularly heavy. I've seen easier, faster and more effective screen-sharing software. I haven't tried Discord's but I read somewhere that it does have this functionality.
Huh, did not know that about the screen sharing. Never used skype and discord for anything else other than social media.
It is more for corporate use because it does cost to use them. I believe licenses have to be purchase for use. I've only used them at work. Oh, maybe webex a few times back in college for projects, but the privileges were given by the school then too.
Way back in the days when it cost money for long distance calls --the clients I worked with liked having the toll free number to dial-in. I think it's just corporate norm to use one of these now. It's reliable. Clients are not always the most patient bunch.
Exactly! That has been my experience with corporate software, too. I used free versions and all at first until I started being a tiiiny bit late for a few deadlines and not quite being able to do some things.
It would have been alright for me as a normal user but clients don't change their minds. They don't want to install new things or be flexible. They just want things done quickly in what they believe is the best way. So I just had to adapt and use the corporate licensed software and it always worked right for me and I delivered the best for the clients.
(I'm talking about MemoQ and professional translations.)
edit: Though, sometimes, there can be better software. In our case, MemoQ was particularly great, but it was an old-timer. The industry standard was another one, I can't recall its name, but our clients were already accustomed and it was absolutely impossible to change the software we used.
Same goes for messaging. Slack would have been better but we used Skype because ¯\_(ツ)_/¯. When people are accustomed to things, and it gives you money, you just do exactly that and earn your monthly allocation of goodies.
Will this work with the Brave browser? I think that's the one we should all be using eventually
I concur.
I occur.
Posted using Partiko Android
Apparently in the current version of Brave installing Chrome extensions is a bit wonky but this should improve with the upcoming Brave 1.0 release. More info in this Reddit post.
If you use adapters you have to trust the adapter too, not only the original application. If it's independent, sometimes cross platform opens the doors to vulnerabilities. You should be careful and use things in their intended environments unless you understand the technicalities of each change.
Posted using Partiko Android
Why do you think we'll have to use that browser in the future?
Posted using Partiko Android
We won't have to use it but I'd rather use a browser that can reward content producers and pays me for use of my data.
Posted using Partiko Android
Hmmmm. I haven't seen a reason to switch. Is Chromium any better in any respect? It still requires a Google account to sync and things like that, so it's still very dependent on proprietary services.
Posted using Partiko Android
I switched to Chrome a while ago and I really like it. The hardest part wasn't my bookmarks because they synced. It was getting accustomed to things being in different places and behaving in unexpected ways. But now I'm accustomed so everything is fine.
I love that memory in use is better compartmentalised, so if you close a tab, you recover the ram allocated to it. Firefox is much more wasteful with your resources.
Posted using Partiko Android
I used both Chrome and Firefox years ago but can't remember why I stuck with firefox. Thanks for the input. I haven't had a chance to move over yet but it is on my list!
I've always been switching because both are really great! I preferred Firefox a few months ago because it was much lighter than Chrome, but then it started being slower, so I switched to the then-faster Chrome, and now it's the inverse. I don't know. Software is crazy sometimes.
I think that was likely my reasoning too. I remember it was chrome that was faster, then it became mozilla. Now who knows; I don't have the time to surf as I used to before. Definitely crazy softwares!
Great job guys, congrats.
Hey, guys, it's really cool that you developed this extension. So far I've always stored everything as a custom text field in my password store, but it never worked that way.
However, it would be very cool if you could release it as your own Firefox extension. There is Chrome Store Foxified, but I don't trust it that much.
Thxalot,
JanSe
I'm also curious to know if the extension will be available on Firefox as well?
Great dev and contributions though, thank you @yabapmatt, @aggroed, @stoodkev and @nateaguila, fantastic work!
Cheers
I'm sure it will come but much later.
Posted using Partiko Android
Aaaaaa I always do the same! I open a Keepass document and the custom description has my posting and active and memo and owner keys.
Posted using Partiko Android
Yabapmatt, for sure 100% fantastic but i have a fear with these extensions. Is there any possibility that another extension can see what you are doing? Some of them are granted "Read all actions, websites, etc.?". As a developper, can you tell us it is 100% safe?
Posted using Partiko Android
This is actually yet another reason why using an extension to store your keys is better than putting them into websites. As far as I know extensions cannot access any data stored by other extensions, but they can access data on websites, as you pointed out. So if you copy/paste your key into a website like steemit.com or Steem Connect, then a malicious extension could steal it, but a malicious extension cannot steal it from the Steem Keychain extension.
I get it, so true! Gratefull thanks for replying. We still have to be carefull off course, another extension could do phishing, mimic same behaviour and one step up in the OS hierarchy, any process can read all our keystrokes but yes, it is better than anyhing we have now and difficult to do better, thumbs up @yabapmatt, thanks, thanks, thanks!
Posted using Partiko Android
Yes, phishing is always the biggest problem, so you must always be very careful about that!
Great addition. Still. I trust my savings wallet more then anything. 😀 goes and hides more stuff there
@yabapmatt, Really appreciated and i agree with your point where you said most of the people are using the Master Key, and in my case I've also used Master Key for six months after joining. So Safety Of Keys are vital because we are Managers of our account for sure. And now great to see that you'll put your efforts and came up with this awesome Extension Tool called Key chain. Wish that everyone will going to find it productive and in the Tutorial it's really proving what it's meant for. Keep up the great work.
Wishing you an great day and stay blessed. 🙂
Nice job Matt! Good to see it finally go live!
Posted using Partiko iOS
Great tool man! I have had the same exact feelings about having to enter my key into these other tools. Thanks!
What an amazing extension!
I hope that most of the dapps of the Steemblockchain integrate it.
Steem is really lucky to have people like you on board!
:)
What about Firefox browser?
I mentioned in the new features section that we plan to add support for Firefox in the future. Will try to get that done asap!
This is a great tool indeed!
Great tool. Hope it will serve its purpose.
Halp sir, wen firefox?
Ask @stoodkev :-P
When moon
Posted using Partiko Android
Great work and very highly needed Web Application for Steem. Do you think that this also will work for the Brave Browser?
Please make it also compatible for the Brave Browser that would be amazing!!!
Amazing, was waiting for the day when STEEM would have a browser extension wallet similar to ETH...bravo guys!
Appreciate you work. Thanks for your effort!
Wow this is so amazing. Cos I dread to give out active key or master pass. Gonna look into this more.
Posted using Partiko Android
Wow this is so amazing. Cos I dread to give out active key or master pass. Gonna look into this more.
Posted using Partiko Android
Hoping this project to yield good results.
Fantastic!
TIMM wants this.
Are there plans for a desktop app? Work with less invasive browsers?
Finally, someone came up with a solution that is actually a BIG relief! @yabapmatt, You're awesome!
Damn, this is some well needed innovation! Thanx for helping secure things for Steemians!
Great work, and great work gets voted for!
How do you do great work to get votes? Can I do work and say its great in the title and it becomes great?
Posted using Partiko Android
Your post had been curated by the @buildawhale team and mentioned here:
https://steemit.com/curation/@buildawhale/buildawhale-curation-digest-10-18-18
Keep up the good work and original content, everyone appreciates it!
How would this work with iphone/android apps?
Very Great Job. I will looking forward to.
I will look forward to too.
Posted using Partiko Android
😎💪🏼🙌🏼
Absolutely brilliant work, again, Matt!
Posted using Partiko Android
helal sana dostun kesınlıkle muazzam bir çüzümleme
This is great! I'm going to work on making my dApp project compatible with this. Way to go. You have reinforced my confidence in you as a witness.
Have you plans to introduce this extension for other browsers?
Opera Firefox?
That's great.
Next step would be hardware steem keystores I believe.
Well I learned a few things here:
Every day's a school day.
Haha every app is a 3rd party app. Steemit is a 3rd party app. :D
Blockchain isn't easy.
This is a fabulous idea! I hope there are plans for the Opera and Firefox browsers, too!
thank you for your hard work in trying to make the experience more convenient and safer for the user 👍 looks great
This could change everything! So glad someone's working on this! I look forward to the progress!
@bitsy :)
Brave browser extension cannot come soon enough
This is a massively useful new tool and shall replace any centralized password manager one might still use to handle Steem keys. Thank you for bringing so much development forward to the Steem blockchain. It is incredible what you guys pull off. Looking forward to your witness update!
I hope that the Brave Browser will include your extension. As it is build on Chrome it should already be entirely compatible and can be hacked into the browser by replacing one of the default extension folders.
wow, really cool. Great job, love it! ;) huge step for steem! :)
Must have extension! Do you have any plan to build the same extension on Firefox? Thank you for your efforts
Very good! The concept is sound and I like the colours :)
Would there be a way to auto populate the plugin data after account registration? This would make it really easy for normies to get plugged into the steem blockchain without even touching a key lol. Just show them a page to print their keys.
That is a fantastic idea!
😉
Awesome, though this might worry some people about the safety of their usage because they will see that websites and extensions are not isolated but can take from each other without explicit authorisation.
Posted using Partiko Android
What kind of things do you invent, Mr inventor?
Posted using Partiko Android
Sir, Is it safe to hold Steem in the form of SBD in our steemit accounts
this extension will help users in many way and for you i believe theire will.be no issue with the security . How much i work i know enough that you are 100 percent trusty.the only thing the user should be careful to install the real version and the one you shared here . Thanks
sounds great. I had another method of typing in the private keys, but if it works, this would be perfect.
How long has it been out for?
Well done!
I heard of this extensions few weeks ago but didn’t get to try it out until today.
It works nicely and I’ve already integrated it with @smartvote dApp. It’s currently on our test environment and will be released to https://smartvoteservices.com when ready. It will perform posts, upvotes, delegations and transfers via Steem Keychain when installed and fallback to SteemConnect otherwise. A next step would be to let the user know they can install Steem Keychain for more security.
Thanks for making this Extension for the community
Dope
Hi @yabapmatt!
Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 8.134 which ranks you at #26 across all Steem accounts.
Your rank has not changed in the last three days.
In our last Algorithmic Curation Round, consisting of 329 contributions, your post is ranked at #1. Congratulations!
Evaluation of your UA score:
Feel free to join our @steem-ua Discord server
So, would you recommend generating new passes since steem-connect and steemit Inc. server hold our keys on their servers? Thus generating new passes would allow greater safety since even if steem connect and steemit inc get hacked, it wouldn't matter. Thus making the keychain more effective.
Also, does send work with #privacy send?
Definitely, but where will you post from? Steem and Busy haven't implemented this extension yet. When you find a place to post from and do operations from that accepts the plugin, then reset the passwords.
Posted using Partiko Android
I believe they will be implenting the key integration soon.
It would make sense, but at least Steemit isn't known for quick adjustments. However, since they're open source, I would as well expect for people to propose the changes by themselves. Do you have information regarding the current development status?
I think @yabapmatt has the most details on such updates. If you follow him or @aggroed, his partner; news of new updates should be coming out.
I'm pretty sure that they do not store keys and only give a specific account a authentification to post under your name, even if they get hacked, nothing should happen, if you remove authentificated accounts. Of course, if hacked, it could be used to phish newly entered keys.
Yes, that's what I thought. Thanks for the confirm.
Great, will this work for Chrome on Mac OsX as well?
Why are you not using @utopian-io if it is Open Source? :)
This has been so needed for so long! We need to make this simple for new users, so they can join steemit and have a safe journey!!
Good job, resteemed!!!
this is so useful. much easier. thanks for this mate.
I need to learn how to make money on here people i could start posting alot more often???
This would be very useful, I ideally I save my passwords into my browsers such as Safari, I but I can see why this would be thoroughly useful, because it also acts as a wallet.
Posted using Partiko iOS
Really great work here @yabapmatt. Thank you
Posted using Partiko Android
Just watch my articles new here no need of any likes or comments just see them to make millionaire mind set
My I suggest a feature?
Maybe Steem Keychain or Steem Plus could inject a JS code in Steemit.com condenser and when someone clicks on a steemconnect link, it would parse the link to extract parameters and trigger a call to Steem Keychain instead.
Great tool, resteemed :-)
I resteemed your comment 🐼🐼🐼🐼🐼🐼🐼🐼🐼🐼🐼🐼☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️😜😜😜😜😜😜🚷🚫🚸⛔🛄🛅
Posted using Partiko Android
It's not possible to resteem comments :-)
OMGGGG I thought it was obvious I was making a joke. I wouldn't expect anyone to believe that. Such a big vote wasted in vain :(
Posted using Partiko Android
Flag removed, was a joke :-)
I mean, for real, a 50000 SP flag because you didn't like my bad joke 😓😓😓😓😓😓😓😓😓
Posted using Partiko Android
Thanks for the contribution you make. The information is of great interest.
Awesome!
Posted using Partiko Android
Great work! This was really needed, very user friendly and nice UI
thanks for sharing @yabapmatt! downloaded and installed.. walking through it now :)
Thanks for the good instructions. You opened for me "Keychain".
Congratulations @yabapmatt!
Your post was mentioned in the Steemit Hit Parade in the following categories:
You've made the Steemit Minute for today! Congrats!
Check out the Video Here: https://steemit.com/news/@reseller/ugj8oggd
Three cheers to the author for the dedicated effort, this is kind of a savior to the steemians to get more secured on the web.It would be great if there is an option for a widget or a plugin to make it more user-friendly.
It seems like a handy tool. I'll follow you to keep an eye on what is new with Key Chain.
Fantastic! We are lucky to have you!
This is a nice idea and good implementation. It's even asthetically pleasing.
The only thing I worry about with applications like this, is it requires me to trust you (not that I don't). At any time you could release an update and acquire people's keys could you not? You state your issue with that concept with regards to steemconnect etc, and it's a legit gripe. Keeping the keys local, and accessing through the browser is better, but does it really solve the trust issue?
Well if you are concerned about that (which is a legitimate concern) you can always download the extension code from the Github repo and just install it locally rather than getting it from the chrome web store. That is definitely not an option with Steem Connect!
Touche!
Distrust is the building block of society.
Posted using Partiko Android
It certainly inspires progress
Seems like password restriction will make people forget their password unless they write it down.
Thisssssssss, I logged in just to agree. I use passphrases and more memorable passwords! I don't need upper case or special characters when I have a 30 character long passphrase.
Posted using Partiko Android
hello @transisto can you please tell me why are you boosting this shit with a big amount? https://steemit.com/funny/@steem.lol/elizabeth-pokahontas-warren
Türk yokmu burlarda yav
Excellent article, I never thought that there was another way to work with these keys. It is an excellent idea and a great post. Congratulations and many successes.
It's my understanding that SteemConnect is just as trustworthy as your keychain. The point of it being a website is that it's accessible across all devices and operating systems. My understanding of SteemConnect is that they never see your private key. They use your key to create a permission token on your device.
And what happens if the contract is meant to steal your money? We can't really vet any of those transactions that pop up for legitimacy. We just trust that they do what the website told us they would do.
When it really comes down to it one has to trust the code. We expect that if the code is malicious a white hat will whistle-blow on it.
I would really love to be corrected about SteemConnect or why this service provides more security. In the link above I concluded that a browser extension would be a great way to provide the illusion of security...
However, why did you make your own product when you could have just extended SteemConnect into a browser extension? It's all open-source.
It is true that SteemConnect never sees your key as it is currently built, but since you are entering your key into a site served by them, they have access to see your key and could see it if, say, someone hacked their server and modified it to do that, or if a malicious site posed as steem connect in a phishing attempt. With the browser extension websites will never get access to your keys in any way, so even if you visit a malicious site or a legitimate site gets hacked, they will never be able to get your keys.
That's the difference. It's not perfect, and it doesn't mean that you don't still need to be careful with your keys and what transactions you sign. But in my opinion it is a significant improvement over SteemConnect when using a browser that supports it (only Chrome and Brave right now but more to come).
As far as extending SteemConnect to an extension, that's not as simple as you have made it sound. They are very different products built to do very different things. I believe it was the right call to build this extension from scratch to do what we wanted it to do rather than try to modify SC to do something it wasn't built for.
Thanks for explaining it to me! It's nice to see someone literally introduce a solution to the problem at the same time that I brought it up... lol. Nice work!
Minnowbooster.net will support Steem Keychain very soon TM!
Do. You represent minnowbooster?
Posted using Partiko Android
Yes I do represent Minnowbooster.
Thanks for sharing this new topic about Google chrome extension because it's very easy to do many transition by using one browser and also do other work.it also highly secure and easy to use thanks for this sir.
http://t.me/btc_ticket_bot?start=538959402
thank you, really good effort. Hopefully the other dapp steem will immediately apply.
I used this on chrome and it works well. Hope we have Firefox and Brave browser versions soon
Posted using Partiko Android
Oh I can't wait to read more about this.. yes this is something I have wondered about myself. Thanks to the community and take you to the developers! 😁
Posted using Partiko Android
와우, 우리와 젊은이들이이 글쓰기와 같은 정교한 발명품을 사용하는 것은 매우 흥미 롭습니다.
Wow, this is very interesting for us and young people to use sophisticated inventions like this writing.
This is great!, any plan on creating one for other explorers like firefox or opera?
Hello Steemains Join Our Contest . Read Post to Participate .
https://steemit.com/steem/@wattoowhale/10-steem-dollar-sponsored-upvoting-contest
This is looking pretty nice!
To my knowledge, SteemConnect (from v2) does not store your private keys, it uses you active key to grant posting authority to the dapps that was using SteemConnect. The key is not needed later on when posting or upvoting. The private key is still requested for each transfer or settings request. Utopian got hacked in the past, the hacker could not retrieve the keys because there was nothing to retrieve, they could only use the Thank you for your work on this and I sure appreciate that it offers a faster and simpler option. I'm not technical, so I don't understand a lot of these things, but my understanding is that browser extensions are not really that secure either. I've always been told it is kind of sketchy to use your password with an extension. Am I wrong there?
is really nice. it should it make more secure and save from copy + paste fails. It should for most people really usefull.
( btw its nice for steem Monsters :)
Really good work.
This sounds like an absolutely incredible idea. Thank you for sharing it. I know several people who aren't very confident with Steemconnect and other things. And it was a hassle to keep having to post either private key or active key when I wanted to do different things.
Great initiative!
Waiting for a day when you declare that you have revoked your authority to SteemConnect. May this extension be used everywhere!
For Metamask, it's available for multiple browsers ...including Brave. Hope this one too follow that!
Nice work, but i would like to use my password. if i have to remember another obscure one, its a :( for me
Perhaps in future releases?
Any chance this can be incorporated into Brave?
Nice work. I am ready through the code and try to do a security (specially the cryptography) audit. I already have some suggestions.
Very useful project in good design! - Hier gibt es eine deutsche Übersetzung: https://steemit.com/deutsch/@zeitspringer/metamask-fuer-steem-wie-verwalte-ich-meine-steem-wallet
Wow @yabapmatt @aggroed @stoodkev @nateaguila
You all are absolutely amazing. This is incredible work you are doing and all for the benefit of the Steemit community. I am absolutely amazed at how hard all of you work to make this platform great. Super stoked to be part of such an incredible community. Keep up the wonderful work!
Now that IS a very handy extension!!! Thanks for that!
Hi, yabapmatt. Here to see a man about a password.
Thank you for writing this @yabamatt. Just received a link to it early this evening.
Is there any possibility you and your team would consider putting the time into making an extension like this for the Brave browser? I personally do my best to stay away from Google and Chrome, as much as possible.
If you are not familiar with the Brave browser, I would encourage you to check it out. It seems a much truer development path to take, when considering what we are all hoping the crypto asset class will become. I place a high value on protecting my privacy and Brave does that very effectively. Plus, it has built in support for the BAT token, which has being doing well of late …
Thanks for your time and consideration!
Very awesome and useful! Upvoted!!
Thanks, this is a clear and obvious evolution. I hope it catches on. (Shameless plug) This is what I wanted for https://github.com/NateBrune/Steem-Wallet but never did it. Congrats my man I hope you keep updating this! :)
Nice! I'm in the middle of developing something that would require repid transaction fire and Steemconnect just wont allow it instead of redirecting the operation to another page every time. This is what we need!
Any chance it can be checked to work with Firefox. In this mobile first era that would be a massive step forward since many people, especially in development nations, don't have a desktop anymore.
Posted using Steeve
Looks like a great idea. I just added it to chrome and will be testing it out. I would love it if we could get our keys saved on a device like a hardware wallet like a Trezor (that is what I have) or a Ledger wallet. Hope this might be the next evolution
How different is this from Lastpass or 1Password ?
Good to know, that's the only way I could even consider installing this.
It's a good idea by the way, make me think in the potential Steem still has for the future.
A little late to the party, but I really appreciate this tool. Hopefully the other browsers will be supported soon! Relegating folks to Chrome is understandable, but still a bummer.
How about making it a desktop app like Scatter has done? Better yet, get with Nathan James and integrate them somehow?
I've supported @aggroed with my witness since he got started. Thanks for highlighting your work here, as well as @stoodkev. Both of you were just added.
We'd like to use something like this and Scatter for subscription services on @TIMM and @Scripsio. It's easier said than done.
Hey @yabapmatt Question about the Steem Keychain. Might you be making a firefox extension? I am trying to stray away from google entirely and looking for completely alternate browser/search engine options.
There is already a FireFox version: https://steemit.com/utopian-io/@yabapmatt/steem-keychain-update-firefox-version-now-available
You can also use the chrome extension in both Brave and Opera browsers.
Awesome thank you Yaba. I have been unable to get brave to work on my PC. It locks up as soon as I navigate away from my main monitor (I use a dual monitor setup). That is the browser I want, but cant use. I'll go try this out, thanks again. I appreciate your time man!
Posted using Partiko Android
I want to ask how to login to play the game https://steem-bet.com
good contributiion
Bit late to the party but coming back to steem dev and noticing how Steemconnect requires already logged in user to yet again enter their keys into an app just to do transfer is mind boggling. Thank you for your great work in this ecosystem and I'll be looking forward to integrating this service!