Repository
https://github.com/steemscript/steemconnect
I've filed this issue on Steemconnect: https://github.com/steemscript/steemconnect/issues/365
Components
- Steemconnect login process
"Security is key for the Steem ecosystem."
This is a very important suggestion for Steemconnect key security in the login process, relevant to all major dapps (e.g., busy, steempeak, esteem, partiko, dpoll, steemhunt, tasteem, ntopaz (artisteem), etc.) that let users post or vote in the app.
Steemconnect login should use the posting key (instead of the active key) for logins after the initial authorization process. If the active key is stolen, all of your Steem and SBD can be stolen and a power down can be initiated. Login shouldn't require the active key again and again.
Proposal Description
Background
Except for steemit.com, the official front-end where most people enter their keys with confidence, Steemconnect is the most popular way of authorization and login for Steem dApps, e.g., busy, steempeak, esteem, partiko, steemhunt, tasteem, ntopaz.
Let's say someone offers a new Steem-based app that requires your key. You'll be hesitant to enter even your posting key.
That's why Steemconnect is so popular. While there are still some trust/security issues, we basically trust this open-source authorization method, which is supported by Steemit Inc.
To use Steemconnect as the login/authorization method, we first need to authorize our posting right to each app. For instance, to use busy.org, the posting right should be authorized to busy.app as follows:
This is to avoid entering your posting key every single time for transactions that require the posting right, e.g., commenting and voting. This is absolutely fine; we've already decided to trust Steemconnect by authorizing the posting key to them.
What's the problem then?
active key for every login after the initial authorization -> wrong!
Most dApps still require the active (or higher level) key for login after the initial authorization. I initially thought, for Busy for instance, that it might be to skip further verification for transactions that require the active key, e.g., transfers/power up. But those transactions require users to enter the active key again! Which I believe they should! I mean, saving the active key right is too dangerous. So requiring the active key again at login is clearly not for saving the active key right. Then why?
It's just because they use the same logic for every login! Since the apps need transactions such as comments/votes, the app is asking for posting key right authorization again, which requires the active key!
This is an obvious misuse of the keys. By authorizing the posting key to the app, the app can do (on your behalf) whatever you can do with your posting key, e.g., voting, commenting. That's how Steempeak, for instance, can do scheduled posting even after you log out! The app already has your posting right. So what they actually need after the initial authorization process is only the verification of your identity, which can be done with the posting key.
Of course, if you're using your personal computer, the Steemconnect login session can be saved so that you no longer need to re-enter your active key. However, if you use a different computer/phone/browser, or your session somehow expires, then you need to enter the active key again!
I truly believe that this is quite dangerous and a misuse of key rights. (I'd even like to call this a security bug, but everything is working (with an unnecessarily stronger key), so others may not agree with this.) With the active key, hackers can withdraw your money, power down, etc.
Users should be able to log in with posting key!
After the initial authorization, users should be able to log in with their posting key.
Is that even possible?
Some people may think this is impossible. Some people may believe it's possible, since steemauto actually requires only the posting key for login after the initial authorization. But since steemauto itself doesn't have a function for users to post or vote in the app, some of you may still think this might be impossible. But do you really think it makes sense that steemauto can vote and post (by scheduled post) even without your login, yet steemauto would require your active key when you want to vote and post while you're actively logged in (hypothetically, of course)? This really doesn't make sense.
For those who still don't believe that it's possible to log in with the posting key, I'll show a workaround in the Mockups / Examples section. Thus, the job needed is to allow login with the posting key for an app that is already authorized with the posting right.
Why is this happening?
I don't know, but maybe Steemconnect doesn't have a proper way to do this (except for the workaround that I'll explain), or maybe the documentation isn't good enough, so even if there is a way, it misguides dapp developers into requesting the active key again and again. Busy is a good example, since fabien at Steemconnect used to work for Busy, so we can expect that Busy is using Steemconnect in the right way. But, unfortunately, Busy also requires the active key. As far as I have tested, all apps where users can vote and post with the app require the active key.
Mockups / Examples
Initial Authorization
typical Steemconnect dialog for login (e.g., Busy)
As it says, it requests you to authorize your posting right to the app, so if you continue, you'll see this.
You need to enter the active key to authorize your posting right to the app.
Again, this is fine and necessary for initial authorization!
However, after that, say you use a different browser, or Chrome's incognito mode or such, then you see the same dialog and you are asked to enter your active key again, which shouldn't be the case.
Workaround
One workaround that I have found is as follows:
First, make sure that you have already authorized your posting right to an app, e.g., busy.app.
Use a different browser or incognito/private mode to make sure you're not using the previous session. (If you're curious, try to log in to Busy and you'll see that you need to enter the active key again. But don't log in, so that you don't save your session again.)
Log in to some app that only requires your posting key from the beginning. https://steem-ua.com/ is such a good example: it has a function to show your UA score that requires login with your posting key.
https://steem-ua.com smells like they'll only check your identity.
And indeed, they only require your posting key.
Now go to Busy.org and you'll use your saved Steemconnect session, which you only entered with your posting key, as follows.
If you click this (I mean yours), you can use Busy without any problem. Why? Because you already authorized your posting right! Why twice? Why every time? This workaround is proof that you should be able to log in with only the posting key afterwards.
I'm also a developer, so I also tried to resolve this problem on my own. Which key is needed depends on the scope: for instance, scope=login requires only the posting key, as in steem-ua.
However, if I just change the URL to scope=login, i.e., if I log in with the following URL:
https://app.steemconnect.com/oauth2/authorize?client_id=busy.app&redirect_uri=https%3A%2F%2Fbusy.org%2Fcallback&scope=login
then it allows me to log in, but I can't vote, as follows.
Basically, Steemconnect only provides the rights you request (login, in the above case) even if you already authorized your posting right to the app. This makes sense, since there can be such a use case, so I'm not saying this itself is wrong. But the main point is that there should be a way for users to log in with only the posting key after the initial authorization.
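The two technical pieces above, the posting-right authorization in the Background section and the scope-dependent key requirement of the authorize URL, can be put together in a small worked example. This is an added example and not Steemconnect's, Busy's or the post author's code: it models the authority structure the Steem blockchain returns for an account (posting/active, each with weight_threshold, account_auths and key_auths) on a constructed sample account, checks whether an app such as busy.app is already listed in the posting authority, derives the lowest key a login should need under this proposal, and builds the Steemconnect authorize URL quoted above for the chosen scope. The STM_... key strings are placeholders, and "vote,comment" is only an assumed example of an app's posting-level scopes.

```python
"""Added example (not Steemconnect's, Busy's or the post author's code).

Models the Steem authority structure returned for an account (posting/active,
each with weight_threshold, account_auths and key_auths), checks whether an app
is already listed in the posting authority, derives the lowest key a login
should need, and builds the Steemconnect authorize URL for the chosen scope.
"""
from urllib.parse import urlencode

STEEMCONNECT_AUTHORIZE = "https://app.steemconnect.com/oauth2/authorize"

# Constructed sample in the shape of a Steem account record. The STM_... strings
# are placeholders standing in for real public keys.
SAMPLE_ACCOUNT = {
    "name": "alice",
    "posting": {
        "weight_threshold": 1,
        "account_auths": [["busy.app", 1]],  # posting right already granted to Busy
        "key_auths": [["STM_POSTING_PUBKEY_PLACEHOLDER", 1]],
    },
    "active": {
        "weight_threshold": 1,
        "account_auths": [],  # no app holds the active right
        "key_auths": [["STM_ACTIVE_PUBKEY_PLACEHOLDER", 1]],
    },
}


def authority_satisfied(authority, signer_accounts=(), signer_keys=()):
    """Return True when the given accounts and keys reach weight_threshold.

    Each account_auth or key_auth that matches a signer contributes its weight;
    the sum must reach the threshold. This is the rule that lets busy.app post
    on alice's behalf while giving it no say over her active authority.
    """
    weight = sum(w for acct, w in authority["account_auths"] if acct in signer_accounts)
    weight += sum(w for key, w in authority["key_auths"] if key in signer_keys)
    return weight >= authority["weight_threshold"]


def app_has_posting_right(account, app):
    """True when `app` alone satisfies the account's posting authority."""
    return authority_satisfied(account["posting"], signer_accounts=(app,))


def key_needed_for_login(account, app):
    """Lowest key level a login for `app` should require, per the post's proposal.

    The first login adds the app to the posting authority, and changing an
    authority is an active-key operation. Once the app is listed, proving the
    user's identity only needs the posting key.
    """
    return "posting" if app_has_posting_right(account, app) else "active"


def build_authorize_url(client_id, redirect_uri, scope):
    """Build the Steemconnect OAuth2 authorize URL in the form the post shows."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope})
    return f"{STEEMCONNECT_AUTHORIZE}?{query}"


def login_url_for(account, app, redirect_uri, posting_scope):
    """Choose identity-only scope=login when the app already holds the posting
    right; otherwise request posting_scope, the app's posting-level scopes,
    which is the request that makes Steemconnect ask for the active key."""
    scope = "login" if app_has_posting_right(account, app) else posting_scope
    return build_authorize_url(app, redirect_uri, scope)


if __name__ == "__main__":
    # "vote,comment" is an assumed example of an app's posting-level scopes.
    for app, cb in (("busy.app", "https://busy.org/callback"),
                    ("newapp.app", "https://newapp.example/callback")):
        print(app, "->", key_needed_for_login(SAMPLE_ACCOUNT, app))
        print("  ", login_url_for(SAMPLE_ACCOUNT, app, cb, "vote,comment"))
    # busy.app can act with alice's posting authority but not with her active one
    print("busy.app satisfies active?",
          authority_satisfied(SAMPLE_ACCOUNT["active"], signer_accounts=("busy.app",)))
```

For busy.app the check finds the existing posting account_auth and produces exactly the scope=login URL quoted above; for an app that is not yet listed it requests the posting-level scopes, which is the one time the active key is legitimately needed. As noted above, today's Steemconnect grants only what the scope requests, so a scope=login token does not carry the posting right even though busy.app already holds it; the check shows what a login page would need to know to ask for the right key once Steemconnect honors an existing posting authority.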
Benefits
If active key is stolen, then all of your Steem and SBD can be stolen.
Using the active key for login can be extremely risky on public computers. As you know, a private key isn't something that a human can memorize, so users most likely copy & paste it from another source. By doing so, you have to protect that other source securely, but many people don't. So apps should be able to use posting keys for login after the initial posting right authorization.
Due to this problem, I've never logged in on other computers, since I don't want to enter my active key on unknown machines. I hope this problem will be resolved soon.