You are viewing a single comment's thread from:

RE: ANN - Re Launch of STEEM AUTO

in #codeonsteem4 years ago (edited)

Hi,
This is wrong:
"Everything could be done without your active key. Giving them your active key means they can transfer your steem."

You necessarily need the active key to change authorities (add or remove) of an account. This is at blockchain level and there is no other way to change account authorities. And there is no other way to use a service like steemauto except giving your posting key directly to an app, which is not recommended. Of course you can use any other method to authorize an app "with your active key" without using steemlogin. You can do that with any steem library or Keychain if you are not feeling secure with steemlogin.

As @futureshock and so steemlogin, we take seriously security issues with steem users accounts. When you use steemlogin we can potentially access to your keys that's right and that was always an issue with steemconnect but we never do/did this, we don't store any keys more than needed and will never do it. Remember also this, when you use steemlogin on any app, this app doesn't see your keys but only receive an oauth token.

FYI we are not related to steemauto or any other team. We are offering this service for free and only to make things easier for dapps developers. We are publicly known people (you can even find our address on the web) and would never dare to hurt/rob anyone, in our eyes respect and trust are much more important than money.

Best regards,
Hightouch

Sort:  

There is no active posting key. It can be rather private posting key or private active key. And yes both have different uses.
Voting/posting use private posting key, and other things like transfer or changing account autorithy require private active key. There are also other keys like the private memo key which permit to decode memo encoded with your public memo key etc.. .

In this case, you are not willing to give any key but just give the authority for an app to post for you. The other possibilities would be:

  • the app ask your posting key and store it (this is less secure then steemlogin which has been tested for nearly 4 years now)
  • the app ask your posting key with steemlogin and store the received token and can reuse it. The issue with this solution is the following one, steemlogin tokens have an expiration time like all web tokens, so after a week this particular token become unusable and you would need to login again to the app to obtain a new token... Which removes all interest in using a service like steemauto.
    So in order to do that you are using your private active key to give posting authority to the app. Which means this app can post/vote for you whenever he need/want and that until you revoke the posting authority, again using your private active key.

Well I'm sorry for you but I guess you just fell in with the wrong crowd as we all already did at least once.

Hopefully other witnesses will come to confirm all what I said there.

Best regards,
hightouch

It's me again...

FYI we are not related to steemauto or any other team. We are offering this service for free and only to make things easier for dapps developers. We are publicly known people (you can even find our address on the web) and would never dare to hurt/rob anyone, in our eyes respect and trust are much more important than money.

can you share your website address?

Thank you for this comment @futureshock

However ... correct me if I'm wrong, but it seem that original steemauto never required active key. And this is main reason why some users are hestitant and seriously worried to use "steem login" and new steemauto.

How could they (original steemauto) achieve it? Any idea?

Yours, Piotr

Coin Marketplace

STEEM 0.22
TRX 0.20
JST 0.034
BTC 92452.51
ETH 3105.57
USDT 1.00
SBD 3.16