Reasons why you shouldn't ask for or share private posting keys

in #steemdev, 7 years ago (edited)

There is a misconception in this community that using your private posting key to log in to outside services is safe.

[image: public-private-key.png]

That is not true, here is why:

While a bad actor holding your private posting key cannot take your money, they can exploit and eventually damage your account in plenty of other ways.

In Steem you "mine" (as in proof of work, or rather proof of brain: posting, commenting and voting) with your private posting key.
The cumulative reward for that activity is 7% of Steem's yearly inflation.

Meaning that if someone wants a piece of that pie, they need to pool some SP and then use the private posting keys that control it to do their deeds.

And what better way of doing that than starting a service that collects private posting keys, for whatever reason?

There already are upvote botnets making their money that way.
Some of them are legitimate services (I use the @shadowbot voting pool),
but can you trust anyone with that power to do right by you, now and in the future?

Can you trust them to be secure enough to not get hacked and leak your keys ?

Leasing SP costs money. There are services that let you lease out your SP, or lease some to power up your votes (https://steemit.com/@minnowbooster). Whoever has collected a pile of posting keys gets the same voting power without paying for it.

From here, it gets darker...

With enough SP-backed downvotes you could drive someone's reputation into the ground.
You could hide posts on steemit.com.

That is abuse, and abuse brings the @steemcleaners
and your account provider (Steemit Inc).

You don't want to be in a situation where these guys show up.
It means you have become a victim of abuse,
or your account is wreaking havoc on the blockchain.

and darker...

With your private posting key, someone could edit all of your posts and comments, deface your profile or, worse, change every link to a phishing site or to a page hosting a drive-by exploit.

After that all bets are off, and some people will get burned.

And that's why, if you are the developer of a new or existing service around Steem, don't ask for private posting keys if you don't really need them.

If you need the ability to post or vote on a user's behalf,
generate your own keys and use Steem's multi-sig account authorities through https://steemconnect.com/: the user adds your service's account to their posting authority instead of handing you their key, and can remove it again at any time.
Check out how https://streemian.com/ is doing it (GitHub).

P.S. I know some people will point out that most services keep the keys inside the browser.

How sure are you?
Especially when you get the latest version of the code every time you visit the service's URL.

When did you last inspect the code as it was running in your browser?
Was it minified?

Everything one could do after collecting the keys, they can do with simple code injection into that page...

You should always look for ways to minimize the attack surface, and the need for trust, when you are entrusted with people's money (or keys).


Excellent post!
Just last night I had a long chat about making my trail safer by using SteemConnect V2 from the guys at @busy instead of asking for the PPK...

I just finished a chat with @fabien who pointed me in the right direction to the clean solution i wanted!

Good post. Thanks for raising awareness on protecting our Steemit account. We should only consider sharing our posting keys with thoroughly vetted third party sources. As you stated, posting keys do not allow access to money but unauthorized and malicious activity by unscrupulous actors could have ruinous results.

Thanks.

Raising awareness about the reasons why you should protect your keys is just one side of the equation.

There are better ways of implementing the same functionality without asking for the primary private keys. In a perfect world there should be no need for them to leave your personal wallet.

Even now, if you know what you are doing, you could generate multiple private keys, one for each service that you use, and only of the kind that the service needs.

Then it becomes easier to later remove the keys of services that misbehave.
That way only your account provider will still have power over you.
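The two recommendations above, using Steem's multi-sig account authorities through SteemConnect rather than collecting posting keys, and giving each service only the authority it needs so it can be removed later, as an added Python example. This is not code from the post, from SteemConnect or from any Steem library: it models the on-chain posting authority object, the `account_update` operation that grants and revokes a service, and the weighted threshold check a node runs over a transaction's signers. The account names and key strings are constructed placeholders, and the recursion limit `MAX_DEPTH` is an assumption; nothing here signs or broadcasts anything.

```python
"""Steem's posting authority modelled as the weighted multi-sig it is, plus the
account_update operation that grants a service posting rights and takes them
away again. Added example: not code from the post or from any Steem library.
Account names and key strings are constructed placeholders; MAX_DEPTH is an
assumption. Nothing here signs a transaction or talks to a node."""
import json
from typing import Callable, Dict, List, Optional, Set, Tuple

# The chain stops walking nested account_auths after a fixed small depth
# (assumed here to be 2).
MAX_DEPTH = 2

Authority = Dict[str, object]
Lookup = Callable[[str], Optional[Authority]]


def posting_authority(threshold: int = 1,
                      key_auths: Optional[List[Tuple[str, int]]] = None,
                      account_auths: Optional[List[Tuple[str, int]]] = None) -> Authority:
    """An authority in the shape Steem keeps on-chain: a weight threshold,
    weighted public keys, and weighted *accounts* whose own posting
    authority counts towards the threshold."""
    return {
        "weight_threshold": threshold,
        "key_auths": sorted(key_auths or []),
        "account_auths": sorted(account_auths or []),
    }


def grant(auth: Authority, *, key: Optional[str] = None,
          account: Optional[str] = None, weight: int = 1) -> Authority:
    """Copy of `auth` with one more signer. Granting an account (what
    SteemConnect does) lets the service sign with its *own* key; granting a
    key is the per-service key approach. Either way the user's key stays home."""
    keys = list(auth["key_auths"])
    accounts = list(auth["account_auths"])
    if key is not None and all(k != key for k, _ in keys):
        keys.append((key, weight))
    if account is not None and all(a != account for a, _ in accounts):
        accounts.append((account, weight))
    return posting_authority(auth["weight_threshold"], keys, accounts)


def revoke(auth: Authority, *, key: Optional[str] = None,
           account: Optional[str] = None) -> Authority:
    """Copy of `auth` without the given signer: how you cut off a service
    that misbehaves, without touching anything else."""
    return posting_authority(
        auth["weight_threshold"],
        [(k, w) for k, w in auth["key_auths"] if k != key],
        [(a, w) for a, w in auth["account_auths"] if a != account],
    )


def account_update_op(account: str, posting: Authority, memo_key: str) -> list:
    """The operation a wallet broadcasts to change the posting authority.
    It needs the account's ACTIVE (or owner) signature, which is the point:
    a posting key can neither grant itself friends nor lock the owner out,
    and the owner can always revoke. owner/active are omitted so they are
    left as they are."""
    return ["account_update", {
        "account": account,
        "posting": posting,
        "memo_key": memo_key,
        "json_metadata": "",
    }]


def satisfied(auth: Authority, signers: Set[str], lookup: Lookup, depth: int = 0) -> bool:
    """Weighted threshold check a node performs over the public keys that
    signed a transaction. An account_auth contributes its weight when that
    account's own posting authority is satisfied by the same signers."""
    total = sum(w for k, w in auth["key_auths"] if k in signers)
    if depth < MAX_DEPTH:
        for name, w in auth["account_auths"]:
            nested = lookup(name)
            if nested is not None and satisfied(nested, signers, lookup, depth + 1):
                total += w
    return total >= auth["weight_threshold"]


def walkthrough() -> Dict[str, object]:
    """Grant a SteemConnect-style service account, use it, revoke it."""
    user_key = "STM_USER_POSTING_KEY"        # constructed placeholders, not real keys
    service_key = "STM_SERVICE_POSTING_KEY"
    memo_key = "STM_USER_MEMO_KEY"
    # Constructed on-chain state: the service's own posting authority.
    chain = {"steemconnect": posting_authority(key_auths=[(service_key, 1)])}

    before = posting_authority(key_auths=[(user_key, 1)])
    after = grant(before, account="steemconnect")
    revoked = revoke(after, account="steemconnect")
    return {
        "user_before": satisfied(before, {user_key}, chain.get),
        "service_before": satisfied(before, {service_key}, chain.get),
        "service_after": satisfied(after, {service_key}, chain.get),
        "user_after": satisfied(after, {user_key}, chain.get),
        "service_revoked": satisfied(revoked, {service_key}, chain.get),
        "update_op": json.dumps(account_update_op("alice", after, memo_key)),
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The thing to notice is which key signs what: the service signs posts with its own key, and the `account_update` that admits or evicts it is signed with the user's active key, which the service never sees. Raising `weight_threshold` above the weight you give a service turns it into a co-signer that cannot act alone.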

Excellent post @zinovi
The only services I use my private key with are chainbb, eSteem and busy... I hope they listen and ensure Steemians are safe. I hope busy is strong enough, as they also have the option of password and username.
I'm thinking of 2FA with Google Authenticator... wouldn't it be a good idea to have extra security like blockchain did...?

Interesting post...
Thanks for sharing.

This post has received a 0.52 % upvote from @drotto thanks to: @banjo.

Congratulations @zinovi! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!



This post was resteemed by @steemitrobot!
Good Luck!

To resteem your post, just send 0.100 SBD or Steem with your post URL in the memo. We have over 2000 followers. Use our service to reach more people.

Pro Plan: just send 1 SBD or Steem with your post URL in the memo and we will resteem your post and send 10 upvotes from our associate accounts.

The @steemitrobot users are a small but growing community.
Check out the other resteemed posts in steemitrobot's feed.
Some of them are truly great. Please upvote this comment for helping me grow.

Strange, I didn't ask for that...


Congratulations @zinovi! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

You got your First payout
Award for the total payout received

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

Upvote this notification to help all Steemit users. Learn why here!
