Hate putting private keys into websites? Introducing Steem Keychain!

in #steem, 6 years ago

One thing that has bothered me since I started using Steem over a year ago is that every single web app requires you to enter your private key into the website to use it.

The common response to that is that it's not a big deal because most sites only require your posting key, but I disagree. Sure, you and I may know how to use our posting key, but I'm guessing that the vast majority of Steem users just use their master password.

As a blockchain platform trying to cater more to the general public I don't think it's ok to put the burden of understanding the different keys and levels of security on the users. The tools and services should be built such that security is the default.

Additionally, most web apps built on Steem use Steem Connect, which requires you to put your active key into their website and then uses that to grant posting authority on your account to an account they control.

What I commonly hear regarding steemit.com or Steem Connect is that it's ok to put your active key into those sites because they are run by Steemit, Inc. Even if I were to fully trust Steemit, Inc not to purposely steal my keys, anyone can be hacked. If the servers hosting steemit.com or Steem Connect were hacked, I expect that thousands of keys would be stolen, and accounts would be emptied of liquid funds, within a very short period of time.

The last option is to use the Vessel desktop wallet software. This is actually a great option from a security standpoint, but it's not great from an ease-of-use standpoint, and I find it very unlikely that anyone but a small group of power users will use it.

So, for a long time I just accepted that that's the way Steem is, until one day when I actually used an Ethereum dApp. Despite it being slow and costing fees, I noticed that at no point did I have to enter my wallet private key into the website. The website simply called the Metamask browser extension to sign and broadcast the transactions for it.

Once I realized this, I couldn't understand why on earth there wasn't something like Metamask for Steem. Not only would it completely resolve the issue of having to put private keys into websites, but there's also so much more you could do with it on Steem than on Ethereum (seeing as Steem is specifically built for websites to interact with it).

At this point I was already knee deep in Steem Monsters, but I felt that this was an absolute necessity for the Steem platform, so I talked about it with @aggroed. He agreed that this was an important project and wanted to help make it a reality. Since I didn't have time to build it myself, we decided that Steem Monsters should fund its development.

So Aggroed and I got to work writing up specs for the extension, what features it should have, creating wireframe designs, etc. Then we got the amazing @nateaguila to do the graphics and UI design, and finally got Mr. Steem Plus himself, @stoodkev to do the bulk of the development.

Introducing the Steem Keychain Chrome Browser Extension

Finally, the Steem Keychain Chrome browser extension was born! I have been using it actively while it has been in development for the last couple of months, along with Aggroed and some other people we brought in to help test it, and I can say with some certainty that this will change the way you interact on the Steem blockchain.

Take a look at the following video to see what I mean:

Using the extension I was able to easily view info and make transactions from multiple accounts, and interact with the Steem Monsters web app without ever compromising any of my keys!

Currently Steem Monsters and Peak Monsters support the Steem Keychain extension, and Steem Peak is working on adding support as well. My hope is that one day all Steem-based sites, dare I say even steemit.com, will support the extension as well, and the days of putting keys into websites will be over.

Current Features

The Steem Keychain extension currently includes the following features:

  • Store an unlimited number of Steem account keys, encrypted with AES
  • Easily view balances, transaction history, voting mana, and resource credits for all of your accounts
  • Send STEEM and SBD transfers right from the extension
  • Securely interact with Steem-based websites that have integrated with Steem Keychain
  • Manage transaction confirmation preferences by account and by website
  • Manage automatic lock settings to lock when the browser is closed, the device is locked, or after the browser is idle for a specified period of time

Website Integration Features

Websites can currently request the Steem Keychain extension to perform the following functions / broadcast operations (note that by default, users will have to confirm any transactions requested by a website, but they have the option to turn off the confirmations for specific operations and websites as desired):

  • Send a handshake to make sure the extension is installed and running
  • Decrypt a message encrypted by a Steem account private key (commonly used for "logging in")
  • Post a comment (top level or reply) including a "comment_options" transaction for beneficiaries
  • Broadcast a vote
  • Broadcast a custom JSON operation
  • Send a transfer
  • Broadcast a delegation operation
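
A model of the request flow described above, as an added example that is not the extension's own code: the extension holds the keys, prompts by default, and lets the user switch off prompts per account, website and operation. The class, method and error names are hypothetical, and an HMAC stands in for Steem's real ECDSA transaction signature so that it runs in plain Node.js.

```javascript
const crypto = require('crypto');

// Key role each operation needs on Steem: posting for social actions,
// active for anything that moves or commits funds.
const ROLE_FOR = new Map([
  ['vote', 'posting'],
  ['comment', 'posting'],
  ['custom_json', 'posting'], // simplification made for this model
  ['transfer', 'active'],
  ['delegation', 'active'],
]);

class KeychainModel {
  // askUser(origin, request) stands in for the confirmation popup and
  // returns true when the user approves.
  constructor(askUser) {
    this.keys = new Map();      // "account:role" -> secret, never handed to a page
    this.noConfirm = new Set(); // "account|origin|operation" the user opted out for
    this.askUser = askUser;
    this.prompts = 0;           // how many popups were shown
  }

  addKey(account, role, secret) {
    this.keys.set(`${account}:${role}`, secret);
  }

  // The user turns confirmations off for ONE operation on ONE website.
  skipConfirmation(account, origin, type) {
    this.noConfirm.add(`${account}|${origin}|${type}`);
  }

  // Entry point for a request coming from a web page at `origin`.
  handleRequest(origin, req) {
    if (req.type === 'handshake') return { success: true };

    const role = ROLE_FOR.get(req.type);
    if (!role) return { success: false, error: 'unsupported_operation' };

    const secret = this.keys.get(`${req.account}:${role}`);
    if (secret === undefined) return { success: false, error: 'missing_key' };

    // Default is to ask; only an exact account/site/operation match skips it.
    if (!this.noConfirm.has(`${req.account}|${origin}|${req.type}`)) {
      this.prompts += 1;
      if (!this.askUser(origin, req)) return { success: false, error: 'user_cancel' };
    }

    // Sign inside the extension; the page gets the signed result only.
    const payload = JSON.stringify({ type: req.type, account: req.account, data: req.data });
    const signature = crypto.createHmac('sha256', secret).update(payload).digest('hex');
    return { success: true, result: { payload, signature } };
  }
}

// Constructed scenario: a user who rejects every popup, one stored posting key.
function demo() {
  const kc = new KeychainModel(() => false);
  kc.addKey('alice', 'posting', 'constructed-posting-secret');
  const vote = {
    type: 'vote',
    account: 'alice',
    data: { author: 'bob', permlink: 'hello', weight: 10000 },
  };

  const first = kc.handleRequest('https://game.example', vote);      // prompted, rejected
  kc.skipConfirmation('alice', 'https://game.example', 'vote');
  const second = kc.handleRequest('https://game.example', vote);     // no prompt, signed
  const otherSite = kc.handleRequest('https://other.example', vote); // still prompted
  const transfer = kc.handleRequest('https://game.example', {
    type: 'transfer',
    account: 'alice',
    data: { to: 'bob', amount: '1.000 STEEM' },
  });                                                                 // no active key stored
  return { first, second, otherSite, transfer, prompts: kc.prompts };
}

console.log(demo());
```
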

New Features Coming Soon™

  • Power up / down
  • Manage delegations
  • Manage witness votes
  • Claim pending reward balances
  • Support for Firefox and other browsers

Integrating with Steem Keychain

The code for the extension is all open source and available on Github here: https://github.com/MattyIce/steem-keychain

The readme contains instructions for Steem-based websites to integrate with the extension. If you need any help or have any questions / suggestions for integrating Steem Keychain into your site, please feel free to contact @yabapmatt or @stoodkev on Discord.

The Broader Mission

As you probably know, @aggroed, @stoodkev, and myself are Steem Witnesses. I can only speak for myself here, but I suspect that both @aggroed and @stoodkev have very similar thoughts and goals.

Beyond the standard work that witnesses are expected to do (which was brought into the forefront recently with the HF20 release), I think that each witness should have an overall goal, or mission, for the future of the Steem blockchain that they are primarily working towards.

For me, that mission is bringing more and varied apps to the Steem blockchain. I plan to go into this in more detail in my next witness update post, for which I am long overdue, but I am mentioning it here because I feel that the Steem Keychain extension is a critical component to that mission.

I am talking with some Ethereum app developers who are considering porting their apps to Steem, and they told me that almost all of their users use Metamask to interact with their apps and they were surprised to hear that Steem doesn't have something similar. Well now it does.

If you also support this mission, I ask that you consider voting for myself, @aggroed, and @stoodkev as Steem witness (and also support @nateaguila's posts as he is a talented and valuable contributor to this project and the Steem platform as a whole).

In Conclusion

Please keep in mind that this is a first version of a brand new product. There will likely be some bugs or other issues that we didn't catch during testing. We welcome help and constructive feedback from the community to improve the product and work to achieve the stated goal of completely eliminating the need to put private keys into websites.

In case you missed it, here is the direct link to download and install the extension in Chrome: https://chrome.google.com/webstore/detail/steem-keychain/lkcjlnjfpbikmcmbachjpdbijejflpcm We would also appreciate you taking the time to rate the app in the Chrome web store to help increase its visibility in searches.

Be free and Steem on!
@yabapmatt


So, would you recommend generating new passes since steem-connect and steemit Inc. server hold our keys on their servers? Thus generating new passes would allow greater safety since even if steem connect and steemit inc get hacked, it wouldn't matter. Thus making the keychain more effective.

Also, does send work with #privacy send?

I'm pretty sure that they do not store keys and only give a specific account an authentication to post under your name. Even if they get hacked, nothing should happen if you remove authenticated accounts. Of course, if hacked, it could be used to phish newly entered keys.

Yes, that's what I thought. Thanks for the confirm.

Definitely, but where will you post from? Steem and Busy haven't implemented this extension yet. When you find a place to post from and do operations from that accepts the plugin, then reset the passwords.

Posted using Partiko Android

I believe they will be implementing the key integration soon.

It would make sense, but at least Steemit isn't known for quick adjustments. However, since they're open source, I would as well expect for people to propose the changes by themselves. Do you have information regarding the current development status?

I think @yabapmatt has the most details on such updates. If you follow him or @aggroed, his partner; news of new updates should be coming out.

Thank you for your work on this and I sure appreciate that it offers a faster and simpler option. I'm not technical, so I don't understand a lot of these things, but my understanding is that browser extensions are not really that secure either. I've always been told it is kind of sketchy to use your password with an extension. Am I wrong there?

This is an important conversation so thank you for bringing it up. As far as I know the security concerns around browser extensions primarily come from fake extensions being listed in the stores that impersonate real ones to steal keys. As long as you are careful to only install and use the legitimate version at the link I shared above there should be no security concern.

I think the fact that Metamask has been widely used for storing Ethereum private keys for a long time now shows that browser extensions can be a secure and user-friendly way to transact on blockchains, and we have built Steem Keychain to work as similarly to Metamask as possible.

With extensions you are placing a large amount of trust in the developer and the codebase. For example, the extension requires permission to:

Read and change all your data on the websites you visit

Hence, a malicious developer could not only steal your Steem credentials but possibly even other types of personal content.

I happen to know @yabapmatt is not malicious. However, there is still the possibility that his account gets hacked and a malicious version of the extension is released to the Chrome store. I'm not sure how common this type of attack is and what sort of screening extensions undergo to prevent this.

So in summary, browser extensions can be secure, as if implemented properly they perform all sensitive tasks client-side, which is good, but also can easily leak sensitive data should they be poorly engineered or created/hijacked by an attacker. Please add to my understanding if it's incomplete.

You have the ability to download the extension to your hard drive and tell Chrome to load it locally. Your copy of the extension would then be updated only when you update the code manually.

And how do you download the extension to local HD?

Hi @haejin

The following instructions have been written for a Mac computer, but for a Windows computer, it's very similar:

  • Go to the Steem Keychain GIT repository: https://github.com/MattyIce/steem-keychain
  • Click on the "Clone or Download" green button
  • Select "Download ZIP"
  • Once the ZIP file downloads successfully, unzip it somewhere on your local HD. For the purpose of this mini-guide, I will assume you have unzipped it under Documents/steem-keychain-master
  • Now, launch Chrome and in the address bar, type chrome://extensions
  • On the top right of the screen, enable the "Developer mode"
  • Now you have three new buttons showing at the top left, click on "Load unpacked"
  • Browse to Documents
  • click on the folder steem-keychain-master
  • click on the "Select button"
  • You should now see the extension appearing on the screen

To upgrade you will have to download and unzip again and overwrite the files on your local hard drive, then go back to chrome://extensions and click the circular arrow icon to reload the extension. Verify its version number to confirm the upgrade.

This is what Chrome extension developers do to test their extensions before uploading it to the Chrome Web Store.
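
Added example, not part of the comment above or of the Steem Keychain project: a Node.js check to run on the unzipped folder before clicking "Load unpacked" and again before reloading an upgrade. It flags the host patterns behind the "Read and change all your data on the websites you visit" warning and lists which files changed between two downloads; the function names and the sample manifest are constructed for illustration.

```javascript
const fs = require('fs');
const path = require('path');
const crypto = require('crypto');

// Match patterns that cover every website. Declaring any of them is what
// makes Chrome show "Read and change all your data on the websites you visit".
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Return every place in manifest.json where the extension asks for all sites.
function auditManifest(manifest) {
  const findings = [];
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const pattern of declared) {
    if (BROAD_HOSTS.has(pattern)) findings.push({ where: 'permissions', pattern });
  }
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) {
      if (BROAD_HOSTS.has(pattern)) {
        // These files are injected into every page, so read them first.
        findings.push({ where: 'content_scripts', pattern, files: script.js || [] });
      }
    }
  }
  return findings;
}

// Map each file under `root` (relative path, forward slashes) to its SHA-256.
function snapshotDir(root) {
  const hashes = Object.create(null);
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        walk(full);
        continue;
      }
      const rel = path.relative(root, full).split(path.sep).join('/');
      hashes[rel] = crypto.createHash('sha256').update(fs.readFileSync(full)).digest('hex');
    }
  };
  walk(root);
  return hashes;
}

// Compare the snapshot of the copy already loaded with a fresh download,
// so only the files that actually changed need to be reviewed.
function diffSnapshots(before, after) {
  const added = Object.keys(after).filter((f) => !(f in before)).sort();
  const removed = Object.keys(before).filter((f) => !(f in after)).sort();
  const changed = Object.keys(after)
    .filter((f) => f in before && before[f] !== after[f])
    .sort();
  return { added, removed, changed };
}

// Constructed sample manifest (not the real Steem Keychain manifest).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'example-keychain (constructed sample)',
  version: '0.0.1',
  permissions: ['storage', 'idle', 'https://*/*', 'http://*/*'],
  content_scripts: [{ matches: ['https://*/*', 'http://*/*'], js: ['js/content.js'] }],
};

console.log(auditManifest(SAMPLE_MANIFEST));
```

Save the output of `snapshotDir` for the folder you loaded, run it again on the next download, and pass both results to `diffSnapshots` before reloading the extension.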

Thanks! Very helpful!
Would an upgrade wipe out prior entered keys?
If one had used steemconnect or entered keys via copy paste in the past, should new keys be generated for the Key Chain; in the event steemconnect or steemit inc. get hacked?

An upgrade should not wipe the entered keys if you don’t remove the extension prior to the upgrade. I have not checked how the extension stores the keys but beware when you clear the browser’s cache as it might also clear the keys depending on the cache clearing options you checked. After checking the extension and testing on another computer, it seems that clearing cache does not clear your keys from the extension. To remove all stored keys, you would need to remove the extension itself.

To my knowledge, SteemConnect (from v2) does not store your private keys; it uses your active key to grant posting authority to the dapps that were using SteemConnect. The key is not needed later on when posting or upvoting. The private key is still requested for each transfer or settings request. Utopian got hacked in the past, the hacker could not retrieve the keys because there was nothing to retrieve, they could only use the SteemConnect token to perform the upvotes. If SteemConnect gets hacked, just revoke your tokens.

However, if you want to be 100% sure you have not leaked your keys somehow then yes, go regenerate them. I still recommend you keep your owner key somewhere else safe.

Posted using Partiko iOS

Do you develop chrome extensions?

Posted using Partiko Android

I do occasionally

I wanna :D
SoonTM

All good, valid points. There's really no situation where it's completely impossible for keys to ever get stolen. I will say that the extension purposely never stores the owner key or master password for accounts, so if there were to ever be a hack, while that would certainly be bad as active keys and liquid funds could be stolen, it's a much easier situation to recover from since you can just change your keys and not have to go through the account recovery process.

I believe this is still more secure than the system being used now where if any of the sites into which people are putting their keys are hacked, many master passwords will be stolen.

Much more secure indeed in this era of middlemen. I just wish browsers had a much heavier emphasis on security in order to facilitate these tasks with the biggest convenience:security ratio.

Posted using Partiko Android

You are completely right. The safest way is compiling the extension yourself as has been explained elsewhere on this thread.

Posted using Partiko Android

Will it also be used for SMTs like metamask allows for erc20 tokens?

Posted using Partiko Android

Absolutely!

Same worries for me, i wonder if other extensions can see what you are doing if you granted them permissions like "Read all actions, websites, etc.."

Posted using Partiko Android

They definitely can. That's why you have to limit your extension usage and use only trusted and essential ones.

Posted using Partiko Android

The risk exists, indeed, no matter how small. Safest is to make an effort with your own security measures, but this extension sure is more secure than most things we normally use and makes it all very easy and convenient.

Posted using Partiko Android

We look forward to implementing keychain on https://steempeak.com we are big believers in it.

PEAKMONSTERS USAGE
Our partner site https://peakmonsters.com has already been using Keychain for over a month now and it's been a raging success. Specially with people who buy cards frequently it makes it much easier and we believe much safer. (unless you often walk away from your laptop in public places)

Steempeak is really becoming the most dynamic STEEM UI out there, power on!

@jongolson, if you catch this, please consider mentioning Steempeak in a Savvy if you haven't already (I have not unlocked all videos yet -- which is another issue for testing, but more on that later).

Why Steem UI? I can't use normal Steem from there. Though the cards are based on Steem. 🤔

Posted using Partiko Android

Ah, perhaps you're confusing peakmonsters.com with steempeak.com itself? Steempeak is used for blogging. The most dynamic STEEM UI "for blogging" is what I should have said :)

for sure. it’s planned absolutely. i just don’t have a working knowledge of it yet. but will be diving in much more. thanks for the recommendation

Posted using Partiko iOS

I just reviewed @steempeak in detail and really loved it. Someone really put a lot of effort in this project but it still seems undervalued. It would be really nice addition if you add this keychain on it and thus give users almost a perfect experience. Good luck!

Love hearing that!

I want all projects to use this key chain!

Posted using Partiko Android

GREATTTTTTTT, Nice. Thanks

great news!

I always thought that Steempeak was an alternate frontend for Steem monsters. Do they have different origins or are they branches of the same thing?

Posted using Partiko Android

https://steempeak.com = an interface/frontend for steem.

https://peakmonsters.com = A bulk Market for SteemMonsters with some other data insights

Would there be a way to auto populate the plugin data after account registration? This would make it really easy for normies to get plugged into the steem blockchain without even touching a key lol. Just show them a page to print their keys.

That is a fantastic idea!

😉

Awesome, though this might worry some people about the safety of their usage because they will see that websites and extensions are not isolated but can take from each other without explicit authorisation.

Posted using Partiko Android

What kind of things do you invent, Mr inventor?

Posted using Partiko Android

Yabapmatt, for sure 100% fantastic but I have a fear with these extensions. Is there any possibility that another extension can see what you are doing? Some of them are granted "Read all actions, websites, etc.?". As a developer, can you tell us it is 100% safe?

Posted using Partiko Android

This is actually yet another reason why using an extension to store your keys is better than putting them into websites. As far as I know extensions cannot access any data stored by other extensions, but they can access data on websites, as you pointed out. So if you copy/paste your key into a website like steemit.com or Steem Connect, then a malicious extension could steal it, but a malicious extension cannot steal it from the Steem Keychain extension.

I get it, so true! Grateful thanks for replying. We still have to be careful of course, another extension could do phishing, mimic same behaviour and one step up in the OS hierarchy, any process can read all our keystrokes but yes, it is better than anything we have now and difficult to do better, thumbs up @yabapmatt, thanks, thanks, thanks!

Posted using Partiko Android

Yes, phishing is always the biggest problem, so you must always be very careful about that!

Great addition. Still. I trust my savings wallet more than anything. 😀 goes and hides more stuff there

Hey, guys, it's really cool that you developed this extension. So far I've always stored everything as a custom text field in my password store, but it never worked that way.
However, it would be very cool if you could release it as your own Firefox extension. There is Chrome Store Foxified, but I don't trust it that much.
Thxalot,
JanSe

Aaaaaa I always do the same! I open a Keepass document and the custom description has my posting and active and memo and owner keys.

Posted using Partiko Android

I'm also curious to know if the extension will be available on Firefox as well?
Great dev and contributions though, thank you @yabapmatt, @aggroed, @stoodkev and @nateaguila, fantastic work!
Cheers

I'm sure it will come but much later.

Posted using Partiko Android

Maybe we need some instruction on how to download for the non-technical steemians.

Open Chrome
Click this link: https://chrome.google.com/webstore/detail/steem-keychain/lkcjlnjfpbikmcmbachjpdbijejflpcm
click install
Shows up as a little keychain icon in the top right. Click the icon to use it.
It will ask for master password to get your other keys but doesn't store the master password.

Thank you very much.

This will be of a great help to many steemians.

I don't trust Google stuff. Is there a way of using it on Tor browser?

Really great work here @yabapmatt. Thank you

I remember you and aggroed mentioning the wallet months ago on the msp show. Glad to see it has been tested and ready for use! Only downside for me, now I have to use Chrome 😕 .

Thank you (and team) for this awesome feature. The few seconds spent looking for passwords can now be better utilized battling. ;) In all seriousness, you've spent an incredible amount of time developing and in this case, writing out the specs for Steem Keychain.

Having spent countless hours reading and writing simple technical specs myself at work, I can attest that it takes considerable time to write down all the details so others would be able to understand. So thank you for gathering the methodology so it can be coded into this finished product.

Only downside for me, now I have to use Chrome 😕 .

You can also use Chromium, which is completely open source. Chrome contains some proprietary add-ons, but nothing I've found that I actually use.

Will this work with the Brave browser? I think that's the one we should all be using eventually

Apparently in the current version of Brave installing Chrome extensions is a bit wonky but this should improve with the upcoming Brave 1.0 release. More info in this Reddit post.

If you use adapters you have to trust the adapter too, not only the original application. If it's independent, sometimes cross platform opens the doors to vulnerabilities. You should be careful and use things in their intended environments unless you understand the technicalities of each change.

Posted using Partiko Android

I concur.

I occur.

Posted using Partiko Android

Why do you think we'll have to use that browser in the future?

Posted using Partiko Android

We won't have to use it but I'd rather use a browser that can reward content producers and pays me for use of my data.

Posted using Partiko Android

Issue is more laziness with having to re-bookmark and install ad blocker, etc. :)

I should be moving over to chrome or chromium anyway since my GTM web sessions never want to work on firefox. Steem Keychain is a good reason to take that step. Thanks @dhimmel! I'll take a look at Chromium.

What is gtm?

Posted using Partiko Android

oh, the GoToMeeting online software. We use it for conference calls and screen sharing, but it doesn't want to connect on my firefox when I work from home. It's fine with chrome though, so all the more reasons to switch.

Is it better than Skype and Discord or is it just used because of corporate convention?

The corps I've been with use GTM and WebEx for online meetings. It's convenient for sharing your screen with others, especially for a training or tutorial session.

Discord and Skype is more catered for social media; DM, voice chats, video chat, but I don't think it supports screen sharing. Some companies use skype internally to communicate with each other, but when it's a conference call with third-parties, I mainly see GTM or WebEx being used.

(They both support screen sharing)

Seems like these are apps specifically designed for corporate use and I assume they're easy enough to use for the average user to approach. I imagine that this is tied to dedicated IT services and other corporate support that makes them attractive. I'd have to test them to see if they're better. Skype was particularly heavy. I've seen easier, faster and more effective screen-sharing software. I haven't tried Discord's but I read somewhere that it does have this functionality.

Hmmmm. I haven't seen a reason to switch. Is Chromium any better in any respect? It still requires a Google account to sync and things like that, so it's still very dependent on proprietary services.

Posted using Partiko Android

I switched to Chrome a while ago and I really like it. The hardest part wasn't my bookmarks because they synced. It was getting accustomed to things being in different places and behaving in unexpected ways. But now I'm accustomed so everything is fine.

I love that memory in use is better compartmentalised, so if you close a tab, you recover the ram allocated to it. Firefox is much more wasteful with your resources.

Posted using Partiko Android

I used both Chrome and Firefox years ago but can't remember why I stuck with firefox. Thanks for the input. I haven't had a chance to move over yet but it is on my list!

I've always been switching because both are really great! I preferred Firefox a few months ago because it was much lighter than Chrome, but then it started being slower, so I switched to the then-faster Chrome, and now it's the inverse. I don't know. Software is crazy sometimes.

I think that was likely my reasoning too. I remember it was chrome that was faster, then it became mozilla. Now who knows; I don't have the time to surf as I used to before. Definitely crazy softwares!

Hi, I wrote a post a week or so ago on how losing between 0-100% of curation rewards to the pool when you upvote a comment within the 15 minute window is an annoyance if you want to upvote comments in a live comment thread. Very often, I write something and get a reply back almost immediately (or in a time much, much shorter than 15 minutes). I'm big on monetizing engagement. But under the current rules, my upvoting immediately means my rewards go back to the pool instead of my conversation partner. That sucks but is easily remedied with 15 minute or so delay in broadcasting upvotes on a comment. Too often I forget to come back to upvote comments in conversations that I've had. It's also annoying to have to wait and go back to a conversation to upvote. It's even more annoying to effectively lose part of your SP by upvoting immediately.

If websites are to integrate the Steem Keychain in such a way as to have it not only sign transactions but broadcast them on their behalf, I wonder if it would be a good idea to implement an optional 15-minute delay on Steem Keychain?

Wow so immediately upvoting a comment is essentially nothing but a waste of voting power?

Seems like a great UI feature would then be to have a time slider on the upvote menu in addition to the power slider. Therefore, I could upvote at 55% power in 13 minutes.

It's only the curation reward portion that gets burned (max 25% of the vote value if the vote is immediate). The other 75% still goes to the author as intended.

Will we be able to do custom transactions directly from the extension? I want do operations without middlemen. Steem-plus takes 5% mandatory beneficiaries if you launch beneficiaries from their extension. I want to create a more flexible tool but if you're doing it in your extension I can calm down about that.

Posted using Partiko Android

It's a waste of curation rewards. Let's say you exchange comments with someone and upvote each other's comments immediately. Before HF20, neither of you would get curation rewards for the comments because the author (your conversation partner) would get them. Now the curation rewards go back to the pool. Neither you nor your conversation partner get any curation rewards. Easily fixed with no hardfork by delaying the broadcasting of the upvote by 15 minutes, in which case the upvoter gets all the curation rewards.

Seems strange to implement that, dunno why you want people to burn things for voting too early. Is this explained somewhere?

Posted using Partiko Android

Before HF20, many authors would upvote their own posts immediately in order to minimize the curators' cut. Now that curation rewards from early upvoting go back to the pool instead of the author, immediate self-upvoting has become a loss-making strategy.

Posted using Partiko Android

Hmm, I now vote at 12min because most of the votes start coming at 13min. Am I breaking something? 😭

Posted using Partiko Android

You're doing the right thing by frontrunning at 12 min if what you're frontrunning is big.

Posted using Partiko Android

It's my understanding that SteemConnect is just as trustworthy as your keychain. The point of it being a website is that it's accessible across all devices and operating systems. My understanding of SteemConnect is that they never see your private key. They use your key to create a permission token on your device.

The website simply called the Metamask browser extension to sign and broadcast the transactions for it.

And what happens if the contract is meant to steal your money? We can't really vet any of those transactions that pop up for legitimacy. We just trust that they do what the website told us they would do.

When it really comes down to it one has to trust the code. We expect that if the code is malicious a white hat will whistle-blow on it.


I would really love to be corrected about SteemConnect or why this service provides more security. In the link above I concluded that a browser extension would be a great way to provide the illusion of security...

However, why did you make your own product when you could have just extended SteemConnect into a browser extension? It's all open-source.

My understanding of SteemConnect is that they never see your private key. They use your key to create a permission token on your device.

I would really love to be corrected about SteemConnect or why this service provides more security

It is true that SteemConnect never sees your key as it is currently built, but since you are entering your key into a site served by them, they have access to see your key and could see it if, say, someone hacked their server and modified it to do that, or if a malicious site posed as steem connect in a phishing attempt. With the browser extension websites will never get access to your keys in any way, so even if you visit a malicious site or a legitimate site gets hacked, they will never be able to get your keys.

That's the difference. It's not perfect, and it doesn't mean that you don't still need to be careful with your keys and what transactions you sign. But in my opinion it is a significant improvement over SteemConnect when using a browser that supports it (only Chrome and Brave right now but more to come).

As far as extending SteemConnect to an extension, that's not as simple as you have made it sound. They are very different products built to do very different things. I believe it was the right call to build this extension from scratch to do what we wanted it to do rather than try to modify SC to do something it wasn't built for.

Thanks for explaining it to me! It's nice to see someone literally introduce a solution to the problem at the same time that I brought it up... lol. Nice work!

This is a nice idea and good implementation. It's even aesthetically pleasing.

The only thing I worry about with applications like this, is it requires me to trust you (not that I don't). At any time you could release an update and acquire people's keys could you not? You state your issue with that concept with regards to steemconnect etc, and it's a legit gripe. Keeping the keys local, and accessing through the browser is better, but does it really solve the trust issue?

Well if you are concerned about that (which is a legitimate concern) you can always download the extension code from the Github repo and just install it locally rather than getting it from the chrome web store. That is definitely not an option with Steem Connect!

download the extension code from the Github repo and just install it locally

Touche!

Distrust is the building block of society.

Posted using Partiko Android

It certainly inspires progress

Finally publicly released :)
That's an awesome tool guys!

I can see in the source code that the tool is tied to https://api.steemit.com, are you guys planning on adding a way to plug it into the testnets and more generally to the other full nodes? (like metamask, a simple dropdown list)

Ah yes, I totally forgot to add that in the list of future features. Definitely want to allow users to choose the node it connects to. Also want to add support for additional tokens and sidechains which I've heard some awesome developers are working on :-P

Awesome :)

That's great.
Next step would be hardware steem keystores I believe.

A little late to the party, but I really appreciate this tool. Hopefully the other browsers will be supported soon! Relegating folks to Chrome is understandable, but still a bummer.
How about making it a desktop app like Scatter has done? Better yet, get with Nathan James and integrate them somehow?
I've supported @aggroed with my witness since he got started. Thanks for highlighting your work here, as well as @stoodkev. Both of you were just added.
We'd like to use something like this and Scatter for subscription services on @TIMM and @Scripsio. It's easier said than done.

SUBMIT Your password must be at least 8 characters long and include a lowercase letter, an uppercase letter, a digit, and a special character.

Seems like password restriction will make people forget their password unless they write it down.

Thisssssssss, I logged in just to agree. I use passphrases and more memorable passwords! I don't need upper case or special characters when I have a 30 character long passphrase.


Great tool, resteemed :-)

I resteemed your comment 🐼🐼🐼🐼🐼🐼🐼🐼🐼🐼🐼🐼☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️😜😜😜😜😜😜🚷🚫🚸⛔🛄🛅


It's not possible to resteem comments :-)

I mean, for real, a 50000 SP flag because you didn't like my bad joke 😓😓😓😓😓😓😓😓😓


OMGGGG I thought it was obvious I was making a joke. I wouldn't expect anyone to believe that. Such a big vote wasted in vain :(


Flag removed, was a joke :-)

I've been using Metamask for eth for over a year... I'm applauding right now, this is just fantastic... I'm going to download this right now and maybe even write some thoughts on it too... Thank you Matt for busting your butt to make this blockchain a better place .. and thank you Aggy for your contributions


I only use it for an airdrop.


Great work, and great work gets voted for!

How do you do great work to get votes? Can I do work and say it's great in the title and it becomes great?

Nice work, but I would like to use my password. If I have to remember another obscure one, it's a :( for me

Perhaps in future releases?

Google is the Devil

Halp sir, wen firefox?

Ask @stoodkev :-P

When moon


Man this is awesome and very much needed. I hate giving out my password. With all the security leaks across social network sites one can never be too careful.

Thanks for your team's hard work, and it's nice to see some of the profits of steem monsters going back into the steemit/steem ecosystem.

This is what I find so lovely about this. They earn and then make an effort to make the platform grow. Not like others that just line their pockets and isolate themselves in their little moneyhuts.


What you say is so true! I had been using Steem for many months before realising that I shouldn't be using my master key! And I'm quite tech savvy and pretty careful about internet security!
This is a crucial development not just for Steem but for the cryptocosm in general (see George Gilder's Life After Google)
Steem has an excellent key hierarchy of posting, active and master keys but they weren't being used properly by most users.
Please add a Brave plugin ASAP.

It's the fault of the frontends. They promote this behaviour. The focus needs to be changed and they need to forbid master passwords and require active keys.


Minnowbooster.net will support Steem Keychain very soon TM!

Do you represent Minnowbooster?


Yes I do represent Minnowbooster.

Very awesome and useful! Upvoted!!

This is one of these things that you never think about and then don't want to miss it as soon as you start using it. Awesome work!

Exactlyyy, that's how I feel. I didn't know I needed it until I saw this post. So cool.


You've made the Steemit Minute for today! Congrats!

Check out the Video Here: https://steemit.com/news/@reseller/ugj8oggd

Very Great Job. I will be looking forward to it.

I will look forward to it too.

😎💪🏼🙌🏼

Good contribution

I've been using it for a month now, and it's made the experience so much more streamlined and enjoyable. The extra peace of mind is incredible too.
Huge shoutout to the devs on this. Highly recommend.

Can you use this with Steemit already? And Busy?


No, not yet, but I know a lot of dapps will be interested. Peakmonsters and Steemmonsters are the only ones I know of so far.

I have been using keychain for the past couple days and it is awesome

Sir, is it safe to hold Steem in the form of SBD in our steemit accounts?

Very useful project in good design! - Here is a German translation: https://steemit.com/deutsch/@zeitspringer/metamask-fuer-steem-wie-verwalte-ich-meine-steem-wallet

Absolutely brilliant work, again, Matt!


Freakin Sweet dude!! Nice, clean and navigable GUI. Shucks Yeah!
You be steady producing killer tools and utilities.

Thank you for your time.

Well I learned a few things here:

  1. There are apps that connect to STEEM.
  2. There are other sites that connect to STEEM.
  3. There are apps that ask for your private key.

Every day's a school day.

Haha every app is a 3rd party app. Steemit is a 3rd party app. :D
Blockchain isn't easy.

Dope

Matt this is awesome! You all did a terrific job and I love how you identified a problem and found a solution (especially when it comes to making it easier for the less complex people like me)... That is the kind of mind we need to add to all problems here on Steemit, and it's exactly why I vote for you as a witness. You care about our experience and it shows in everything you do!!!

Any chance it can be checked to work with Firefox? In this mobile first era that would be a massive step forward since many people, especially in development nations, don't have a desktop anymore.

Posted using Steeve

Wow, who wouldn't wanna try this out? It's an exciting introduction to the steemjet blockchain to me and I bet that in no time a lot of people would embrace this.

As for the bugs, they should be expected. But from the feedback you would be getting from the users, you will be able to fix them all in no time.

Keep it up boss...

Wow, this is incredible. You may or may not believe this, but I was looking for a better solution for entering keys just yesterday, it's almost like you read my mind! But as you said, it's a common concern for everyone!

I'm not sure if this is possible as I'm not the best at technology lol, but would there be a way to integrate a maximum amount for transfers per day given the key that you entered? I'm not sure if that's something that has to be integrated on the private key level or not, but it would be cool if you could set some sort of limit in case of unwanted use/access.

Thank you for doing this!

For someone who's not the best at technology, you can sure build a team.

haha! Yeah, I've spent hours and hours playing SM and studying the abilities and playing matches to figure that stuff out!!! Thanks ;)

Wow this is nothing short of revolutionary for the blockchain! Hopefully we see integration happen with a lot of sites!

Thanks for posting this. You have received a Preemptive Strike by one of our simulcasters, @johnspalding.


This post will be featured on our next LIVE broadcast. Typically we broadcast on Tuesdays at 9:30pm EST on the @vimm streaming platform. Check it out and come online if you are available.

Amazing, this is just a passage to steem and every other dapp built on it. It is handful and a secure means to hide your passwords from the countless number of websites requesting them.
Thanks to the team on this.
Resteemed!

Excellent. Hardworking for the benefit of the community. Really an excellent group. Thank you all.

Great work yabapmatt and Stoodkev. I'd love to implement this in some way with our DTUBE uploader.

Can't wait for this to come to firefox

Wow, that's amazing, can't wait to use it! =)

Wow great idea, Thank You for sharing this to us!

This sounds fantastic. I will surely install the extension and use it. Am sure it would be pretty secure.


This is awesome! Thanks for adding value to the STEEM blockchain and better security for my money. I will start using this immediately.

This is truly amazing and great step towards better UX. SteemConnect v2 was already much better than SCv1, but your Chrome extension is a whole new dimension!

Thank you!

To listen to the audio version of this article click on the play image.

Brought to you by @tts. If you find it useful please consider upvoting this reply.

This is rad, Matt. Keep up the awesome work!

Do you think they hold our keys on their servers without any encryption? That would actually be kind of sad.

Best Regards,
Mysteor Team

No they absolutely do not keep the keys on their servers at all (or they shouldn't). All operations are signed in the browser, however that does not mean there are no ways that the keys could be stolen if the servers hosting the site were hacked.

You got a 86.17% upvote from @postpromoter courtesy of @steemmonsters!

Want to promote your posts too? Check out the Steem Bot Tracker website for more info. If you would like to support the development of @postpromoter and the bot tracker please vote for @yabapmatt for witness!

It is really risky to share your posting key. Is there any other way, @yabapmatt, to avoid sharing it?

Another day, another fantastic development here. :) This makes life so much easier.

Awesome stuff, love the UI :) @vimm take note!! Colors!

2 thumbs up yaba daba dooooo

@yabapmatt

Wow great job! Keep it up! Do you have plans to develop something like this suitable for mobile devices?


@yabapmatt, really appreciated, and I agree with your point where you said most people are using the Master Key; in my case I also used the Master Key for six months after joining. So safety of keys is vital because we are the managers of our accounts for sure. And now it's great to see that you've put in your efforts and come up with this awesome extension tool called Keychain. I wish that everyone is going to find it productive, and in the tutorial it's really proving what it's meant for. Keep up the great work.

Wishing you a great day and stay blessed. 🙂

Nice job Matt! Good to see it finally go live!

Posted using Partiko iOS

Great tool man! I have had the same exact feelings about having to enter my key into these other tools. Thanks!

What an amazing extension!
I hope that most of the dapps of the Steem blockchain integrate it.

Steem is really lucky to have people like you on board!

:)

What about Firefox browser?

I mentioned in the new features section that we plan to add support for Firefox in the future. Will try to get that done asap!

This is a great tool indeed!

Great tool. Hope it will serve its purpose.

Great work and very highly needed Web Application for Steem. Do you think that this also will work for the Brave Browser?
Please make it also compatible for the Brave Browser that would be amazing!!!

Amazing, was waiting for the day when STEEM would have a browser extension wallet similar to ETH...bravo guys!

Appreciate your work. Thanks for your effort!

Wow this is so amazing. Cos I dread to give out active key or master pass. Gonna look into this more.


Hoping this project to yield good results.

Fantastic!
TIMM wants this.

Are there plans for a desktop app? Work with less invasive browsers?

Finally, someone came up with a solution that is actually a BIG relief! @yabapmatt, You're awesome!

Damn, this is some well needed innovation! Thanx for helping secure things for Steemians!

Your post had been curated by the @buildawhale team and mentioned here:

https://steemit.com/curation/@buildawhale/buildawhale-curation-digest-10-18-18

Keep up the good work and original content, everyone appreciates it!

How would this work with iphone/android apps?

Well done, my friend, definitely a tremendous analysis

This is great! I'm going to work on making my dApp project compatible with this. Way to go. You have reinforced my confidence in you as a witness.

Have you plans to introduce this extension for other browsers?
Opera, Firefox?

This is a fabulous idea! I hope there are plans for the Opera and Firefox browsers, too!

thank you for your hard work in trying to make the experience more convenient and safer for the user 👍 looks great

This could change everything! So glad someone's working on this! I look forward to the progress!
@bitsy :)

Brave browser extension cannot come soon enough

This is a massively useful new tool and shall replace any centralized password manager one might still use to handle Steem keys. Thank you for bringing so much development forward to the Steem blockchain. It is incredible what you guys pull off. Looking forward to your witness update!

I hope that the Brave Browser will include your extension. As it is built on Chrome it should already be entirely compatible and can be hacked into the browser by replacing one of the default extension folders.

wow, really cool. Great job, love it! ;) huge step for steem! :)

Must have extension! Do you have any plan to build the same extension on Firefox? Thank you for your efforts

Very good! The concept is sound and I like the colours :)

This extension will help users in many ways, and for you I believe there will be no issue with the security. How much I work, I know enough that you are 100 percent trustworthy. The only thing is the user should be careful to install the real version, the one you shared here. Thanks

sounds great. I had another method of typing in the private keys, but if it works, this would be perfect.

How long has it been out for?

Well done!
I heard of this extension a few weeks ago but didn’t get to try it out until today.

It works nicely and I’ve already integrated it with @smartvote dApp. It’s currently on our test environment and will be released to https://smartvoteservices.com when ready. It will perform posts, upvotes, delegations and transfers via Steem Keychain when installed and fall back to SteemConnect otherwise. A next step would be to let the user know they can install Steem Keychain for more security.

Thanks for making this Extension for the community

Hi @yabapmatt!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 8.134 which ranks you at #26 across all Steem accounts.
Your rank has not changed in the last three days.

In our last Algorithmic Curation Round, consisting of 329 contributions, your post is ranked at #1. Congratulations!

Evaluation of your UA score:
  • Your follower network is great!
  • The readers appreciate your great work!
  • Great user engagement! You rock!

Feel free to join our @steem-ua Discord server

Great, will this work for Chrome on Mac OS X as well?

Why are you not using @utopian-io if it is Open Source? :)

This has been so needed for so long! We need to make this simple for new users, so they can join steemit and have a safe journey!!
Good job, resteemed!!!

this is so useful. much easier. thanks for this mate.

I need to learn how to make money on here, people. I could start posting a lot more often???

This would be very useful. Ideally I save my passwords into my browsers such as Safari, but I can see why this would be thoroughly useful, because it also acts as a wallet.


Really great work here @yabapmatt. Thank you
