Security/Censorship questions for steemit.com

in #steem · 8 years ago

There are a few questions that I have had lately related to the steemit.com website and its relationship with the actual blockchain and the mining process. Since these questions are related to the security and potential censorship of the community, I feel like they're worth asking and having a nice discussion about.

1. Who operates the steemit.com website?

2. Is the website source code also open, and if so how can we verify that the distributed code is the one that is being used to generate the website?

Since the majority of users will be interacting with the blockchain through steemit.com, how can we verify that the website is legitimate and does not contain malicious code?

3. What are the risks of censorship through the steemit.com website?

The whitepaper briefly mentions that "Individual websites such as steemit.com may censor content on their particular site, but content published on the blockchain is inherently broadcast traffic and mirrors all around the world may continue to make it available." My concern here is that, as far as I know, steemit.com will most likely be the ONLY way that the vast majority of users interact with the network. Thus, although anyone could technically still publish to the blockchain, and advanced users could still see those posts, for all practical purposes steemit.com could still choose to censor certain posts to the majority of users. Is this a legitimate concern? Is there any procedure that periodically checks the posted content on the website against the blockchain?

4. Could our private keys be stolen by steemit.com?

Since, as the whitepaper suggests, there is a risk of censorship on steemit.com, isn't there also a risk that our private keys could be stolen, or improperly stored by the website owners? Clearly the website interacts with our private keys, since they are required for posting, etc. Is there any way we can verify that this is being done securely? Are our stored keys encrypted with our login passwords?

Obviously I'm not implying that there is any funny business going on, these were just a few questions that I had been thinking about lately, and I thought others might like to hear the answers as well.

Best,
Trogdor :)


Good questions. I had wondered about the hacking potential in our wallets. How are our wallets even secure in this website?

I'm new to all this tech too, but I think the answer to that question is that it is secure just because that's the nature (and the beauty?) of what blockchain technology is/does.

In the long term people using Steem/Steem Dollars as a wallet currency are going to have to adopt stronger security practices than just using a web site. That includes things like hardware wallets, 2FA systems, etc.

In the short term the web site is good enough for most people. For those with more value at stake, the command line tools can be used more securely, but require some technical skills.

Could our private keys be stolen by steemit.com?

Yes, of course.

The wallet built into this website, as it is programmed right now, runs entirely on your own computer. Your private keys do not leave your own machine. That's good - it means that if a hacker breaks into the steemit.com website he won't find a database of keys he can steal.

What a hacker can do, though, is replace the wallet software built into the website. He could modify the code so that it automatically sends all your funds to his own account, right after you log in. He could modify the code to change your account keys to his own, locking you out. He could do whatever he wants with your account.

It doesn't take much to do that. A simple XSS injection would be sufficient. I believe there was an injection bug in the early days of the site, but AFAIK no damage was caused.

Is someone working to fix this?
That sounds bad long term.


what about a desktop client?

@dan previously said it would be trivial to make one. @xeroc I believe has created one already.

Great, thanks for the answers. It sounds like a lot of exciting things moving forward.