Have you heard of streemian.com?
I did a live dive last night, in a crowded chat room, examining streemian.com's personal authentication mechanism and the personal-data privacy and security code used when creating a new account there and linking it to steemit.com, and good news!
It's all good.
However, some people still have questions and concerns about sharing their private active key or steemit password there.
And that's completely understandable.
So I checked it out.
Recently in chat, some of my fellow chatters were very interested in streemian.com's services but were also expressing concerns about the safety of signing up at this third-party site using their steemit.com private active key or their steemit.com password, the only two options available to create an account at streemian.com.
Somebody needs to look into this, the chatters decided.
After I came to understand their concerns, I decided to check into this for myself. I promptly headed off to github.com, an online "repository" where open source programmers and systems developers share code for open source software projects, including pieces of steemit.com and other sites you use and rely on to get routine things done.
By way of qualification, I happen to have about 30 years of programming experience in my career background, and I am just a newly registered account user on streemian.com. I am not one of the people who build and maintain it. This is just me being curious along with some other people.
So I decided to take a look at the source code for the user authentication portion of streemian.com's JavaScript code, as well as the source code for steemit.com's publicly available JavaScript API client, and determine the following:
- How streemian.com uses your personal account keys and login information, and how it communicates with steemit.com on your behalf without putting you at risk
- Whether your private information is stored or retained at all, anywhere in the process
- How your data is protected from theft from inside and outside streemian.com
- Any advanced options to avoid exposing your keys, for extra-tight security
"JavaScript" code is program code that runs on your local computer or smart device and exists only in the browser you have chosen to use, lasting only until you refresh or move away from the current page containing it.
The very first good thing to note is that I could see ALL of the necessary code to log in and create an account on streemian.com.
The next thing that's important here, and once again all good, is that the code is all 100% plain JavaScript, so all the code that runs while handling personal information was available right in front of me, and is available to you and to anyone on earth at any time. Nothing was "hidden" on the server or elsewhere that I could not see and read for myself in the repository copy of the code.
I read every line of code in the fairly compact and concisely programmed little block of software used in this process and followed every logical decision juncture in the code to every logical conclusion.
Effectively I read and worked out every line of code in the stuff that would run on the account creation dashboard when you are using your personal information.
The way I did all this is a combined process of wisdom, experience, magic, coffee and cold pizza. Fueled by questions from the crowd in the chat room discussing the topic, I covered every angle and went down every avenue.
I could elaborate for quite a while on the actual technical mumbo jumbo, and if anyone wants more specifics, ask me your questions in the comments below.
In the meantime, here is how this inspection went down live.
Live, impromptu, publicly participated streemian security code inspection chat log
(slightly modified for easier re-readability)
[2:20 AM] sircork: the login creds are encrypted in a proprietary steemit way right in your browser with js via https://github.com/svk31/steemjs-lib over on GitHub.com as svk31/steemjs-lib so....
[2:20 AM] interested listener 2: that sounds good
[2:21 AM] sircork: it literally makes a string of gibberish locally that steemit can speak and confirms it via a simple RPC call
[2:21 AM] interested listener 2: so it's passing the login creds straight to the steemit JS file without sending it anywhere else
[2:21 AM] sircork: by way of reference, wordpress for example, uses this same concept to allow blogging from say, other apps and sites yeah and all this is local to joe-user's personal computer and totally safe
[2:22 AM] interested listener 2: ok with the API. thank you for checking out the code
[2:22 AM] sircork: in fact, it's simple as pie, and very common to generate safe keys this way
[2:22 AM] interested listener 2: You should write what you just did in the responses to that old Streemian post. you are doing very well
[2:23 AM] sircork: y'all want an example of how it works in layman's terms?
[2:24 AM] interested listener 1: Excuse me @sircork, just to be picky, but this just verifies the github version no? so if I say download it, but if I use the webform is it certain it will be the same code used there? excuse my lack of technical insight
[2:25 AM] sircork: you are correct. if you download the lib I linked and the source from the site, together, you could run this on any machine with a browser but you'd have to do some path configuring to the files and whatnot in the index file of the app and here is how it works... let's say a guy named joe and I are the server and browser and we both speak joe-sircork - a special language (the encryption method) so then you come along and tell me - right in the browser - your private active key locally, so far it's typed in and any javascript will handle it on your local computer only but... it will talk to streemian.com and NOT give your personal details to joe or save them but still identify you safely and securely to joe and confirm your steemit account at the same time. How? Well, via your local javascript code on your own computer in your browser which first talks only to steemit.com to check your login, same as every time you come to steemit, but in the background, and gets back a yes or no. Then your browser turns the yes it got from steemit.com into an encrypted string of joe-sircork text thus turning my private data into the secret joe-sircork language that only both joe and I know how to decipher AND joe and steemit know how to speak the deciphered contents as well and we all know this is a NEWLY generated key provided by steemit.com which is not shown in your account info but which is called a public RPC key and we use that from here on out. Your private stuff is never saved, never sent anywhere but steemit.com for one quick yes/no check and from then on, a new encrypted string containing your RPC key is used for streemian.com. RPC, by the way, means Remote Procedure Call and it uses a secret key like a password in this context. Wordpress does this to allow you to control your blog from other tools for example. Or to use desktop based apps that can talk to it in a safe way.
This is not all entirely exactly accurate and programmers will beat me up for that but it's basically how it goes enough to explain it in layman's terms that way.
[2:27 AM] interested listener 1: makes sense
[2:27 AM] sircork: your key is turned into this garbage and sent to joe over an https secure connection and he decodes it with his captain marvel mishmash piglatin decoder and works with steemit using its contents, which are NOT your private steemit info, but a newly salted rpc key made when you get your streemian account JUST for streemian's use on your behalf as I understand it so far. and then he checks in steemit (at steemit direct and only there). He says, yep that's the word and sends back an Ack or Fail so over the wire goes gibberish and only yes or no comes back once that is done the streemian site lets you in and never saves anything
[2:27 AM] interested listener 3: That's all fine, but how can I know for certain the website uses the same code? that they don't have some extra code just there to capture the key? I don't really want to run it locally, just to be able to trust that the web version is actually the same code you just read on github
[2:28 AM] interested listener 2: you could download the source code inside your browser and compare it to github code
[2:29 AM] sircork: ok, the way you can check the site vs local version is open the browser to the page we are talking about checking using chrome or FF, go to dev tools and find the hrefs to the js it calls and click them, that will open the code in your browser and it's undeniable. It can't be NOT the real code and you can compare side by side with the downloaded copy and given that's possible it's really not even worth bothering to do it. It's "already known" it cannot be any other way if you see what I mean
[2:31 AM] interested listener 2: Got u
[2:31 AM] interested listener 3: Thanks
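One way to do the check interested listener 2 and sircork describe above (compare the scripts the live page actually serves against the repository copy, byte for byte), as an added example that is not part of the original post and not streemian's own code. The page URL, HTML, script bodies and "repository" files are constructed stand-ins, and `fetch` is a hypothetical callable standing in for a real HTTP download; this goes slightly beyond the chat by handling scripts the repository has no copy of.

```python
import hashlib
import re
from urllib.parse import urljoin

# Constructed sample inputs (placeholders, not streemian's real URLs or files).
SAMPLE_PAGE_URL = "https://example.invalid/login"
SAMPLE_HTML = """<html><head>
<script src="/js/steemjs-lib.min.js"></script>
<script src="https://cdn.example.invalid/app.js"></script>
<script src="/js/tracker.js"></script>
</head><body>login form here</body></html>"""
# Bytes the site would return for each script (what a browser/dev tools sees).
SERVED = {
    "https://example.invalid/js/steemjs-lib.min.js": b"/* build 1 */ function login(){}",
    "https://cdn.example.invalid/app.js": b"function app(){ sendKey(); }",
    "https://example.invalid/js/tracker.js": b"function track(){}",
}
# Constructed "repository" copies, as if checked out from GitHub.
REPO = {
    "steemjs-lib.min.js": b"/* build 1 */ function login(){}",
    "app.js": b"function app(){}",
}

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.I)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def script_urls(page_url: str, html: str) -> list:
    """Absolute URL of every external <script src=...> the page loads."""
    return [urljoin(page_url, src) for src in SCRIPT_SRC.findall(html)]


def compare_scripts(page_url: str, html: str, fetch, repo: dict) -> dict:
    """Map each served script URL to 'match', 'MISMATCH' or 'no repository copy'.

    fetch(url) -> bytes is a hypothetical downloader; repo maps file name -> bytes.
    Comparing SHA-256 digests is equivalent to comparing the full file contents.
    """
    results = {}
    for url in script_urls(page_url, html):
        name = url.rsplit("/", 1)[-1]
        ref = repo.get(name)
        if ref is None:
            results[url] = "no repository copy"   # a script the audited repo never had
        elif sha256_hex(fetch(url)) == sha256_hex(ref):
            results[url] = "match"
        else:
            results[url] = "MISMATCH"             # served code differs from what was read
    return results
```

A match only covers the bytes served to you on that load and against that build; compare a minified file with the same minified build, not the unminified source, and re-run the check when the site deploys new code.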
After this chat occurred, I noticed that during it, one of the participants suggested I blog this content.
That led to someone recommending by PM that I include some of the tags and project images to help users identify what I'm referring to in this article in general, as something they have seen around steemit already and should check out for themselves as well!
Streemian.com offers useful services to steemit users including post scheduling and other handy offerings. The PAL Minnow Support Project operates as a sort of community and club for new steemit users known as minnows and comes with many benefits to membership for our newer steemit community friends.
So I agreed to do so. I did all this research out of my own personal curiosity and was not influenced by anyone beforehand. In full disclosure, since doing this, I joined the #MinnowSupportProject member community and I am now a member of the Minnow Support Project club as a full-blown newbie minnow, with no other connection to the code I audited herein except professional admiration for a job well done by people who did it for the community, by the community and with only the steemit community in mind.
You can learn more about streemian.com and the P.A.L. Minnow Support Project via the following link and tags:
P.A.L. Minnow Support Project
#minnowsupportproject #minnowsupport
Come join P.A.L. in the discord chat app. Just do a global search at steemit.com for either the #minnowsupport or #minnowsupportproject posting tags to find the latest information and P.A.L. discord channel invite codes.
I hope you found all of this helpful and informative.
Feel free to post any questions, comments, concerns, additional details, or content corrections in the comments below! :D
And with that, this post is finished.
Full steem ahead, steemitizens!
@sircork
PS: Thanks to @NicNas for being the participant who nudged me into finally getting this post put together and published.
PPS: I hate to put him on the spot, unannounced, but I've been told that @xeroc is the steemit user who can best answer more detailed questions about this system