HiveSigner is INSECURE? - discussion and deep dive
hive-139531·@ecoinstant·
12.191 HBDHiveSigner is INSECURE? - discussion and deep dive
There was some discussion about HiveSigner, and someone said it was "secure". I think its QUITE INSECURE, and I said as much. I got some pushback, which motivated me to make this post - by the way, this is how discussions happen. We can all (probably) agree that discussions are good, so we shouldn't feel bad about disagreeing. The basic argument is, people who are not quite sure how it works, think its secure, and are sure that anyone saying its not, is spreading disinformation. Like this comment from @tibfox this morning:  Notice the use of "as far as I know". I am spreading disinformation, because "as far as someone knows", HiveSigner is fine, it must be fine, we are pretty sure its fine, because its still around, and if it wasn't fine, someone would say something. Except whenever someone says something, we are just assured that "as far as I know", its secure and safe and wonderful. ## Trust me bro The words "secure", "safe", "valid" - they are adjectives. Technically, they don't mean much, and it might be the case that one part of an app is totally "safe", and another part completely "dangerous". We should probably define our terms, talk about the reality, go through the app - and talk about it. That is what I plan to do today. To go through all the UNSAFE, INSECURE and INVALID parts of HiveSigner that I clearly see - on my screen, right in front of my face, every time I have the displeasure of finding myself interacting with HiveSigner. These things could be fixed, and that would make HiveSigner MORE secure, more safe, and more valid. So come along with me to "hive.vote", and once we get there - hit "login" and we are taken to this page.  For security, I have created a new account using our new [account creation tool](https://rc.thecrazygm.com/claim-account), which one of these days I will get around to announcing - I like it because I get to pick my master password, which is fun.  Now let's go ahead and use our memo key, some might say this is the least worrisome, or "most secure" key, and it is clearly *recommended* by HiveSigner - and see what happens.  It doesn't like the memo key - now it tells me I should use the *master password* or AT LEAST the posting key, whatever that means. Very safe and secure, the instructions have changed half way through. Okay, well, let's try that posting key then. According to the page we are using, HiveSigner just wants to "see our current account username". Super safe and secure experience for users.  So we go back to our txt file and copy the private posting key, put it in and we do get to log in to hive.vote. I tested the owner key, it actually does work to log in, as well as the master password. They work to log in with! Just the memo key is a lie, on this page. So now we are into hive.vote - the only autovoter left in our ecosystem, and we have this wonderful message:  Very cryptic stuff, but this article is not about how hive.vote is garbage, but we must once again use hivesigner to add "posting authority". Now you can do that here https://thecrazygm.com/hivetools/account/authority, if you have Keychain browser extension or Keychain Mobile App, but assuming we don't have that, let's try to use HiveSigner again. The trick is here, that changing authorities, even posting authorities, is an active key transaction. Let's see what HiveSigner says:  This was actually a pleasant surprise to me, I believe this has been updated since the last time I raged against this app, but it correctly informs us that we will be required to put in our active key (since we have only logged in with posting key). While playing around, I also confirmed that if you log in with owner key or master password (probably active key too), it will just let you click authorize. We can assume that these things are "just" stored in our browser cache, since I was able to delete them (which by the way is NOT a secure place to put keys unencrypted, anyone remember the recent Leo fiasco with browser stored keys?), but its also not really a great idea to assume things about key management either. So now I hit continue and get....  Hmmmm, this is not quite expected, a little unclear, but I guess we need to "Add another account"?  ## Welcome back! And we are back to our good old friend, the "add any key to get scolded" page. Sure, we were told that we would need "at least" the active key (by the way, I don't think four different keys are necessarily in an order, or if there is an order, its somewhat subjective), but once again we are being recommended options including MEMO KEY (which never works for anything) and Posting Key - which we already know is "not enough", and won't work. So for fun I added my Owner Key, and we are taken back to the option to authorize the app.  Once we click authorize, we are quickly flashed a screen that explains we have given posting auth to 'steemauto', and redirected back to Hive.Vote. I was a little surprised that I could sign authority operations with owner key, but I guess it is possible, so I am learning something today. After all, its THE FIRST recommendation of HiveSigner (but at least it works, unlike many of its other front page instructions). ## What's in the browser?  So by navigating around in my Opera GX browser, and learning a few things along the way, I was able to find my private Owner key in the Local Browser storage. I am actually not sure how secure this is, so I just asked google, here is what google says:  ## Tell me I am a crazy disinformation spreader, but suddenly I don't feel like "trust me bro" "as far as I recall its secure" is a good enough answer; I don't feel safe or secure - in fact, people also ask:  ## @good-karma? I want to be clear, I like (and "trust") @good-karma, who (as far as I know), is in charge of making sure HiveSigner keeps working, as a legacy piece of software. And he has done that. I don't think he is phishing keys or in any way would host or build something that would actually BE an attack vector. But that doesn't mean that this piece of software he inherited is GOOD, or safe, or secure or valid. HiveSigner - in my humble opinion - is not only confusing and uncomfortable, based on my deep dive today - seems literally INSECURE, and UNSAFE. Please stop insisting that it is safe and secure because someone told you it was. And since I did reveal them here, I guess I will go ahead and change my keys now, using our amazing, and actually safe and secure, [best key changer for HIVE](https://keys.thecrazygm.com).  Go ahead and let me know what you think, in the comments below. ## Freedom and Friendship
👍 condigital, dbooster, tronsformer, zuun.net, stortebeker, moeenali, sshappydayz, smartvote, torran, neoxianvoter, roleerob, bala41288, joeyarnoldvn, yameen, pakx, d-zero, eii, michael561, balaz, doze, kanibot, kamaleshwar, chandra.shekar, kannannv, mary.janikowski, emsenn0, pof.pimp, pimp.curator, vipservice, omra-sky, johndoer123, artsygoddess, canna-collective, bala-ag, bilpcoin.pay, stoodkev, cedricguillas, stoodmonsters, mimi.ruby, zeusflatsak, ganjafarmer, enginewitty, aequi, eds-vote, ifhy, definethedollar, steembasicincome, improv, stonergirls, elderson, greenunion, teampdx, teamoregon, ganjafarmers, zydane, vaporrhino, martial.media, woodathegsd, boeltermc, caelum1infernum, ganjafrmer, sbi2, aagabriel, solairitas, bala-leo, penguinpablo, rumplestiltskin, katrina-ariel, monchhichi23, lunamoon, khaldeesi, freyamber, allied-mafia, christmasclub, birthdaywishes, wittys.angels, wittysangels, bellelynn, b34w0lf, timmy-turnip, willendorfia, karina.yana, strangedad, steemitcomics, anomallies, cryptonized, psyborg, antdroid, hazem91, sbi3, steemforschool, steemforschools, angeltree, angiel, sassafrass, swearingradio, coolguy123, jilt, ifarmgirl, noctury, sbi4, wenchebakken, mythix, mythix.market, mythix.token, stinawog, anikys3reasure, awesomegames007, piestrikesback, buildingpies, dachcolony, sbi-tokens, qwertm, tub3r0, eolianpariah2, briefmarken, alexicp, sbi5, shauner, adulruna, funnyman, onepercentbetter, sbi6, synergized, hungrybear, solairibot, mmoonn, sbi7, ifarmgirl-leo, noloafing, matschi, dreimaldad, urtrailer, sneakyninja, netzisde, bububoomt, sbi8, blue.rabbit, dannewton, deggial, sbi9, jacuzzi, hive-189742, curatorcat.pal, dr-animation, sbi10, jlsplatts, foodfightfriday, kuku-splatts, splatts, w-splatts, xchng, killerwhale, x40l1n, newigennity, w1tty, nism, thetradecenter, blemish, sidekicker2, hoosie, weirdheadaches, tokengesture, steem-holder, thesummoner, r-e-d, lord-of-the-d, steemforsteem, toonuts, twonuts, letlove, itwasme, theblooded, blooded, theclan, youdo, bi0digital, earthsea, tokencav, gamer00, pixelfan, neoxvoter, silvergoldbotty, chain.games, publicview, dr460n3y3, vetfunding, dantrin, dab-vote, sports.power.bot, avataroflife, diannever, jozefkrichards, steinz, willkomo, spinvest, eddie-earner, dailydab, spi-store, kiemis, underground, samsemilia7, darklands, votebebi.skull, djccdigital, roswelborges, happyskull, alto96, clubvote, snook, mengao, coltdelegation, mes, kissi, idig, aafeng, build-it, oredebby, letalis-laetitia, anonymousman1, osomar357, marsupia, viking-ventures, ryosai, vocup.pob, powpow420, ana-maria, vocup, melibee, tuisada, cryptodom151, karla129, bajadera, jorgebgt, marpasifico, vicky-o, rosauradels, bntcamelo, dalz, freebornsociety, piotrgrafik, kittykate, legionsupport, wearelegion, stickupcurator, onezetty, shanibeer, blocktunes, blackmiuria, ladyaryastark, pardinus, olympicdragon, hispapro, eonwarped, elisonr13, ubikalo, reciclajeymas, larryparra, abgrobert5, arzkyu97, petrarodriguez, racarjoal, abneagro, javikun, carmenm20, evagavilan2, jesuspsoto, apeboy, alvarezjessica, hexagono6, caribayarte, yeidelyt, ele.art, brujita18, iegg, not-here, alan8a, gercripto, blesker, flywithmarlin, edgarlopz241, mariiestefania, cumanadigital, verdeayer, luisanab, suisver, cjrcast, marcospioficial, enfocate, risckylu, jordangerder, maryelin, zulfrontado, saravm82, jennyzer, graciadegenios, georgelys, lqch, lespecial17, issymarie2, krrizjos18, yenmendt, beysyd, ferbu, fabianar25, mairimgo23, franvenezuela, mcookies, susurrodmisterio, crisch23, yennysferm71, ricardoeloy, universodaniel, eollarvesm, hispaliterario, fotlala, kathajimenezr, edgardsaxo, lisbet, torre-alba, isagutierrez, almadepoeta, guarenases, cfreitez, manuelmusic, marijo-rm, yonnathang, edfer18, enyusael, hiversbqto, liberius-1, ruthmarquez, zackygamer, yunesyunesarte, luisestaba23, gerardosahagun, capp, dstampede, nathanpieters, juanmanuellopez1, belkisa758, janettyanez, esthersanchez, victartex, lycan1703, miguelstar, foxlatam, ichheilee, dd1100, jerusa777, tsnaks, novacadian, cryptoniusrex, pravesh0, rc-assist, gaurav.art, bemier, fun.pravesh0, logen9f, eforucom, antisocialist, yayogerardo, jesustiano, likedeeler, shahzaibad, holoz0r, tydynrain, seki1, artlover, shmoogleosukami, waffleuncle, imoogin3v3rm0r3, imoog1en3v3rm0r3, sopel, fjworld, borislavzlatanov, hive-134220, techcoderx, onelovedtube, silasvogt, gaborockstar, bishoppeter1, happymichael, originalmrspice, mrchef111, darkfuseion, gisi, illuminationst8, joeytechtalks, brettblue, toddmck, melor9, icepee, dlike, cowboysblog, iamangierose, zeruxanime, reyn-is-chillin, techstyle, aletoalonewolf, gabbyg86, humanearl, bigbos99, iamleicester, neeqi, sku77-poprocks, crowbarmama, brainpod, smacommunity, st3llar, adventuroussoul, jeronimorubio, raoufwilly, shermanedwards, gray00, amymya, openmind3000, tonysayers33, aperterikk, tecnotronics, anderssinho, miosha,