
Advent of popular third party websites creates an attack vector, make permissioned keys instead (#1384)


Many of the popular third party websites are requesting that people enter their posting keys for their accounts. This means these websites have massive amounts of posting keys stored in possibly unsafe ways. This makes these services great targets for hackers, and a hack of this sort can bring unwanted press and strife to our game. Not to mention that the posting key gives these websites control over features that are outside of the scope that is intended. The user may only be wanting to give permissions for renting, but by handing over their key, they gave the website ALL permissions that can be accessed via the posting key.

It would be a good idea to make permissioned keys solely for splinterlands services that limit the damage that can be done should these keys fall into the wrong hands. I doubt many people even have a good way to change their posting keys.

Instead I propose that, instead of using the posting key, you can assign keys via a customJson command to allow specific functions to be accessed by the game's contracts. For example, you could publish an array of allowed customjson sm_function actions to a specific keyhash, and you can publish a custom json that could allow the revocation of a key.

{"id": "sm_create_permissions", "key": "SOMEKEY"}

{"id": "sm_assign_permissions", "key": "SOMEKEY", "functions": ["sm_market_rent", "sm_update_rental_price"]}

{"id": "sm_revoke_permissions", "key": "SOMEKEY"}

This would make it far easier for users to issue specific functionality and recover from potential hacks, without the need to be messing with changing their hive keys.

a month ago

I don’t speak french but it sounds good.

a month ago

I’d just like to update with a thought of how to accomplish this. So when I did the example of somekey, in this case, that key could be the posting key of the service provider.

The general problem being, unless the HIVE software is updated, a user can’t post the custom json to the network without the posting key.

However, if you use the assign and permission key json system described above, then the service providers could simply use their own posting key, and the game contract just checks to see if the key is assigned the access.

a month ago
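The proposal in the opening post and its follow-up (create a key, assign it a list of allowed sm_* functions, revoke it, and have the game contract check the key before honouring an action signed with a service provider's own posting key) can be sketched as a small permission registry. The code below is an added illustration, not Splinterlands' or Hive's own code: the operation ids and field names are taken from the thread, while the shape of the parsed custom_json (`id`, `required_posting_auths`, `json`), the fixed list of assignable functions, the account name and the key string are assumptions for the example.

```javascript
// Added example (not Splinterlands' or Hive's own code). A toy registry that applies
// the three proposed custom_json operations and answers the contract-side question
// "may this key call this game function on behalf of this account?".

// Assumed: the closed list of game functions a delegated key may ever be granted.
// Anything outside this list is rejected at assignment time, so a stolen delegated
// key can never reach functions the user did not opt into.
const ASSIGNABLE_FUNCTIONS = new Set(["sm_market_rent", "sm_update_rental_price"]);

class PermissionRegistry {
  constructor() {
    // owner account -> Map(delegated key -> Set(allowed function ids))
    this.perms = new Map();
  }

  // `op` is a parsed custom_json operation (assumed shape):
  //   { id, required_posting_auths: [ownerAccount], json: "<string>" | object }
  // The owner is whoever signed the operation; only they can manage their own keys.
  // Returns true if the operation was applied, false if it was rejected.
  apply(op) {
    const owner = op.required_posting_auths && op.required_posting_auths[0];
    if (!owner) return false;
    const body = typeof op.json === "string" ? JSON.parse(op.json) : op.json;
    if (!body || typeof body.key !== "string") return false;
    const keys = this.perms.get(owner) || new Map();

    switch (op.id) {
      case "sm_create_permissions":
        if (keys.has(body.key)) return false; // no silent overwrite of an existing grant
        keys.set(body.key, new Set()); // created with no functions until assigned
        break;
      case "sm_assign_permissions": {
        if (!keys.has(body.key)) return false; // must be created first
        const fns = Array.isArray(body.functions) ? body.functions : [];
        if (fns.some((f) => !ASSIGNABLE_FUNCTIONS.has(f))) return false; // unknown function id
        const granted = keys.get(body.key);
        fns.forEach((f) => granted.add(f));
        break;
      }
      case "sm_revoke_permissions":
        if (!keys.delete(body.key)) return false; // nothing to revoke
        break;
      default:
        return false; // not a permission operation
    }
    this.perms.set(owner, keys);
    return true;
  }

  // The check a game contract would run before honouring an action on `owner`'s
  // account that was signed with `key` (e.g. a service provider's own posting key).
  isAuthorized(owner, key, fn) {
    const keys = this.perms.get(owner);
    if (!keys || !keys.has(key)) return false;
    return keys.get(key).has(fn);
  }
}

// Walk through the lifecycle with constructed sample operations and return the
// observed decisions so they can be inspected or asserted on.
function demo() {
  const reg = new PermissionRegistry();
  // Constructed sample: "alice" is the user, "STM_SERVICE_KEY" stands in for the
  // service provider's public key.
  const op = (id, json) => ({
    id,
    required_posting_auths: ["alice"],
    json: JSON.stringify(json),
  });

  const created = reg.apply(op("sm_create_permissions", { key: "STM_SERVICE_KEY" }));
  const assigned = reg.apply(
    op("sm_assign_permissions", { key: "STM_SERVICE_KEY", functions: ["sm_market_rent"] })
  );
  const rejectedUnknown = reg.apply(
    op("sm_assign_permissions", { key: "STM_SERVICE_KEY", functions: ["not_a_game_function"] })
  );
  const rentOk = reg.isAuthorized("alice", "STM_SERVICE_KEY", "sm_market_rent");
  const priceOk = reg.isAuthorized("alice", "STM_SERVICE_KEY", "sm_update_rental_price");
  const otherAccount = reg.isAuthorized("bob", "STM_SERVICE_KEY", "sm_market_rent");
  const revoked = reg.apply(op("sm_revoke_permissions", { key: "STM_SERVICE_KEY" }));
  const afterRevoke = reg.isAuthorized("alice", "STM_SERVICE_KEY", "sm_market_rent");

  return { created, assigned, rejectedUnknown, rentOk, priceOk, otherAccount, revoked, afterRevoke };
}

console.log(demo());
```

The two design points worth keeping from the thread are visible in the checks: a grant is scoped to a single account and a single key, so a provider's key being exposed only affects the functions each user explicitly assigned, and revocation is one custom_json from the user rather than a Hive key rotation.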

Many of the popular third party websites are requesting that people enter their posting keys for their accounts

What websites require posting keys rather than integrating with Hive keychain?

16 days ago