You are viewing a single comment's thread from:

RE: HiveSigner is INSECURE? - discussion and deep dive

in HiveDevs11 days ago

I remember hearing talk about making it that at the blockchain level hive nodes will reject transactions that use of keys far above the permissions required. like using owner to sign active key transactions, I'm not sure if it's already in effect though.

One reason HiveSigner asks for the master password is it is a quick way to import all keys since all keys are derived from said password but still I wouldnt even do that. I'd rather take the time to import each one.

Now here's a question.. How does one clear your keys from your local storage if you previously used hivesigner?

Since I hardly use it I'd prefur to not have my keys sitting there potentially insecure.

I'm a Hive Witness supporting the blockchain, please consider voting for me. - find out more here!

11 days ago in HiveDevs by
100%
    -100%

      Downvoting a post can decrease pending rewards and make it less visible. Common reasons:

      • Disagreement on rewards
      • Fraud or plagiarism
      • Hate speech or trolling
      • Miscategorized content or spam

      Submit
      0.00 ARCHON
        5 votes
        Reply 3
        Sort:  
      • Trending
        • [-]
         11 days ago 

        So I can go to manage site data in this browser, and it allows me to delete it.

        The one thing I didn't test is, if I "save and encrypt", can I still clear it from my local cache? If not, where does it "go"?

        image.png

        100%
          -100%

            Downvoting a post can decrease pending rewards and make it less visible. Common reasons:

            • Disagreement on rewards
            • Fraud or plagiarism
            • Hate speech or trolling
            • Miscategorized content or spam

            Submit
            0.00 ARCHON
              1 vote
              Reply
              [-]
               11 days ago 

              I've noticed something, when not logged into hivesigner, the keys are not in local storage, I assume they are elsewhere encrypted with the password you set up on hivesigner. It's only if you are logged in to hivesigner are they exposed.

              So as long as you haven't logged in on a compromised device or browser you 'should' be fine. But this does beg the question I think all extensions can access local storage data if enabled so there is also potential for malicious action there too.

              I generally have my browser extensions restricted to certain sites so I'm fine there.

              There also is no way to actually sign out of hive-signer except by probably closing the complete browser.

              Donno if the local storage is ever accessible besides the site being open in a tab.

              You can actually remove accounts from hivesigner via hivesigner which is the best way to go about it I think.

              I'm a Hive Witness supporting the blockchain, please consider voting for me. - find out more here!

              100%
                -100%

                  Downvoting a post can decrease pending rewards and make it less visible. Common reasons:

                  • Disagreement on rewards
                  • Fraud or plagiarism
                  • Hate speech or trolling
                  • Miscategorized content or spam

                  Submit
                  0.00 ARCHON
                    8 votes
                    Reply
                    [-]
                     11 days ago 

                    Fantastic followup investigation!

                    100%
                      -100%

                        Downvoting a post can decrease pending rewards and make it less visible. Common reasons:

                        • Disagreement on rewards
                        • Fraud or plagiarism
                        • Hate speech or trolling
                        • Miscategorized content or spam

                        Submit
                        0.00 ARCHON
                          Reply