Refresh our memory on what we learned in 2017/2018, which ultimately led to us removing that "feature" from our web platform (redd.it/8wenmw) and starting an effort to get other projs to remove this antipattern.
Tweet thread will be for DeSo but other projs take note
First, let's start with what DeSo is and isn't, so we can describe its potential scope to users.
DeSo itself is an L1 blockchain; however, it offers an identity solution on its subdomain with a public code lib that apps can use to help user onboarding
The social implications are worse as it is teaching people to type their secrets into a website for authentication, smth that bad actors will capitalise on (and they still do from when the tech was still new and this pattern was "normal" in 2016..2018)
Users will become accustomed to "oh it's fine with DeSo, so I'll do it here" and it will create a very bad, expensive habit for your end-users.
Your persistent locally stored data will be safe with DeSo, until it isn't.
Asking for raw secrets on a website is not needed, especially with the tech/packages we have today
Web3Modal (@pedrouid) has a lot of out-of-the-box providers to allow for external trusted, battle-tested key management solutions to be implemented into an app
DeSo is not the only project that has done this, but they do seem to be the only project that is doubling down on their antipattern of allowing raw secrets on the web
For example, Kyber removed this feature when the community pointed out it was a bad idea
I urge the community to shine the spotlight on any and every project that allows this antipattern - we aren't doing anyone any favours enabling this type of convenience to end users.
@nadertheory I am more than happy to give you data to help you change your mind on this stance
hehe 😇 it all makes sense now
DeSo = ✨ Don't Ever Sign On ✨