I must say that this entry disappoints me.
I've been using StellarTerm for two years for checking prices against XLM, and I've been hoping for delegated signing to be implemented for a while. Yet, on this matter, StellarTerm seems to do everything the wrong way.
We appreciate the honest feedback and I understand that using the software for a long time may create a strong emotional connection to it.
But still it is surprising to see this kind of response for the presented roadmap - it's not that revolutionary after all.
Our goal is to continue improving StellarTerm, one step at a time. And most of our users think we are doing a decent job.
We are always open to hear the ideas for new features for StellarTerm, we receive a significant portion of them from users.
They typically do this through issues on Github or just email at email@example.com. Feel free to suggest new things as they come to mind - no need to wait!
I have to say, support for delegated signing has not been on the top of the list.
We understand that it may be useful for some cases, but there are only so many things we can work on at the same time!
So it might be a while until this fully lands in StellarTerm, unfortunately.
However, we do have something already. StellarTerm had the support for Ledger for a while, and we are planning to add more hardware wallet integrations soon.
We are proud to be the only non-official product that is being recommended by Ledger itself:
(Quite an achievement for a project with a broken security model...)
However, for most of our users, StellarTerm is the place where they want to make their trades, payments and sign transactions.
To be clear, we believe that more often our users would want to have some of their transaction requests made by external services handled by StellarTerm, rather than vice versa.
That's why we offer to register StellarTerm as a handler for SEP-0007, and this is completely optional for our users.
To address your point about security of pasting private keys on the website:
- StellarTerm has the secret phrase which protects our users from entering private keys on fake websites.
- We promote multi-signature as much as we can, and StellarTerm has the leading multi-signature support for Stellar. With the multi-signature enabled, leaking your master private key will cause only a mild inconvenience, as you'll need to create a new wallet and move your funds there to restore the high security level.
- StellarTerm comes with a desktop version, which is rather popular for our users. It provides an additional level of security, as the code is not downloaded over internet each time.
So, I would argue that StellarTerm provides at least the same level of security as other popular online services which ask for a secret key (Stellar Account Viewer, Stellar Laboratory, MyEtherWallet, etc).
Also going forward, I would prefer this conversation to be more professional, and tone down on the emotions - I'm hoping for your co-operation on it! Our content person was a bit confused to be called dude 🤷♀️btw.
Finally, not doubting your skill level, but would love to see those 3 lines that read the clipboard content.
I'm assuming you mean you can do this in the modern browser environment, without any interaction of the user?
Maybe even while user is doing something entirely different in the system (like working in a MS Word)?
That sounds very dangerous, the last time I checked it was not possible:
So, please - I'm hoping to see you back in this thread. That would be a learning experience for many readers. Who knows, we might even have to escalate this to the teams working on the browser security, because it contradicts the official documentation!