
Keybase: Some people state that they will never use Keybase since everybody is forced to upload their private, secret GPG keys. This is a myth …

Since 2015, Keybase solely relies on per-device NaCl keys:

keybase.io/blog/keybase-new-ke

NaCl was created by cryptologist Bernstein, who is also known for Curve25519:

nacl.cr.yp.to/

You don't need to upload any secret GPG keys. You can even use Keybase without uploading any GPG key.

@infosechandbook
The real reason is that it's a proprietary, centralised source of trust.

@cathal @infosechandbook The _real_ real reason is that keybase is an excellent intelligence source and you shouldn't have to give up privacy for security: github.com/kpcyrd/sn0int/blob/ #infosec #osint

@sn0int @cathal

The whole point of Keybase proofs is to cryptographically link _already public_ information. Keybase isn't the "leak" in this scenario, and the links are there on purpose.

Besides, tools like theHarvester allow you to extract the same info from "traditional" GPG key servers where you can't delete your keys, and others can upload fake keys.

Moreover, you can perfectly well use Keybase without uploading any GPG keys or linking accounts.

@infosechandbook @cathal

#sn0int (which is somewhat similar to theHarvester but has some more advanced features) uses PGP keyservers as well, but since HKP is just an awful search engine over unverified RFC 4880 packets, we're getting very mixed results (as you pointed out).

The point is that keybase is pushing the web of trust agenda (which is inherently anti-privacy) in the name of security. The results are false-positive free by design and proofs are searchable in both directions. (1/2)
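Both the "others can upload fake keys" remark above and the "unverified RFC 4880 packets" remark here come down to the same thing: a keyserver hands back a sequence of OpenPGP packets, and a User ID packet is just a string that anyone can append to a key. Only a self-signature (a signature packet following the User ID) binds that identity to the key. The following walker is an added example, not code from the thread, sn0int or Keybase; it frames packets per RFC 4880 section 4.2 and flags User IDs that are not even followed by a signature packet. The sample bytes are constructed in the block and the key and signature bodies are placeholders; the walker checks the presence of a signature, not its validity, which needs a full OpenPGP implementation.

```python
"""Minimal RFC 4880 packet walker (added example, not from the thread).

Shows why raw HKP keyserver output counts as 'unverified': a User ID packet
is an arbitrary string, and only a self-signature binds it to the key.
This walker checks only that a signature packet *follows* each User ID;
cryptographic verification is out of scope and needs a real OpenPGP library.
"""

TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {i}")
        i += 1
        if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported in this example")
        else:  # old-format header (RFC 4880 section 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = {0: 1, 1: 2, 2: 4}[ltype]
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def unsigned_user_ids(data: bytes):
    """Return User ID strings that are not immediately followed by a signature packet."""
    packets = list(parse_packets(data))
    flagged = []
    for idx, (tag, body) in enumerate(packets):
        if tag != 13:
            continue
        next_tag = packets[idx + 1][0] if idx + 1 < len(packets) else None
        if next_tag != 2:
            flagged.append(body.decode("utf-8", "replace"))
    return flagged


def old_packet(tag: int, body: bytes) -> bytes:
    """Encode an old-format packet with a one-octet length (body < 256 bytes)."""
    assert len(body) < 256
    return bytes([0x80 | (tag << 2) | 0, len(body)]) + body


def new_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet with a one-octet length (body < 192 bytes)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed sample (placeholder bodies, not real key material): a key,
# a User ID with a following signature packet, and a second User ID that
# someone appended without any signature, as an unverified keyserver
# upload would look.
SAMPLE = (
    old_packet(6, b"\x04" + b"\x00" * 20)                 # placeholder key body
    + old_packet(13, b"Alice <alice@example.com>")
    + new_packet(2, b"\x04\x13" + b"\x00" * 6)            # placeholder self-sig body
    + new_packet(13, b"Alice <alice@bogus.example>")      # no signature follows
)

if __name__ == "__main__":
    for tag, body in parse_packets(SAMPLE):
        print(TAG_NAMES.get(tag, f"tag-{tag}"), len(body))
    print("unsigned user IDs:", unsigned_user_ids(SAMPLE))
```

Run as a script it lists the four packets and reports the unsigned second User ID; the point is that any tool treating keyserver User IDs as identities has to at least demand, and ideally verify, a self-signature before trusting them.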

@infosechandbook @cathal

(2/2) It's a complicated trade-off, but that kind of intel is worth actual money. A lot of people are not aware that #security can contradict #privacy.

We strictly believe that blaming the user is the wrong approach; asking a user to publicly link accounts together is a very dangerous suggestion, and security people endorsing a service that behaves in this way is even more problematic. #infosec #osint

@infosechandbook You can even just upload your personal public key; that way people can still use your Keybase profile to encrypt messages to you.


mastodon.at is a microblogging site that federates with most instances on the Fediverse.