Keybase extension brings end-to-end encrypted chat to Twitter, Reddit, Github

Discussion in 'privacy technology' started by Minimalist, May 25, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    https://threatpost.com/keybase-extension-brings-end-to-end-encrypted-chat-to-twitter-reddit-github
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That is very cool! You don't need to "have" my public GnuPG key, or even know where to get it. Because Keybase provides and verifies it.

    On the other hand, there's the risk that the extension would also encrypt to a malicious key, which would allow Keybase or another adversary to read messages. But then, Enigmail could also be doing that ;) Someone ought to check, in any case.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    You will NEVER know unless you encrypt locally and then transmit.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Truth :)

    Another advantage: You can not disclose which key(s) it's encrypted to.

    Code:
    --hidden-recipient name
    
    -R     Encrypt  for user ID name, but hide the key ID of this user's key.
           This option helps to hide the receiver of the  message  and  is  a
           limited countermeasure against traffic analysis. If this option or
           --recipient is not specified, GnuPG asks for the  user  ID  unless
           --default-recipient is given.
    It's too bad this isn't an Enigmail option. You can set a particular hidden recipient in the GnuPG config file, but not (unless I've missed something) the use of hidden recipients generally, by default.
     
    Last edited: May 27, 2017
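    Both points above (checking which keys a message was actually encrypted to, and what a hidden recipient looks like on the wire) can be verified from the ciphertext itself. The following is an added example, not code from this thread, GnuPG or Keybase: it parses the OpenPGP packet headers of a message and lists the recipient key ID of every Public-Key Encrypted Session Key packet, flagging the all-zero wildcard ID that `--hidden-recipient` writes. The sample message bytes are constructed for the demo.

```python
# Parse OpenPGP packet headers (RFC 4880) and list the recipient key IDs of
# the Public-Key Encrypted Session Key (PKESK, tag 1) packets in a message.
# A PKESK whose key ID is all zeros is a "hidden" recipient, as written by
# gpg --hidden-recipient / -R; a normal PKESK reveals the recipient key ID.
# Added example, not code from the forum thread, GnuPG or Keybase.
PKESK_TAG = 1
WILDCARD_KEY_ID = bytes(8)


def read_header(data: bytes, pos: int) -> tuple[int, int, int]:
    """Return (tag, body_offset, body_length) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"byte {pos}: not an OpenPGP packet header")
    if first & 0x40:                        # new-format header (RFC 4880 4.2.2)
        tag, b1 = first & 0x3F, data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not supported here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header (4.2.1)
    if ltype == 3:
        raise ValueError("indeterminate length is not supported here")
    n = (1, 2, 4)[ltype]
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")


def list_recipients(message: bytes) -> list[tuple[str, int, bool]]:
    """Return (key_id_hex, pubkey_algo, hidden) for every PKESK in the message."""
    recipients, pos = [], 0
    while pos < len(message):
        tag, start, length = read_header(message, pos)
        body = message[start:start + length]
        if tag == PKESK_TAG and body[0] == 3:   # version 3 PKESK: key ID at 1..8
            key_id = body[1:9]
            recipients.append((key_id.hex().upper(), body[9],
                               key_id == WILDCARD_KEY_ID))
        pos = start + length
    return recipients


# Constructed sample message: two PKESK packets (one visible, one hidden)
# followed by a stub SEIPD packet (tag 18); key ID and MPI bytes are made up.
SAMPLE = bytes.fromhex(
    "84 0e 03 4a3b2c1d0e0f1a2b 01 0010 abcd"   # old-format PKESK, key ID shown
    "c1 0e 03 0000000000000000 01 0010 abcd"   # new-format PKESK, hidden (-R)
    "d2 03 01 0000"                            # SEIPD stub, not a recipient
)
```

Running `list_recipients` over a real `.gpg` file (binary, not ASCII-armored) shows every key the sender's software added, which is how an unexpected extra recipient key would become visible; `gpg --list-packets` reports the same key IDs.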
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,938
    Location:
    UK
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yeah, this is bad :(

    The Chrome/Firefox extension is labeled as "NEW" on the download page. If these allegations are correct, it ought to be clearly labeled as "insecure".

    I'm quite disappointed in Keybase. They have not handled this at all well :(

    And BTW, I also don't like the option of uploading private keys. I mean, no sane person would ever do that. It's not that hard to copy keys to multiple devices, if that's really necessary for your workflow. Me, if I used mobile devices, I'd use dedicated keys, because those things are so readily pwned.
     