[liberationtech] keybase.io
Steve Weis
steveweis at gmail.com
Mon Mar 24 15:00:53 PDT 2014
On Mon, Mar 24, 2014 at 2:03 PM, David Berry <dmberry at gmail.com> wrote:
> Is anyone familiar with:
>
> https://keybase.io
>
> It looks like an interesting project and the idea of a database of public
> keys is definitely a good one... or is it?
As a public key directory, the state of the art is essentially
pgp.mit.edu. Almost anything is a usability improvement.

Unfortunately, beyond acting as a directory, the keybase.io website
also insecurely offers Javascript crypto in the browser:

"Keybase.io is also a Keybase client, however certain crypto actions
(signing and decrypting) are limited to users who store
client-encrypted copies of their private keys on the server, an
optional feature we didn't mention above. On the website, all crypto
is performed in JavaScript, in your browser. Some people have strong
feelings about this, for good reason."

Users who use this feature risk revealing their plaintext and private
keys to Keybase.io or to an attacker who finds an XSS exploit in
Keybase.io's site.