[liberationtech] keybase.io

Johannes johannes at weltraumpflege.org
Tue Mar 25 07:58:43 PDT 2014


On 03/24/2014 11:00 PM, Steve Weis wrote:
> Unfortunately, beyond acting as a directory, the keybase.io website
> also insecurely offers Javascript crypto in the browser:

I have some other problems with keybase.io. First, the webapp encourages
its users to paste their private keys into a browser window, which is the
wrong way to go IMHO. The success of phishing attacks shows that a large
number of users are not able to verify if the site requesting their
private key is legitimate or not. And then there is the risk of a
compromised browser.

The other issue I'm having is the 'tracking' mechanism. The app alerts
the user that "tracking is a big deal" and tracking automatically signs
the tracked user's key, which is utterly pointless IMO because what am I
signing? Every piece of information (Keybase user X is @X on twitter,
etc.) is already verifiable through crypto alone. Keysigning is
interesting if and only if I have verified the key owner's identity offline.

just my EUR 0.02

~johannes


