[liberationtech] keybase.io
James Moore
hello at jmoore.me
Tue Mar 25 12:02:01 PDT 2014
On Mar 25, 2014, at 7:58 AM, Johannes <johannes at weltraumpflege.org> wrote:
> On 03/24/2014 11:00 PM, Steve Weis wrote:
>> Unfortunately, beyond acting as a directory, the keybase.io website
>> also insecurely offers Javascript crypto in the browser:
>
> I have some other problems with keybase.io. First, the webapp encourages
> its users to paste their private keys into a browser window which is the
> wrong way to go IMHO. The success of phishing attacks shows that a large
> number of users is not able to verify if the site requesting their
> private key is legitimate or not. And then there is the risk of a
> compromised browser.
>
> The other issue I'm having is the 'tracking' mechanism. The app alerts
> the user that "tracking is a big deal" and tracking automatically signs
> the tracked user's key, which is utterly pointless IMO because what am I
> signing? Every piece of information (Keybase user X is @X on twitter,
> etc.) is already verifiable through crypto alone. Keysigning is
> interesting if and only if I have verified the key owner's identity offline.
>
> just my EUR 0.02

There’s an active conversation about their tracking feature happening at
https://github.com/keybase/keybase-issues/issues/100

James