On Mon, Mar 24, 2014 at 2:03 PM, David Berry <[email protected]> wrote:
> Is anyone familiar with:
>
> https://keybase.io
>
> It looks like an interesting project and the idea of a database of public
> keys is definitely a good one... or is it?
As a public key directory, the state of the art is essentially pgp.mit.edu. Almost anything is a usability improvement.

Unfortunately, beyond acting as a directory, the keybase.io website also insecurely offers Javascript crypto in the browser:

"Keybase.io is also a Keybase client, however certain crypto actions (signing and decrypting) are limited to users who store client-encrypted copies of their private keys on the server, an optional feature we didn't mention above. On the website, all crypto is performed in JavaScript, in your browser. Some people have strong feelings about this, for good reason."

Users who use this feature risk revealing their plaintext and private keys to Keybase.io or to an attacker who finds an XSS exploit in Keybase.io's site.

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
