On 03/24/2014 11:00 PM, Steve Weis wrote:
> Unfortunately, beyond acting as a directory, the keybase.io website
> also insecurely offers Javascript crypto in the browser:

I have some other problems with keybase.io. First, the webapp encourages its users to paste their private keys into a browser window, which is the wrong way to go IMHO. The success of phishing attacks shows that a large number of users are not able to verify if the site requesting their private key is legitimate or not. And then there is the risk of a compromised browser.

The other issue I'm having is the 'tracking' mechanism. The app alerts the user that "tracking is a big deal" and tracking automatically signs the tracked user's key, which is utterly pointless IMO because what am I signing? Every piece of information (Keybase user X is @X on twitter, etc.) is already verifiable through crypto alone. Keysigning is interesting if and only if I have verified the key owner's identity offline.

just my EUR 0.02
~johannes

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
