On Mar 25, 2014, at 7:58 AM, Johannes <[email protected]> wrote:
> On 03/24/2014 11:00 PM, Steve Weis wrote:
>> Unfortunately, beyond acting as a directory, the keybase.io website
>> also insecurely offers Javascript crypto in the browser:
>
> I have some other problems with keybase.io. First, the webapp encourages
> its users to paste their private keys into a browser window which is the
> wrong way to go IMHO. The success of phishing attacks shows that a large
> number of users is not able to verify if the site requesting their
> private key is legitimate or not. And then there is the risk of a
> compromised browser.
>
> The other issue I'm having is the 'tracking' mechanism. The app alerts
> the user that "tracking is a big deal" and tracking automatically signs
> the tracked user's key, which is utterly pointless IMO because what am I
> signing? Every piece of information (Keybase user X is @X on twitter,
> etc.) is already verifiable through crypto alone. Keysigning is
> interesting if and only if I have verified the key owner's identity offline.
>
> just my EUR 0.02

There’s an active conversation about their tracking feature happening at https://github.com/keybase/keybase-issues/issues/100

James

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
