This may be slightly off topic to key validation, but imho the ugliest part of keybase is the URL paths. For example, I may have registered github.com/user1 and keybase.io/user1, but an attacker may control twitter.com/user1.
I believe many users will believe twitter.com/user1 == github.com/user1 . I was able to do a similar attack previously and impersonate one of the keybase founders.

E

On Tue, Sep 9, 2014 at 12:43 PM, Tony Arcieri <[email protected]> wrote:

> On Tue, Sep 9, 2014 at 9:33 AM, [email protected] <[email protected]> wrote:
>
>> Keybase uses tweets and Gists instead of bios because they are
>> timestamped unlike bios.
>>
>
> It also has the effect of driving you to the Keybase site to obtain
> fingerprints, as users are publishing signatures under an unknown key
> (which is weird and a bit gross)
>
> --
> Tony Arcieri
>
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
