undefined | Better HN

0 pointstechntoke7y ago0 comments

Exactly... unless the work is open source, they are just another centralized solution. Reminds me of Telegram.

0 comments

I thought Keybase was open source? Released under the New BSD (3 Clause) License?

The clients are. The platform they all run on top of is centralized, made up its own irresponsibly insecure key handling and crypto protocols, and is proprietary.

nickik7y ago

They didn't make any of their own security, they use very well established open-source security libraries for everything. Stop spreading FUD.

lrvick7y ago

I have researched their approach in great detail and found design flaws in it like: https://github.com/keybase/keybase-issues/issues/1946

A lot of trust is rooted in their centralized proprietary walled garden API and to make matters worse they actually silently bypass hardware security modules in favor of keys exposed to system memory!

They even encourage users to expose their PGP private keys to their browser and didn't even bother to isolate it to a service worker so browser plugins can't steal it (or just supporting hardware tokens which GPG already did just fine)

Almost everything they do is non standard, not interoperable with anything else, not distributed to keyservers. They are the internet explorer of cryptography.

They did this in the name of UX but it turns out you can have super easy PGP UX AND follow standards as OpenKeychain has demonstrated.

Keybase introduced lock-in and their own protocols for problems that did not at all need them. They are 2 steps forward on UX and one huge backwards step for security.

1 more reply

j / k navigate · click thread line to collapse

0 comments

sympodius7y ago

I thought Keybase was open source? Released under the New BSD (3 Clause) License?

lrvick7y ago

The clients are. The platform they all run on top of is centralized, made up its own irresponsibly insecure key handling and crypto protocols, and is proprietary.

nickik7y ago

They didn't make any of their own security, they use very well established open-source security libraries for everything. Stop spreading FUD.

lrvick7y ago

I have researched their approach in great detail and found design flaws in it like: https://github.com/keybase/keybase-issues/issues/1946

Almost everything they do is non standard, not interoperable with anything else, not distributed to keyservers. They are the internet explorer of cryptography.

They did this in the name of UX but it turns out you can have super easy PGP UX AND follow standards as OpenKeychain has demonstrated.

Keybase introduced lock-in and their own protocols for problems that did not at all need them. They are 2 steps forward on UX and one huge backwards step for security.

1 more reply

j / k navigate · click thread line to collapse