Keybase, the company that asks you to upload your private keys to their servers, has just been acquired by Zoom, an essentially Chinese company notorious for having terrible concepts on how encryption should be implemented.

Even if you gave Keybase the benefit of the doubt beforehand, this is corporate suicide at its most graphic. Delete your Keybase keys. Close your account. Rotate everything that Keybase touched, be that password or cryptomaterial.

blog.zoom.us/wordpress/2020/05

@kline They only have access to my public keys. They give an option for you to retain your own private key. In this configuration it is perfectly safe and provides a useful service to retain it.

Not happy with Zoom acquiring them, but until it poses a security risk or until an alternative comes online, its usefulness will cause me to continue to keep my account.

@freemo there's no way for other users to identify if they have anything more than your public key.

I can't communicate with anyone who uses Keybase with a given public key, as I can't verify ahead of time if they uploaded the private key or not.

It might be safe from your point of view looking out, but not for others looking in.

@kline That protection is done the same way it is done with any compromised key. If the issuer happened to give keybase their private key at some point then it is expected that now that the user knows their key is compromised that they revoke their key. Just as you would expect if the key was stolen through other means.

Using a person's key means you trust the user is responsible with the security of their key. If you trust someone handles their private key securely, then you can also trust their identity on Keybase is secure. If you do not trust they handle their key securely (don't give out their private key), then you can't trust their identity anywhere, not just Keybase.

@freemo for me, a pubkey being in keybase is something I now consider irresponsible.

Until now, you could balance it and give them the benefit of the doubt, but now that balance is thoroughly disrupted.

An encryption enthusiast might have considered it worth the risk, assuming the benefit of the doubt, but I think that it's no longer safe to do so, even if there are second-class modes in which keybase can be used less-unsafely.

@kline That makes no sense to me. There is nothing remotely unsafe on any level about a public key being in keybase. They are public by their very nature, keybase has access to your public key whether you want it to be or not.

We aren't talking about a less-unsafe mode, we are talking about a 100% secure and safe mode. There is no risk of any kind in distributing a public key, and even if you don't distribute it explicitly it is publicly accessible anyway.

@freemo If I see that someone's pubkey is in keybase, how can I verify that their privkey is not?


@kline Let's rephrase that more generally.

How do I know Bob's private key hasn't been compromised?

The answer is, you don't, you never did. So that concern is hardly unique to Keybase.

Qoto Mastodon