Keybase, the company that asks you to upload your private keys to their servers, has just been acquired by Zoom, an essentially Chinese company notorious for having terrible concepts on how encryption should be implemented.

Even if you gave Keybase the benefit of the doubt beforehand, this is corporate suicide at its most graphic. Delete your Keybase keys. Close your account. Rotate everything that Keybase touched, be that passwords or cryptomaterial.

blog.zoom.us/wordpress/2020/05

@kline They only have access to my public keys. They give an option for you to retain your own private key. In this configuration it is perfectly safe and provides a useful service to retain it.

Not happy with Zoom acquiring them, but until it poses a security risk or until an alternative comes online, its usefulness will cause me to continue to keep my account.

@freemo there's no way for other users to identify if they have anything more than your public key.

I can't communicate with anyone who uses Keybase with a given public key, as I can't verify ahead of time whether they uploaded the private key or not.

It might be safe from your point of view looking out, but not for others looking in.

@kline Show me the portion where #Keybase uploads a private PGP key unencrypted to their server. @freemo

@erAck They don't do it "unencrypted", but I can attest that giving them your private key so they can encrypt things for you server side is an option. Though you also have the choice to not upload the private key, which means you can still do all the same operations, but the commands are a bit more complicated, so people are sometimes compelled to give them their private key instead.

You will see the option if you try to setup a new account or new key.

@kline

@freemo Yes, I _could_ upload a secret key, but it's not needed for anything functionality-wise. @kline

Qoto Mastodon