Keybase, the company that asks you to upload your private keys to their servers, has just been acquired by Zoom, an essentially Chinese company notorious for having terrible concepts on how encryption should be implemented.

Even if you gave Keybase the benefit of the doubt beforehand, this is corporate suicide at its most graphic. Delete your Keybase keys. Close your account. Rotate everything that Keybase touched, be that password or cryptomaterial.

blog.zoom.us/wordpress/2020/05

@kline They only have access to my public keys. They give an option for you to retain your own private key. In this configuration it is perfectly safe and provides a useful service to retain it.

Not happy with Zoom acquiring them, but until it poses a security risk or until an alternative comes online, its usefulness will cause me to continue to keep my account.

@freemo there's no way for other users to identify if they have anything more than your public key.

I can't communicate with anyone who uses Keybase with a given public key, as I can't verify ahead of time if they uploaded the private key or not.

It might be safe from your point of view looking out, but not for others looking in.

@kline
Show me the portion where #Keybase uploads a private PGP key unencrypted to their server.
@freemo

@erAck

They don't do it "unencrypted", but I can attest that giving them your private key so they can encrypt things for you server side is an option. Though you also have the choice to not upload the private key, which means you can still do all the same operations but the commands are a bit more complicated, so people are sometimes compelled to give them their private key instead.

You will see the option if you try to set up a new account or new key.

@kline

@freemo
Encryption doesn't need a private key, "so they can encrypt things for you server side" simply doesn't hold.
@kline

@erAck

I was using the term encrypt rather loosely (and yes, even incorrectly)... they use it to sign and decrypt, if you want to get technical.

Either way, you're arguing about a point that isn't in debate. You can go to the site yourself and easily see the option to upload your private key on signup if you wish.

They could have changed it, maybe, if you're saying you didn't see it. But when I signed up, providing your private key was certainly an option.

@kline

@freemo
Right, uploading a secret key was and is an option. Encrypted. Which one shouldn't do on principle, not because of not trusting. So what? What changed now that Zoom acquired Keybase? Even if uploaded, the key stays encrypted.
@kline

@erAck

The issue is that the encryption relied on trust that the server side won't store your password and decrypt it without your permission, just as you trust a website you use won't store your password in plain text.

Since the entire system is proprietary that just doubles the concern.

So trust is very much an issue should you happen to have uploaded your private key.

@kline

Qoto Mastodon