Keybase - public key based secure chat

Post details of freeware that are found to be not portable here. Posts in the submissions forum relating to freeware found to be not portable should also be moved here.
Post Reply
Message
Author
User avatar
webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Keybase - public key based secure chat

#1 Post by webfork »

Edit: Due to issues on my Win7x86 machine (described below), I recommend against using this program.

--

Another cross-platform, secure chat program, this time based on PGP. The main things that look interesting about are a more hands-on approach to public keys (more secure)and the file sharing. They also seem to be very ambitious: https://keybase.io/blog/keybase-chat .

Websites:

https://keybase.io/
https://github.com/keybase
http://www.softpedia.com/get/Internet/C ... base.shtml

License: BSD 3 clause. I'm not clear on why this is "PGP" (commercial) vs. GPG (open source).

Status: untested, but this issue seems to suggest it's not portable, discussing something saved to appdata: https://github.com/keybase/client/issues/6688

User avatar
webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Keybase - public key based secure chat

#2 Post by webfork »

Update is out for this ... now at 1.0.30.1046 but I couldn't find a changelog.

User avatar
webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Keybase - public key based secure chat

#3 Post by webfork »

Update:

So I've installed the program and so far seems to work well. It looks and behaves a lot like a more secure version of Slack or Stride (formerly Hipchat trying to mimic Slack). The primary selling point here is actually encrypted communications (and not just a secure connection to a server somewhere). What I found was after-the-fact obvious as they sort of advertise that approach on their front page:
keybase.io wrote:Keybase is for anyone. Imagine a Slack for the whole world, except end-to-end encrypted across all your devices. Or a Team Dropbox where the server can't leak your files or be hacked.
As to the GPG part, you can generate or import one in your profile (odd place to put that) but I couldn't figure out where the public/private keypair went C:\Users\USER\AppData\Local\Keybase\secretkeys.KEYBASEUSERNAME.mpack

Pros:
  • Definitely an active project, if the Github page is any judge https://github.com/keybase/client
  • Probably the first simple and team-centric tool that embraces security by default. I've messed with a lot of simple programs for teams and a lot of security-enhanced programs for teams, but never both.

Cons / Questions: (yes, some of the answers below are on Twitter but no, that's not really the way to address them)
  • Yet another Electron-based app taking up 150+ megs of RAM across 5 processes, which is just unnecessary
  • Standard security concerns for "secure" programs:
    • Relies on a remote server
    • Unclear business model
    • Code audit?
    • No mention of the efail vulnerability and if Keybase is affected
    • What happens if - like Telegram - someone uses this in a way a state actor doesn't like
  • Not clear whether or not this is PGP-based when the program doesn't generate a key by default
  • Not real clear on how "following" someone works. Is this a Twitter thing?
Status: Not portable. I tried a few tricks but it doesn't know what to do outside of the AppData folder. Tested: v1.0.48.11 in Win7x86

---

Edit: oh and there are profile pages where, if you're logged in, you can send secure messages. https://keybase.io/username

Edit 2: The program doesn't actually quit, it just haunts your taskbar. I had to go through the Task Manager to get it to quit.

User avatar
Midas
Posts: 6705
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Keybase - public key based secure chat

#4 Post by Midas »

This might (or not) be relevant here, but I reckon it should be posted somewhere...

User avatar
webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Keybase - public key based secure chat

#5 Post by webfork »

Midas wrote: Wed May 23, 2018 3:56 am This might (or not) be relevant here, but I reckon it should be posted somewhere... Attention PGP Users
Yeah that was what the "efail" bit was about. Keybase is not super clear about that but, having looked at the issue and how it's triggered by a rather specific set of circumstances in exchanged HTML, I'd be surprised if Keybase was vulnerable.

User avatar
webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Keybase - public key based secure chat

#6 Post by webfork »

Update: Keybase does something that's generally a big red flag for me: auto-launches at startup and has problems closing unless you end-task it. Worse, the autolaunched icon in my tray won't even open the program. This software is not ready for general use.

Post Reply