What do you think about Keybase.io?

iam trying to get a good alt for wire (because wire storing your contacts in plain text & not encrypt meta data) so i found keybaseio but iam not sure they encrypt metadata or no & its saving my contacts in plain text or no so yeah

SOLVED

https://keybase.io/blog/keybase-chat

What about metadata?

Like with most chat apps, the Keybase servers will see who you’re looking up.

For a given message, Keybase servers know who sent it, approximate size, who the recipients are, and an ID for the channel. All of this is a requirement for performance and (upcoming) mobile notifications.

It’s better than PGP because of many modern crypto best practices, easier and safer key management, and easier and safer identity lookups.

If your biggest fear is hiding whom you’re talking to, none of the apps mentioned on this page are safe unless you’re coming in over Tor, with no info connected to your real identity, in a library or cafe, and wearing a disguise.

1 Like

One purpose of Keybase is to publicly and cryptographically link different accounts of yourself, so third parties can trust all of them if they trust one. The same is true for contacts that are always public. So, your contacts are always publicly visible as soon as you add them or they add you.

However, it isn’t necessary to add people for messaging. You can send messages to any Keybase account.

The Keybase chat is an encrypted alternative to Slack. They don’t try to replace other chat apps like WhatsApp, Signal, Wire, Telegram etc.

Contrary to most state-of-the-art messengers, Keybase chat doesn’t support Perfect Forward Secrecy by default. They added this as an optional feature, called “exploding messages”. Compared with Signal, there is more metadata visible to Keybase servers.

3 Likes

How does Keybase compare to Riot for metadata? Which one would you say is safer? I am not looking to hide the metadata too desperately, so long as conversation contents is fully private/E2EE

Metadata *are important, https://ssd.eff.org/en/glossary/metadata

Do we have a privacytools.io keybase team (I use keybase more than riot)?

2 Likes

This is a great idea

2 Likes

I don’t know about a privacytools.io team, but there is a team called “kb_infosec” and we (InfoSec Handbook) have a team dedicated to InfoSec news called “infosec_news”.

2 Likes

I’m not sure about metadata, but after reading this stuff about riot and matrix, I’m not sure if Keybase can be worse. Aslo, all Keybase messages are encrypted by default, unlike Matrix (Riot) or XMPP

Though for me it doesn’t matter, cause no one I know uses keybase, riot or xmpp. Only 3 family members use Wire, and few colleagues are using Signal.

3 Likes

Can I have an invite?

I don’t think we are going to be officially on Keybase anytime soon, but maybe if there was a Matrix bridge we could try talking @jonah into it.

I am also at Keybase more than in Riot as the app performs better and it somehow made its way as one of the three IM apps I have stating on login.

I am not sure which team you mean, but you can run keybase team request-access kb_infosec and keybase team request-access infosec_news, I am not sure how the graphical way works. Or if you mean a Keybase invite, I don’t know how to find your email address.

I’m not super interested in running Matrix bridges at the moment, especially ones to E2E encrypted apps like Keybase or Wire, because they defeat the purpose of E2EE.

1 Like

You don’t need an invite. Simply join, both teams I mentioned are open for everyone.

Just open the Keybase GUI, go to “Teams” and click “Join a team”. Then you can enter, for example, “kb_infosec” or “infosec_news” to join.

Ah, didn’t realise that they were open to all!

I forgot to say here too that a team was created this morning.

In case you are interested, in other Keybase news it’s part of my team chat PR and for it there is Discussion: Keybase.

2 Likes

thx, but i not need keybase at this time so yeah i not interested but thx :slight_smile:

I use XMPP (Gajim, specifically), and I used to use Riot with some of the members of this site, as a matter of fact, but we switched to Signal a while back. I was unsure if matrix.org was having leakage issues right now…

1 Like

Keybase is encrypted however you need a pgp to encrypt it. In the terminal type:

$ keybase pgp new

This isn’t true, for encryption in the Keybase apps (Chat, Git, File Hosting, etc) Keybase uses device-specific NaCl keys (https://keybase.io/blog/keybase-new-key-model). Keybase doesn’t actually use PGP at all in their own platforms AFAIK. Unless maybe you’re chatting with a really old client, I know they have lots of backwards-compatible code still.

So add or create a PGP key if you want that hosted on your Keybase profile, so non-Keybase users can contact/email you outside of Keybase. But you can rest assured if you contact another Keybase user your chats will be End-to-End encrypted even if they don’t have a PGP key listed on their profile.

3 Likes