Two days ago I decided to take a look at Keybase. Keybase does crypto, is open source and offers security bug bounties for relevant findings, just the perfect investigation subject for me. It didn’t take long for me to realize that their browser extension is deeply flawed, so I reported the issue to them via their bug bounty program. Their response boiled down to: “But why should we care?” Turns out, this is a common response, see update at the bottom.

The self-description of Keybase emphasizes its secure end-to-end encryption (emphasis in original):

“Imagine a Slack for the whole world, except end-to-end encrypted across all your devices. Or a Team Dropbox where the server can’t leak your files or be hacked.”

So the app allows you to exchange messages or files with other people, with the encryption happening on the sender’s computer in such a way that decryption is only possible by the designated recipient. This app is available for both desktop and mobile platforms. And for desktop you get a bonus: you can install the Keybase browser extension. It will add a “Keybase Chat” button to people’s profiles on Facebook, Twitter, GitHub, Reddit or Hacker News. This button allows you to connect to people easily.

Clicking the button will open a chat window and allow you to enter a message directly in the browser. Only after that initial message is sent is the conversation transferred to the Keybase app.

The issue here is a very common one, merely a week ago I listed it as #6 in this article. The extension injects its user interface (the button and the chat window) into third-party websites, yet it fails to isolate it from these websites. So the first consequence is: the Keybase message you enter on Facebook is by no means private. Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption. This is quite contrary to the promise Keybase still makes on their Mozilla Add-ons and Chrome Web Store installation pages.

Don’t believe that Facebook would intentionally spy on you? Maybe not, but by now it is pretty common to log all of the user’s actions for “site optimization” purposes, and this includes anything entered into text fields of course. But in my opinion, that’s not even the worst issue.

A website could do more than passively spy on you. It could just as well instrument the Keybase user interface in order to send messages in your name, while also making this user interface invisible so that you don’t notice anything. Why would Facebook want to do something like that? Not necessarily them, rather anybody who discovered a Cross-Site Scripting (XSS) vulnerability in one of the websites that Keybase integrates with. So if hundreds of people complain about you sending them spam messages via Keybase, it might be somebody exploiting the Keybase extension on your computer via an XSS vulnerability in Reddit. Have fun explaining how you didn’t do it, even though the messages were safely encrypted on your computer.

What does Keybase think about this?

According to Keybase, “this is all clearly described on the install page and is known.” In fact, close to the bottom of that page you find the following:

“The Keybase extension uses a compose box inside your browser. If you fear your browser or the social network site’s JavaScript has been compromised - say by another extension or even the social network acting fishy - then just compose the message inside the Keybase app directly. Or send a quick hello note through the extension and save the juicier private details for inside the app.”

First of all, “browser is compromised” to me sounds more like malware. Trouble is, malware affecting the browser will affect the Keybase app just as well, so the advice makes no sense. And is Facebook spying on you “fishy” or just its usual self? But let’s say that it really is “the social network acting fishy,” how are you supposed to know?

Avoiding it is fairly easy, by isolating all of the extension’s user interface in an <iframe> element. This would prevent both the website and other extensions from accessing it. Also, from Keybase: “There were technical reasons why iframes didn’t work, though I forget the details.” I translate this as: “Using iframes required a slightly more complicated approach, so we couldn’t figure it out.”

Keybase also says: “It’s such a minor feature for us, it’s not worth a fix.” I translate this as: “We will keep pushing this extension because it gets users to promote our app for free. But we don’t care enough to make it secure.”

And now?

The only advice I can give you: uninstall the Keybase browser extension ASAP. As to the app itself, it might be secure. But as experience shows, the claim “end-to-end encryption” doesn’t automatically translate into a secure implementation. Initially, I planned to take a closer look at the crypto in Keybase, to see whether I can find weaknesses in their implementation.
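To make the isolation failure concrete, here is an added example (written for this page, not Keybase’s code) of the two ways a content script can put a compose box onto a third-party profile page, and the checks the isolated variant needs. The extension id, the `compose.html` file name, the query-string layout and the username pattern are assumptions made for the example; the site list is the one named above. The DOM functions only do something in a browser, the validation helpers run anywhere.

```javascript
// Added example (not Keybase's code): injecting an extension's compose UI into a
// host page's DOM versus isolating it in an extension-origin iframe.
// EXT_ORIGIN, compose.html, the query layout and USERNAME_RE are assumptions.

const EXT_ORIGIN = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop'; // hypothetical id
const SITES = new Set(['facebook', 'twitter', 'github', 'reddit', 'hackernews']);
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,40}$/; // assumed format; tighten per site

// --- Vulnerable pattern -------------------------------------------------------
// Content scripts run in an isolated JS world, but the DOM is shared with the
// page. A <textarea> appended here is an ordinary page element: site scripts can
// read .value, call click() on the button, or hide the whole thing with CSS
// while still driving it.
function injectComposeBoxUnsafe(doc, container, sendFn) {
  const box = doc.createElement('textarea');
  const send = doc.createElement('button');
  send.textContent = 'Send';
  send.addEventListener('click', () => sendFn(box.value));
  container.append(box, send);
  return box;
}

// All a page script (analytics, or an XSS payload) needs to capture what the
// user types into that box: one capturing 'input' listener on the document.
function installPageKeylogger(doc, sink) {
  doc.addEventListener('input', (e) => {
    if (e.target && typeof e.target.value === 'string') sink(e.target.value);
  }, true);
}

// --- Isolated pattern ---------------------------------------------------------
// The UI is a document served from the extension's own origin, embedded in an
// <iframe>. The host page can see, move or remove the frame element but cannot
// reach inside it: contentDocument is null across origins, and input events in
// the frame never reach the host document or its listeners.
function injectComposeBoxIsolated(doc, container, site, username) {
  const frame = doc.createElement('iframe');
  frame.src = buildComposeFrameUrl(EXT_ORIGIN, site, username);
  container.appendChild(frame);
  return frame;
}

// The recipient name is scraped from the page, so it is untrusted input:
// validate it before it becomes part of the frame URL.
function buildComposeFrameUrl(extOrigin, site, username) {
  if (!SITES.has(site)) throw new Error('unsupported site');
  if (!USERNAME_RE.test(username)) throw new Error('invalid username');
  const url = new URL(extOrigin + '/compose.html');
  url.searchParams.set('site', site);
  url.searchParams.set('username', username);
  return url.href;
}

// Inside compose.html: the host page controls the frame's src attribute, so the
// query string must be re-validated here even though the content script already
// did. Returns null instead of trusting anything malformed.
function parseComposeFrameParams(href) {
  const url = new URL(href);
  const site = url.searchParams.get('site') || '';
  const username = url.searchParams.get('username') || '';
  if (!SITES.has(site) || !USERNAME_RE.test(username)) return null;
  return { site, username };
}

// Inside compose.html: if the frame listens for postMessage at all, accept only
// messages from the extension's own origin. A message from the embedding site
// carries that site's origin (e.g. 'https://www.facebook.com') and is dropped,
// so page scripts cannot drive the UI this way either.
function isTrustedMessage(event, extOrigin) {
  return typeof event.origin === 'string' && event.origin === extOrigin
    && event.data !== null && typeof event.data === 'object';
}

// Sending happens from the extension page via chrome.runtime.sendMessage, an API
// the host page cannot call; 'runtime' is passed in so the function is testable.
function sendFromComposeFrame(runtime, text, recipient) {
  return runtime.sendMessage({ type: 'compose', recipient, text });
}
```

The frame does not remove every avenue: the host page can still delete the frame, cover it, or point its `src` at a different recipient, which is why `parseComposeFrameParams` re-validates on the extension side rather than trusting what the content script put into the URL. Other extensions with host permissions on the site face the same cross-origin boundary as the page itself.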