
posted by martyb on Saturday September 08 2018, @03:06PM
from the couldn't-care-less-or-could-they? dept.

Software developer Wladimir Palant has written a blog post explaining a fatal shortcoming in Keybase's browser extension. Keybase claims to offer end-to-end encryption for chat and file sharing despite running inside a browser. The flaw is in how the extension inserts its chat interface into third-party web sites: that interface is not kept isolated from the host site, so any script running on that site could read the decrypted contents, or forge messages and files under the user's identity. The response from Keybase to Wladimir has been underwhelming.

Two days ago I decided to take a look at Keybase. Keybase does crypto, is open source and offers security bug bounties for relevant findings — just the perfect investigation subject for me. It didn't take long for me to realize that their browser extension is deeply flawed, so I reported the issue to them via their bug bounty program. The response was rather... remarkable. It can be summed up as: "Yes, we know. But why should we care?"

His recommendation is to uninstall the Keybase browser extension as soon as possible. The status of the phone application is unclear, as he has not looked into it.
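To make the isolation point concrete, here is an added example (written for this page, not Keybase's code) contrasting the two designs: a chat widget rendered straight into a third-party page's DOM, where the page's own scripts can read and rewrite it, versus a widget rendered in an iframe served from the extension's own origin, with an origin check on the postMessage traffic between the two sides. The names mountInPageDom, mountIsolated, deliverToFrame, isTrustedChatMessage and the origin "chrome-extension://exampleid" are hypothetical; the small stand-in for `document` at the bottom is constructed so the file runs under Node, and in a browser the real `document` would be passed instead.

```javascript
"use strict";
// Added example, not Keybase's code. Contrasts a decrypted chat widget injected
// into a third-party page's DOM (the pattern the article describes) with one
// rendered in an iframe served from the extension's own origin. All function
// names and the extension origin below are hypothetical; the fake document at
// the bottom is constructed only so this runs outside a browser.

// Flawed pattern: the widget, plaintext included, becomes part of the host
// page. Any script the page runs (the site itself, a third-party tag, an XSS
// payload) can read msg.textContent or overwrite the compose box before the
// user presses send, so confidentiality and integrity both rest on the site.
function mountInPageDom(doc, plaintextMessage) {
  const widget = doc.createElement("div");
  widget.className = "chat-widget";
  const msg = doc.createElement("p");
  msg.textContent = plaintextMessage; // plaintext now lives in the page DOM
  const compose = doc.createElement("textarea");
  widget.appendChild(msg);
  widget.appendChild(compose);
  doc.body.appendChild(widget);
  return widget;
}

// Isolated pattern: the page only receives an <iframe> whose document is
// cross-origin to it. Page scripts cannot read that document or its form
// fields, and no plaintext is ever written into `doc`.
function mountIsolated(doc, extensionOrigin) {
  const frame = doc.createElement("iframe");
  frame.src = extensionOrigin + "/chat.html";
  doc.body.appendChild(frame);
  return frame;
}

// Plaintext reaches the frame over postMessage with an explicit target origin,
// never "*": if the frame were navigated elsewhere, the browser drops the
// message instead of handing the plaintext to whatever loaded in its place.
function deliverToFrame(frame, extensionOrigin, payload) {
  frame.contentWindow.postMessage({ type: "show", payload }, extensionOrigin);
}

// Receiver-side check for postMessage traffic from the frame back to the
// content script. Without the origin and source checks the host page could
// post its own {type: "send", ...} and have messages forged under the user's
// identity, which is the failure mode the article warns about.
function isTrustedChatMessage(event, extensionOrigin, frameWindow) {
  if (event.origin !== extensionOrigin) return false;
  if (event.source !== frameWindow) return false;
  const d = event.data;
  return typeof d === "object" && d !== null && typeof d.type === "string";
}

// Constructed stand-in for the DOM: just enough surface for the code above.
function makeFakeDocument() {
  const makeNode = (tag) => ({
    tagName: tag.toUpperCase(),
    className: "",
    textContent: "",
    children: [],
    appendChild(child) { this.children.push(child); return child; },
  });
  return { body: makeNode("body"), createElement: makeNode };
}

// What an in-page script can collect by walking the page's own DOM.
function pageVisibleText(node, out = []) {
  if (node.textContent) out.push(node.textContent);
  for (const child of node.children) pageVisibleText(child, out);
  return out;
}

function demo() {
  const secret = "decrypted: meet at 9, bring the drive"; // constructed sample
  const extensionOrigin = "chrome-extension://exampleid";

  const pageA = makeFakeDocument();
  mountInPageDom(pageA, secret);
  const leaked = pageVisibleText(pageA.body).includes(secret);

  const pageB = makeFakeDocument();
  const frame = mountIsolated(pageB, extensionOrigin);
  // Fake Window for the frame that records what was posted to it.
  frame.contentWindow = {
    inbox: [],
    postMessage(msg, targetOrigin) { this.inbox.push({ msg, targetOrigin }); },
  };
  deliverToFrame(frame, extensionOrigin, secret);
  const contained =
    !pageVisibleText(pageB.body).includes(secret) &&
    frame.contentWindow.inbox[0].msg.payload === secret &&
    frame.contentWindow.inbox[0].targetOrigin === extensionOrigin;

  // Constructed message events as a receiving listener would see them.
  const genuine = { origin: extensionOrigin, source: frame.contentWindow,
                    data: { type: "send", text: "hi" } };
  const forgedByPage = { origin: "https://third-party.example", source: {},
                         data: { type: "send", text: "forged" } };
  return {
    leaked,
    contained,
    genuineAccepted: isTrustedChatMessage(genuine, extensionOrigin, frame.contentWindow),
    forgedRejected: !isTrustedChatMessage(forgedByPage, extensionOrigin, frame.contentWindow),
  };
}
```

In a real extension the frame's `src` would come from `chrome.runtime.getURL("chat.html")` and the listener would compare against that URL's origin; the structural point is the same as in the demo: plaintext and the compose box must never be nodes of the host page's document, and every cross-boundary message must be checked for origin and source before it is acted on.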


  • (Score: 3, Informative) by Knowledge Troll (5948) on Saturday September 08 2018, @05:51PM

    I've always disliked Keybase and thought they had their head up their ass ever since they tried to explain that relaxing PGP web of trust with their system makes things more secure. No it does not - it really fucks up the WoT in fact, thanks Keybase.

    At least this is so epic stupid that most people will recognize they have their head up their ass. I can't fathom how so many professionals I know thought they knew what they were doing even though they know damn well about the PGP WoT issues.
