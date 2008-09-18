from the couldn't-care-less-or-could-they? dept.
Software developer Wladimir Palant has written a blog post explaining a fatal shortcoming in Keybase's browser extension. Keybase claims to offer end-to-end encryption for chat and file sharing despite being inside a browser. The browser extension is apparently flawed in that when it inserts itself into third-party websites, it fails to remain isolated from those sites and thus potentially exposes all secret information or even allows the forging of messages and files under the compromised identity. The response from Keybase to Wladimir has been underwhelming.
Two days ago I decided to take a look at Keybase. Keybase does crypto, is open source and offers security bug bounties for relevant findings — just the perfect investigation subject for me. It didn't take long for me to realize that their browser extension is deeply flawed, so I reported the issue to them via their bug bounty program. The response was rather... remarkable. It can be summed up as: "Yes, we know. But why should we care?"
His recommendation is to uninstall the Keybase browser extension as soon as possible. The status of the phone application is unclear, as he has not looked into it.
(Score: 2) by Runaway1956 on Saturday September 08, @10:54AM
Browse the extensions repository. There are so many, I've never even attempted to count them. A lot of them come, a lot of them go, but some few just stay, and stay, and stay.
I don't much like the idea of giving away my data for free. So, I avoid all those cool but meaningless extensions. uBlock Origin and a few others have stood up to the test of time - those are the ones I stick with.
The community figures out pretty quickly when an author sells out. Adblock fell by the wayside quite a while back. Now, another fake security extension falls.
Think before you believe the claims, and install some POS extension. Do a little research, at least.
