Keybase does not seem to address the same security model as PGP / SSH, and this can be misleading to users.
PGP and SSH both have strong-passphrase recommendations, so that even if a user gains access (remote or local) to your machine (and therefore likely your id_rsa, gpg keys), you are protected from them accessing your encrypted files or server connections while posing as you.
Keybase is harmful to protections against that threat model by:
Providing password-less access to keychains (a remote or local user needs only to run run_keybase)
Providing identity chain destruction with zero identity confirmation (#3135)
The first one is particularly damaging, because one can git clone any repository after running run_keybase without any password or identity confirmation. The data is then presented unencrypted to the user. The fact that this is stored in plaintext on the hard drive could be written off as "Encrypted git protects against server intrusion only".
But for device-level intrusion, what mechanism exists to revoke device access to an encrypted github repository or prevent malicious modifications to server-stored data? Effectively none, beyond "Keep your device secure"?
A user can require password access at any time with keybase logout.
Any lost or compromised device can be revoked at any time from the GUI or CLI of another valid device, and the first device will lose access to encrypted git repos.
ssh is encryption of transport to server which stores data in plaintext
keybase is encryption of git objects before transport to server which only ever sees ciphertext.
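The two steps in the reply above (revoke a lost or compromised device from a device you still trust, and use keybase logout so the local device needs the account password again), as an added shell example that is not code from the Keybase project or from either poster. It assumes the keybase CLI is on PATH with the `keybase device list`, `keybase device remove` and `keybase logout` subcommands, and that `keybase device list` prints each device name on its own line; the KEYBASE variable, the function names and the device names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the Keybase project or from this thread.
# From a trusted device: revoke a lost/compromised device, confirm it is
# gone, and (locally) drop the session so the next keybase action asks for
# the account password again.
# Assumptions: the keybase CLI is on PATH (override with KEYBASE=...), and
# `keybase device list` prints each device's name on its own line.
set -eu

KEYBASE=${KEYBASE:-keybase}

# True when a device with exactly this name shows up in `keybase device list`.
device_present() {
    "$KEYBASE" device list | grep -Fqw -- "$1"
}

# Revoke the named device and verify it no longer appears in the list.
# `keybase device remove` may prompt for confirmation when run interactively.
revoke_device() {
    name=$1
    if ! device_present "$name"; then
        echo "no device named '$name' on this account" >&2
        return 1
    fi
    "$KEYBASE" device remove "$name"
    if device_present "$name"; then
        echo "device '$name' is still listed after removal" >&2
        return 2
    fi
    echo "revoked '$name'"
}

# Local counterpart of the reply's first point: after `keybase logout`, the
# next run_keybase / keybase command on this machine needs the account password.
require_password_locally() {
    "$KEYBASE" logout
}

# Usage: sh revoke.sh <device-name>   (run from a device you still trust)
if [ -n "${1:-}" ]; then
    revoke_device "$1"
fi
```

Run it from the GUI-less CLI of a device you still control; the script refuses to "revoke" a name that is not on the account and reports a failure if the device is still listed afterwards, which is the check a practitioner wants before assuming the stolen device has lost access to encrypted git repos.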