keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

using keybase to verify authenticity of a tweet? #743

Open jedschneider opened 10 years ago

jedschneider commented 10 years ago

Hi, I've verified my twitter identity, but I don't understand how for existing tweets going forward my identity could be verified, e.g., someone could hack my twitter account and publish on behalf of me. Is there a way to sign a tweet in such a way that I have a signature that verifies the status was posted by me, specifically?

This was difficult to search the issues for, so I apologize as I'm sure I am not the first person to ask this. A reference or link with a specific example would be super handy. Thanks!

zQueal commented 10 years ago

someone could hack my twitter account and publish on behalf of me.

That's entirely true. The purpose of the verification, however, is to convey that at the time of authentication you were in possession of your account. There really is no guarantee, especially online, that you're speaking to exactly who you intend. The purpose of PGP is to give yourself, and others "pretty good protection/privacy" against malicious third parties.

As an example, let's say you tweeted at me that you have an item that I want for sale and you accept credit cards. Normally, this would be a pretty sketchy transaction no matter what the circumstances and I vehemently advise against it, however, if at the very least you've verified your identity via twitter with your public identity, I could send you my credit card details encrypted using your public key which can then only be decrypted (depending on options that I chose at the time of encryption) by your private key. Therefore, even if someone has control over your twitter account and is expecting my credit card details in return, because they (probably) don't have control over your private key, my credit card information is relatively safe.

If that example makes any sense.

r000t commented 10 years ago

The way I understand why Keybase "links" websites and Github/Twitter accounts is actually to do the opposite, i.e.:

"I trust this guy on Twitter, and I want to send him something encrypted. Cool, here's his Keybase page. Okay, here's his PGP key, and a Tweet from him, signed with this PGP key, so I'm pretty sure this is his PGP key."

r000t commented 10 years ago

Now that I think about it, though, there may be a way to PGP sign a Tweet, similar to how Keybase Tweets a proof:

1) Compose a Tweet.
2) Take this Tweet and some public and easily-fetched information about it (timestamp, your username, etc.), and put this into a predictable template for a "statement", similar to the proofs.
3) This statement is signed, and the signature hashed. The first/last couple of base64 characters are appended to the end of the Tweet. Possibly a minimum number, and more if there's room.
4) The Tweet is sent.

The only issues are:

1) You do lose some characters.
2) The signature has to be stored somewhere. I'm assuming Keybase stores the signatures for the proofs now, and that's not too much of a burden because there's probably going to be no more than 10 or so of those per account. But now, you're asking them to store signatures for every Tweet you send!

Another (probably more viable) method would be a weekly/monthly "I still own this account!" Tweet with a re-proof.
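The four-step scheme sketched in the comment above, worked through as an added example (this is not code from the thread, from Keybase, or from the Keybase client). It assumes Ed25519 from Go's standard library in place of PGP, a hypothetical " #sig:" separator and an 8-character tag, a length-prefixed statement template, and an in-memory map standing in for wherever the full signatures would be stored. The sample tweet is constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Statement is the "predictable template": the tweet body plus public,
// easily fetched metadata that the signature is bound to.
type Statement struct {
	Username  string // the Twitter handle that posts the tweet
	Timestamp string // when it was posted, e.g. RFC3339 UTC
	Text      string // tweet body without the appended tag
}

const (
	TagSep = " #sig:" // hypothetical marker separating body from tag
	TagLen = 8        // hypothetical tag length, traded against the character budget
)

// canonical renders the statement as length-prefixed fields so that no
// combination of username, timestamp and text can be confused with another.
func (s Statement) canonical() []byte {
	var b strings.Builder
	b.WriteString("tweet-proof/1\n")
	for _, f := range []string{s.Username, s.Timestamp, s.Text} {
		fmt.Fprintf(&b, "%d:%s\n", len(f), f)
	}
	return []byte(b.String())
}

// TagFor is the short value that fits in the tweet: base64 of SHA-256 of the
// full signature, truncated. It identifies the stored signature, nothing more.
func TagFor(sig []byte) string {
	sum := sha256.Sum256(sig)
	return base64.RawURLEncoding.EncodeToString(sum[:])[:TagLen]
}

// SigStore stands in for wherever the full signatures are kept (issue 2 in
// the comment): the tag carried in the tweet is the lookup key.
type SigStore map[string][]byte

// SignTweet signs the statement, files the signature under its tag and
// returns the text to post (body + tag).
func SignTweet(priv ed25519.PrivateKey, store SigStore, s Statement) string {
	sig := ed25519.Sign(priv, s.canonical())
	tag := TagFor(sig)
	store[tag] = sig
	return s.Text + TagSep + tag
}

// SplitPosted separates a posted tweet into body and tag.
func SplitPosted(posted string) (text, tag string, ok bool) {
	i := strings.LastIndex(posted, TagSep)
	if i < 0 || len(posted)-i-len(TagSep) != TagLen {
		return "", "", false
	}
	return posted[:i], posted[i+len(TagSep):], true
}

// VerifyTweet rebuilds the statement from what a reader can see (posted text,
// handle, timestamp), fetches the signature by tag and verifies it. A tweet
// whose body, metadata or tag was altered, or whose signature was never
// stored, fails.
func VerifyTweet(pub ed25519.PublicKey, store SigStore, username, timestamp, posted string) bool {
	text, tag, ok := SplitPosted(posted)
	if !ok {
		return false
	}
	sig, found := store[tag]
	// The tag must be derived from this exact signature, so the store itself
	// need not be trusted: it can only hand back what the tweet committed to.
	if !found || TagFor(sig) != tag {
		return false
	}
	s := Statement{Username: username, Timestamp: timestamp, Text: text}
	return ed25519.Verify(pub, s.canonical(), sig)
}

// NewKeyPair generates a throwaway signing key for the demonstration.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewKeyPair()
	store := SigStore{}
	// Constructed sample tweet; handle and timestamp are illustrative only.
	s := Statement{Username: "jedschneider", Timestamp: "2014-04-01T12:00:00Z", Text: "Selling a spare laptop, DM me"}
	posted := SignTweet(priv, store, s)
	fmt.Println("post:", posted)
	fmt.Println("valid:", VerifyTweet(pub, store, s.Username, s.Timestamp, posted))
	tampered := strings.Replace(posted, "laptop", "kidney", 1)
	fmt.Println("tampered valid:", VerifyTweet(pub, store, s.Username, s.Timestamp, tampered))
}
```

The tag costs a fixed 14 characters here (separator plus 8 base64 characters), which is the "you do lose some characters" cost from the comment made concrete. The tag alone proves nothing; it only names a full signature that must be fetched and checked, and anyone who controls the Twitter account but not the private key cannot produce a tag that verifies for a new tweet.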