New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
There is no way for anonymous users of Keybase to send (encrypted) chat or emails to registered users of Keybase #2886
Comments
Seems like we'd have to have a lot of spam and abuse protection options before this could be turned on. |
That's the main issue I saw as well. Exposing programmatic email functionality definitely seems like a bad idea. Given that the email address associated with the recipient's public key is already public knowledge posted by Keybase, how would you feel about adding a mailto: link to the PGP encrypt Web UI? That doesn't make Keybase any more culpable for email spam (as long as you obfuscate the link), and it increases usability by removing a few clicks. As for Keybase chat messages, why not allow users to opt-in to receiving anonymous chats? This helps solve the spam problem (hard to spam all Keybase users) while expanding usability for those who want a way to chat quick notes at themselves and others from machines they don't trust with their Keybase password. You could optionally add in a "trusted anonymous user" password for this as well, allowing Keybase users to give out a passphrase that allows the anonymous user (maybe themselves) to leave them chats. Basically a "paper key" that grants only the permissions to leave chats for a single user who has opted-in to receive chats from anyone holding that key. Whether you decide to do any of these or not, thanks for reading through my feedback and for such a prompt response. |
Ping. I provided some suggestions above to implement something similar without the same potential for spam. |
Ping |
Yes, these ideas sound interesting. But we're still early in our spam/abuse protection work, and this anonymous feature would depend on having that in place first, so it won't be happening soon, I'm afraid. |
This is a little similar to what I was thinking of to support sending messages to teams/subteams via a simple API call (think Slack webhook notifications). See Keybase client issue 8842 |
(One long year passes.) Please provide a mechanism for anonymous users to send messages and files without identifying themselves. This can be done without much spam by requiring proof of work cryptocurrency style. It can be done in a user's web browser, or within his Keybase client, so the user won't need to do anything other than wait a few minutes for the proof of work to be generated. Perhaps the amount of work can be made proportional to the amount of data being sent. Suppose a whilstleblower A wishes to provide information to a journalist B. B can have a public secure drop managed by Keybase. B can specify how much data he is willing to receive, and how much proof of work will be required. Once an initial message has been sent, the recipient can open up the channel so the sender doesn't need (much) proof of work any more, and larger amounts of data can be sent. It will also be useful to allow A to remain anonymous and still receive replies from B. Also, it appears to me that in order to mintain trust in B's identity over time, A must follow B, and that following will be publicly visible. Not good for whilstleblowers. Maybe it should be possible to privately follow somebody. |
Tutanota has announced a feature that implements this. https://tutanota.com/blog/posts/tutanota-launches-secure-connect-encrypted-contact-form/ But they recommend that whistleblowers use Tor to initiate contact, otherwise the website hosting the encrypted contact form may be logging their IP address. The encryption is said to be end-to-end, but is presumably implemented by JavaScript downloaded from the web server host and hence not immune to the server being hacked. |
I'm not sure if this is exposed in any GUI, however. |
This would be a very useful tool for receiving sensitive information (eg. credit card details) from clients who aren't technical enough to understand GPG and don't want to have to install or sign up for anything. Spam could be avoided by allowing the receiver to generate a sender-specific link which can be decommissioned once the communication is done. |
Another use case: headless server provisionning, when you want to securely store secrets accessible only to a few restricted users. I would like to be able to call I just need to be able to retrieve users/teams public keys and use them to encrypt files |
There's already an excellent UI for taking some arbitrary plaintext and encrypting it for the owner of a given public key via the web, but there's no way to send that as a message to an existing Keybase user unless a) you have some external email service and you're willing to do the copy+paste+email dance or b) you have a Keybase account and you're using Chat.
Why not add a Web UI for sending a chat message without requiring login?
FYI, I perused the API docs to see if I could accomplish this myself with the provided APIs, but I didn't see this anywhere. I'd be happy with an API that does this even without a web UI.
The text was updated successfully, but these errors were encountered: