Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

馃啎 Software Suggestion | Keybase #740

Closed
pdjpdjpdj opened this issue Jan 26, 2019 · 15 comments 路 Fixed by #1087

Comments

@pdjpdjpdj
Copy link
Contributor

commented Jan 26, 2019

Basic Information

Name: Keybase
Category: e2eE chat, e2eE storage with kbfs, e2eE private git repo, cryptographic account linkability and proof of identity
URL: https://keybase.io/

Description

Imho Keybase should be added. It's early days for a lot of it's features but still already nice filestorage with better guarantees than the competitors. E2E chat and

@pdjpdjpdj

This comment has been minimized.

Copy link
Contributor Author

commented Jan 26, 2019

So Adding keybase to?

  • Encrypted Cloud Storage Services
  • Secure hosting provider (e2eE git repository hosting)
@beerisgood

This comment has been minimized.

Copy link

commented Jan 26, 2019

Site doesn't have CSP policy, track referer, use Amazon AWS server (from USA)
Not realy recommend for important/ private data.

See https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fkeybase.io

@infosec-handbook

This comment has been minimized.

Copy link
Contributor

commented Jan 26, 2019

@beerisgood

Site doesn't have CSP policy, track referer

You don't have to go to the website to use Keybase.

use Amazon AWS server (from USA)

DuckDuckGo uses AWS, Signal uses AWS, GitHub uses AWS 鈥 all recommended by privacytools.io 鈥 So there are more recommendations on privacytools.io that don't match your criteria.

@beerisgood

This comment has been minimized.

Copy link

commented Jan 26, 2019

@infosec-handbook maybe nobody see this problem with Amazon yet?
But it's there and should be noticed

@ghost

This comment has been minimized.

Copy link

commented Feb 3, 2019

This criticism of keybase is 1 year old, so I'm not sure how much of it still applies:

Keybase, we have a problem.

The Keybase software and service are both littered with severe bugs that create a security and legal nightmare. Here are some of the issues:

  • Deception: Their software is a server masquerading as a client app. They simply call it an "app" on this page: https://keybase.io/docs/the_app/install_linux but it's actually a surreptitious server that runs continuously in the background as a daemon.

  • Deception: Tor mode serves only to mislead users. The tool actually surreptitiously phones home to the central server of Keybase, Inc. without using Tor at all. This is not the usual DNS leak that Tor users are accustomed to, the connection itself takes place outside of the #Tor network. It's not incidental. This is in their privacy policy: "When you access or use the Service,we automatically collect and store information about your browsing habits and your use of the Service (鈥淯sage Information鈥),including: a. Your computer鈥檚 IP address.. f. Session times and lengths"

  • Malice: Keybase is designed to reverse users' edits to the run_keybase script. So users who try to patch the leaks by introducing torsocks wrappers in that script will learn who really owns that tool on the next upgrade or downgrade, when the script is overwritten. The overwriting is also silent, so some users will be unaware when their traffic becomes exposed. This also means adding firejail sandboxing to that script will also be reversed. It's no accident, they enforce it in the ToS that you agree to: "We may automatically check your version of the Software. We may also automatically download to your computer or device new versions of the Software."

  • SoftwareFreedom: The javascript on www.keybase.io is non-free software (it fails the #LibreJS test).

  • Malice: There are so many security bugs that keybase developer Jack O'Connor ("oconnor663") is outright deleting some of the more embarrassing security-critical bug reports. This censorship is the most malicious variety because it blocks other users from becoming aware of pitfalls in software that they have trusted. (Hence this article, which is out of reach for Jack O'Connor to censor)

  • Malice: The login webform is coded as a pop-up to force users to disable their ad blockers.

  • Malice: Users who are wise enough to distrust the keybase server have no way to receive messages that are collected through the Keybase Chat mechanism.

  • Deception: People who send messages using Keybase Chat are not given feedback on non-delivery. So humans are actually composing messages that are silently black-holed! Nothing is more reckless and irresponsible than a messaging service that fails to deliver without telling the sender. What's even more perverse is that non-delivery is not a rare event-- it's simply a matter of the recipient not running their junk software. So it's designed to cause widespread harm, the scale of which that could provoke a class action. So they've actually written a clause in their ToS to attempt to block class actions: 'Any Claim must be brought in the respective party鈥檚 individual capacity, and not as a plaintiff or class member in any purported class, collective,representative, multiple plaintiff, or similar proceeding (鈥淐lass Action鈥).' They also have: INDEMNIFICATION, LIMITATION OF LIABILITY, ARBITRATION, and NO WARRANTY clauses to block all actionability of their malice.

  • Bug: Further exacerbating the previous two issues is the fact that the "Keybase Chat" button cannot be disabled. Users not running the dodgy software are still forced to have this blackhole-feeding mechanism on their profiles.

  • Hypocrisy: Keybase sends all notifications in-the-clear as plaintext despite having the recipients pubkey and having built their own software to use it. Keybase, Inc does not eat their own dog food.

  • Bug: If you disable the (insecure) notifications and you are not running their (insecure) software, then you have no way of knowing that someone has tried to send a message. So human-written messages are not only black-holed, but both sender and recipient are unaware of the non-delivery.

  • Bug: The Keybase installer creates the directory "/keybase" with all world privileges (and yes, they root it in "/"). The keybase developers have said they believe that mounting a filesystem to that directory blocks access to it (so they are unaware of bind mounts).

  • Malice: advertising is opt-out, not opt-in. From their ToS: "we may send you communications..promotional information and materials..We give you the opportunity to opt-out of receiving promotional electronic mail from us by following the opt-out instructions provided in the message." They are encouraging users to use an unsubscribe link in a spam message. Informed users know is a bad idea, as it signals that an e-mail address is actively in use.

  • Bug: Keybase does not sign their e-mail messages, thus exposing their users to phishing attacks. Keybase, Inc again demonstrates they don't eat their own dog food.

  • Deception: They say files are end-to-end encrypted, but this legal loophole gives them immunity for any shenanigans in that regard: "We collect and store files and information that you transmit to other parties using the Service or that you elect to store on the Service."

  • Deception: This appears on the Keybase website: "The Keybase website is ok, but the Keybase app is faster, safer, and more powerful than doing it in a browser." When they say the "website is ok", it's a gross oversight to imply that you can rely on the website alone when doing so entails forfeiting access to inbound messages (for which the collection cannot be disabled). And when they say the "app is safer", it's a lie.

@Mikaela

This comment has been minimized.

Copy link
Member

commented Feb 3, 2019

cryptographic account linkability and proof of identity

This is what most of people I know using it use it for, but I have recently became aware of Indieweb and it's rel=me that do account linkability (at least with Mastodon it works both ways) and proof of identity, even if not cryptographically. I don't know how it could be proposed instead on Privacytools.io.

@pdjpdjpdj

This comment has been minimized.

Copy link
Contributor Author

commented Feb 9, 2019

@beerisgood and @libBletchley Thanks for the feedback I'll look into this because I wasn't aware honestly.

@ghost

This comment has been minimized.

Copy link

commented Mar 9, 2019

@infosec-handbook

DuckDuckGo uses AWS, Signal uses AWS, GitHub uses AWS 鈥 all recommended by privacytools.io 鈥 So there are more recommendations on privacytools.io that don't match your criteria.

Those are all problematic services that should be removed from privacytools.io or heavily cautioned - not just for using AWS.

Also, Amazon is a privacy abuser:

  • Amazon and Microsoft paid $200k each to fight privacy in CA.
  • Amazon uses FedEx (an NRA-supporting ALEC member who feeds republican warchests [republican policy is bad for privacy]).
  • Amazon spent $30 million and ranked in the top 5 promoters of Facebook ads in 2012 (thus substantially feeding a privacy abuser).
  • Amazon drug tests its employees, thus intruding on their privacy outside the workplace.
  • Amazon supported CISA.
  • Amazon is making an astronomical investment in facial recognition.

Apart from AWS being untrustworthy, it's detrimental to privacy to promote anything that feeds Amazon financially.

@infosec-handbook

This comment has been minimized.

Copy link
Contributor

commented Mar 10, 2019

@libBletchley

I just looked at your "significant list of privacy problems" in Signal. I can't agree since one can install Signal using the official apk provided at https://signal.org/android/apk/. Furthermore, you don't need Google on your phone. The rest are mostly technical issues with Debian (if true).

Moreover, I don't get why you use GitHub (hosted by AWS) for more than 3 years if your privacy gets abused by doing so?

@ghost

This comment has been minimized.

Copy link

commented Mar 10, 2019

@infosec-handbook

one can install Signal using the official apk provided at https://signal.org/android/apk/

There are half a dozen problems with that. I've just introduced #779. Scroll down to item "3" on that page.

Furthermore, you don't need Google on your phone.

I think you mean to say users don't need Google's Playstore app on their phone. While that's true, the third-party apps do not obviate any of the privacy abuses I've enumerated. In particular, users still need a Google account to access the apps and that's what mushrooms into many abuses both with obtaining the account and also with using it. And again, the small minority of users who manage to circumvent the Playstore app are not the target audience of privacytools.io.

The rest are mostly technical issues with Debian (if true).

You missed the CloudFlare discussion. Signal subjects users looking for support information to CloudFlare.

Centralization on AWS is also a problem.

Moreover, I don't get why you use GitHub (hosted by AWS) for more than 3 years if your privacy gets abused by doing so?

I registered on Github before MS was the owner and only just learned yesterday from your Jan. 26 post that AWS was involved.

Privacytools.io needs to move away from Github and until they do it's indeed a conflict of interest. Prism-break project made the good decision to leave github.com only to then make the poor decision to use gitlab.com. There are better options than both of them but this isn't the thread for that chat.

The first step needed is to get privacytoolsio off github and get it endorsing something consistent with its values. The next step to pimp privacytoolsio updated endorsement to other projects.

@Mikaela

This comment has been minimized.

@JonahAragon

This comment has been minimized.

Copy link
Member

commented Mar 29, 2019

Privacytools.io needs to move away from Github and until they do it's indeed a conflict of interest. Prism-break project made the good decision to leave github.com only to then make the poor decision to use gitlab.com. There are better options than both of them but this isn't the thread for that chat.

The first step needed is to get privacytoolsio off github and get it endorsing something consistent with its values. The next step to pimp privacytoolsio updated endorsement to other projects.

@libBletchley what platform do you suggest privacytoolsio move to, out of curiosity?

@ghost

This comment has been minimized.

Copy link

commented Apr 9, 2019

Keybase.io privacy issue: the MX servers for @keybase.io addresses is gmail.com.

@JonahAragon

what platform do you suggest privacytoolsio move to, out of curiosity?

I suggest Notabug.org. Just opened #843 for this discussion.

@Mikaela

This comment has been minimized.

Copy link
Member

commented May 30, 2019

Keybase has found its way to my i3 config and is one of the three chat apps I support enough to autostart (after deleting Facebook聽Messenger and Facebook聽WhatsApp, I like how it stays in the tray and there are nice people in their teams, so I guess I should raise this thread and try to comment (even if it's a bit weird with the other party being a 馃懟, but I hope others may have insight).

Deception: Their software is a server masquerading as a client app. They simply call it an "app" on this page: https://keybase.io/docs/the_app/install_linux but it's actually a surreptitious server that runs continuously in the background as a daemon.

Doesn't this mean that the actual Keybase.io server needs to be trusted less?

Deception: Tor mode serves only to mislead users. The tool actually surreptitiously phones home to the central server of Keybase, Inc. without using Tor at all. This is not the usual DNS leak that Tor users are accustomed to, the connection itself takes place outside of the #Tor network. It's not incidental. This is in their privacy policy: "When you access or use the Service,we automatically collect and store information about your browsing habits and your use of the Service (鈥淯sage Information鈥),including: a. Your computer鈥檚 IP address.. f. Session times and lengths"

I haven't read their privacy policy recently, but I think this is implied in their Tor mode documentation which says that it's not supported by Keybase GUI and to enable Tor mode you set it either as leaky or strict (which is currently said to be broken). https://keybase.io/docs/command_line/tor

Malice: There are so many security bugs that keybase developer Jack O'Connor ("oconnor663") is outright deleting some of the more embarrassing security-critical bug reports. This censorship is the most malicious variety because it blocks other users from becoming aware of pitfalls in software that they have trusted. (Hence this article, which is out of reach for Jack O'Connor to censor)

What are these some of the more embarrassing security-critical bug reports?

Bug: The Keybase installer creates the directory "/keybase" with all world privileges (and yes, they root it in "/"). The keybase developers have said they believe that mounting a filesystem to that directory blocks access to it (so they are unaware of bind mounts).

IPFS is also doing this, however with it this is opt-in.

Malice: advertising is opt-out, not opt-in. From their ToS: "we may send you communications..promotional information and materials..We give you the opportunity to opt-out of receiving promotional electronic mail from us by following the opt-out instructions provided in the message." They are encouraging users to use an unsubscribe link in a spam message. Informed users know is a bad idea, as it signals that an e-mail address is actively in use.

I should check this as this is not legal under GDPR.

Deception: This appears on the Keybase website: "The Keybase website is ok, but the Keybase app is faster, safer, and more powerful than doing it in a browser." When they say the "website is ok", it's a gross oversight to imply that you can rely on the website alone when doing so entails forfeiting access to inbound messages (for which the collection cannot be disabled). And when they say the "app is safer", it's a lie.

I should check this too, I would also say that in practice you need the app to do anything, especially if you wish to use their version of 2FA, https://keybase.io/docs/lockdown/index

@Mikaela

This comment has been minimized.

Copy link
Member

commented Jul 20, 2019

I should add that I have since learned that the Keybase server isn't open source (only the client is), while I was previously in impression it was open. keybase/client#6374

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants
You can鈥檛 perform that action at this time.