commit: a36920198708140df87ba9f89bb9285a7c1c1ef5
parent c19cbf670e1bd615fe5977f1acd445b6898e6364
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Wed, 17 Apr 2019 09:06:17 +0200
articles/Pretty Bad Privacy: Keybase update
Diffstat:
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/articles/Pretty Bad Privacy.xhtml b/articles/Pretty Bad Privacy.xhtml
@@ -134,7 +134,13 @@ Compression: Uncompressed, ZIP, ZLIB, BZIP2
<p>There is no forward secrecy</p><!-- FIXME: seems to be for online apps or similar, not email; to be verified -->
<h2>OpenPGP in real life</h2>
<p>Real Name policy and other stuff that should be optionnal in the Public Key Verification process (An ID card? Seriously?).</p>
-<p>Quite a lot of people are trusting <a href="https://keybase.io/">keybase.io</a> to kinda fix a part of the Web-of-Trust, I do not like this one, it seems to basically be a social-media keyserver where you give it a lot of information for “verification”, and of couse the software is proprietary and it’s centralised. I think putting your fingerprint everywhere you can and putting you minimal public key on your blog is a much better way, and it can be automatised a bit (OPENPGPKEY DNS record, IndieWeb <code>rel="openpgp"</code>, …).</p>
+<h2>Bonus: Keybase is a fuck</h2>
+<p>Keybase is what you get when you want crypto (just the math), but you do not care about security (they are called secrets for a reason) or privacy (social-media with a cryptographically verified graph that lives forever…).</p>
+<ul>
+ <li>You are encouraged to upload your private keys to them, with <a href="https://keybase.io/triplesec">their own algorithm</a>) and it is hard to revoke (Please revoke your key and create another): <a href="https://github.com/keybase/keybase-issues/issues/160">Uploading private keys puts users at risk, keybase/keybase-issues#160</a>, <a href="https://github.com/keybase/keybase-issues/issues/731">Can't revoke the proof from web, keybase/keybase-issues#731</a> (note: even after revocation it could still be verified, revocation being advisory), <a href="https://github.com/keybase/keybase-issues/issues/1946">GPG smartcard security bypassed by delegated private key, keybase/keybase-issues#1946</a>, <a href="https://github.com/keybase/keybase-issues/issues/1912">How to export private key from keybase with API or kbpgp.js?, keybase/keybase-issues#1912</a></li>
+ <li>It is centralised (and so proprietary) and harms decentralisation. For example: pleroma basically can’t have keybase integration because the instances are too small, lol, mastodon instances are way too big.</li>
+</ul>
+<p>As an alternative (and if you still want OpenPGP), I think putting your fingerprint everywhere you can and putting you minimal public key on your blog is a much better way, and it can be automatised a bit (OPENPGPKEY DNS record, IndieWeb <code>rel="openpgp"</code>, …).</p>
<h2>See also</h2>
<ul>
<li><a href="https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html">Pretty Bad {Protocol,People}</a></li>
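Review bot: the added `<li>` about private-key upload has an unbalanced parenthesis ("with <a href="https://keybase.io/triplesec">their own algorithm</a>)" closes a paren that was never opened) and the new closing `<p>` still reads "putting you minimal public key" (should be "your"); suggest "upload your private keys to them (with <a href="https://keybase.io/triplesec">their own algorithm</a>)" and "putting your minimal public key". Also, the parenthetical "even after revocation it could still be verified, revocation being advisory" is attached to keybase-issues#731, whose title only covers not being able to revoke a proof from the web UI; either cite the issue that documents that advisory-revocation behaviour or phrase it as your own observation so the link does not appear to support more than it does.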
diff --git a/feed.atom b/feed.atom
@@ -36,7 +36,7 @@
<link rel="alternate" type="text/html" href="/articles/Pretty%20Bad%20Privacy"/>
<id>https://hacktivis.me/articles/Pretty%20Bad%20Privacy</id>
<published>2019-03-07T01:00:04Z</published>
- <updated>2019-03-07T07:32:00Z</updated>
+ <updated>2019-04-17T07:06:17Z</updated>
<content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<!--#include file="/articles/Pretty Bad Privacy.xhtml"-->
</div></content>
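Review bot: the new `<updated>` value 2019-04-17T07:06:17Z matches the commit date (Wed, 17 Apr 2019 09:06:17 +0200) converted to UTC, and `<published>` is correctly left untouched; since this field has to be kept in step with the article's commit by hand, consider generating it from the commit timestamp so the feed cannot drift from the article on later edits.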