Ask HN: Does anyone actually use Keybase?
59 points by aportnoy on Sept 25, 2018 | 71 comments
Every other HN profile lists a Keybase public key and a proof, but has anyone actually needed to prove their identity on HN? Does anyone use Keybase for encrypted communication?



I have used Keybase since it first showed up on HN for Comms and Git. Technically I have done the proofs for identity, but no one cares about that.

The Git usage was really nice. It's fast and secure. While I didn't use it for most projects (because I want them on github/gitlab for various reasons), it was very useful for backing up machine specific configs and history (using a script and mackup). Knowing that it was well encrypted made me not worry about what was being backed up, if there were credentials, etc.

As for comms, I used the 1:1 chat with a friend for quite a while. While it worked, it's slow. Sending messages is a little slow, sending images is VERY slow. Anytime the app is closed (like constantly on the phone), re-open times were slow (for decryption). Eventually I gave it up and moved those few chats over to Telegram (Because it's secure enough for most conversations).


Did you consider Signal when you moved to Telegram, if so any particular reason(s)?


I tried Signal and Telegram. But I prefer Wire instead. It's secure by default, cross-platform, multi-device, and simple enough for Mom & Dad to use.


How does that differ from Signal?


No Signal Web app. So, not as cross-platform.


Is the desktop app not cross-platform enough? https://signal.org/download/


Wire & Telegram are both cloud connected, while Apps on the Signal protocol depend on your phone to be functioning and in reach AFAIK (huge annoyance/problem for me).


That's not true about Signal. You may probably be facing some bug that should be reported to the Signal team.

Telegram is completely cloud based. So all your conversations, except secret chats that are end-to-end encrypted, are stored on Telegram servers in plain text for as long as your account is active. This is why you can get a new device, activate it for your account and get all your conversations back on it from the Telegram servers.

Wire and Signal work differently. They use their servers as a temporary storage to hold your messages until the recipient comes online and then deliver them. Wire also retains the messages for a few days to allow delivery to multiple devices that a user may be using, with each device possibly coming online at different times. Signal doesn't have to support this because it's tied only to a single device, which is your phone.


Not the GP, but Telegram > Wire > Signal on user experience, features, message delivery speed, etc. There's simply no comparison at all on these aspects.


I used it initially but then found out that bare gpg covers most of my needs.

For example:

- passwords using pass [0] decrypted with Yubikey, and with Password Store [1] on Android (the same repo, the same Yubikey),

- FDE with LUKS decrypted on boot with Yubikey [2],

- encrypted e-mails with Enigmail and K9/OpenKeychain on Android, works with the same Yubikey 4C token! Web Key Directory on own domain for easy e-mail -> key mapping,

- OpenKeychain also has "linked identities" (verifying social profiles) but at this point I consider it barely useful stamp collection,

- for E2E instant messages Conversations [3] with OMEMO.

[0]: https://www.passwordstore.org/

[1]: https://github.com/zeapo/Android-Password-Store

[2]: https://github.com/fuhry/initramfs-scencrypt

[3]: https://conversations.im/


I don’t, but I’ve rarely needed to send files etc to other hacker news users.

I would LOVE it if I could use keybase to send a copy of my passport to companies (for example) which is necessary for day to day life, and always done in a ridiculously insecure way. :(


To be clear, I 100% support keybase, and if I thought there was a chance in hell of getting some other non-tech person to use it, I would put in the effort.

I just don't see myself being able to convince some recruiter, or HR person or something to sign up and install keybase just to get a file from me.


Sounds like what Telegram Passport is trying to do.

https://telegram.org/blog/passport


It's a much bigger stretch to have companies change the underlying method of verification instead of the method of transport though ...


I've thought about this problem, especially in LATAM countries where gov agencies are still ages behind in terms of security/compliance and sharing these types of documents. There is definitely a need for this.


I'd be more worried about where they store that passport picture instead of how it gets there.


Keybase is shitty. They had the ambition to somehow build a new generation of keyservers, they built it using technology that could easily be a distributed protocol and then they made it a completely centralized and commercial bs crypto startup. So much waste since keyservers and distributed identity (and reputation, and naming system in general) is a field where everything is still to do. They could have overthrown DNS (machine names) and HTTPS (certified names; any CA-based ssl system) and google contact ("people" names). I'm very salty that they've diverted so much hype in that area for so few results.


I've been using it for encrypted communication for years, but I only provided an HN identity because I was essentially collecting stamps.


I considered using it, tried registering but had some issues. Tried reaching out to them but it seems like there is absolutely no way to contact them (other than their twitter, which looks somewhat abandoned).

This made me pretty suspicious, but especially since https://keybase.io/support is just another user claiming to be Keybase support. That's a huge red flag in my book, more so for a security product.

I don't know, but for me this didn't really inspire much confidence.


I've had good luck communicating with them on the public team keybasefriends. They have various channels for different features, but asking on #general is usually a good way to get help, either from someone from Keybase or someone else who knows the answer to the question.


Interesting. I guess only being available for help on the app one made is one way to crank up the number of installs.


I use KBFS and encrypted Git almost every day.

I've never needed the identity proofs. The teams/chat features are great but I rarely use those either. Maybe when adoption increases, but until then I'm loving my free 250 GB cloud drive and unlimited Git repos up to 100 GB.


I use it solely for hacker cred.


Prove identity: no

Encrypted communication (and files): yes, we use it for Solo, and we also have a public team https://keybase.io/team/solokeys.public


Yes, mostly as a means of verifying identity across accounts.

I'd probably pay a few bucks a year (thinking 20) for the base identity service, if we're being frank. Even if the only separation between a free tier and a paid tier is e.g. more service integrations and an uptime SLA... sure, why not?


I use it. I've been impressed with all the improvements they've made over the years. I've struggled to get other people to use it though, but I have had some success and when I've talked other people into signing up it has worked well.


I use keybase almost exclusively as an encrypted git tool. My personal notebooks live there.


It's hard enough to get people to use signal...


When I first heard about it, I signed up for it and set it up on all of my computers and devices.

I also evangelized it pretty heavily and managed to get about 10 other people to use it.

Unfortunately, I ran into some pretty major issues with the desktop clients. They seemed to be coded pretty poorly, eating up massive amounts of CPU and/or RAM, and sometimes even causing my computer to freeze.

In practice, there also didn't seem to be much point to encrypting conversations if there was no password required to actually see them (if someone got a hold of my computer). And (at the time) there was no way to delete a message.

Due to these issues, I ended up installing it.

I'm curious if things have gotten any better since then?


Editing/deleting messages is now possible, along with options for automatically expiring messages.

Not sure if the desktop clients have improved, but I haven't had any issues in the last year or so.


I've used it in several communities to prove identity and statements in cases where I both have either authority or a need to be trusted, since I choose to remain pseudonymous.

It's easier for people to grasp/verify than the alternative ("pure PGP"). They go to /verify, paste in my message, and make sure it confirms as me. Keybase being compromised is outside the scope of the threat model - the threat model is mostly "impostors pretending to be me trying to get you to download potentially harmful files". People have no reason to know who I am but they do have a need to verify I am who I say I am.
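The workflow this comment describes (a pseudonymous author signs a statement, readers check the signature against the author's published key, and an impostor's or tampered statement fails the check) is illustrated below with a self-contained Go program. This is an added example, not Keybase's own code or its saltpack message format: it uses a plain Ed25519 key from the Go standard library, generates the "author" and "impostor" keypairs at runtime, and embeds a constructed release statement with a placeholder digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed sample statement of the kind a pseudonymous maintainer might
// publish: which file is genuine and what its digest is. The digest is a
// placeholder, not a real release hash.
const ReleaseStatement = "release: tool-v1.2.tar.gz sha256=<PLACEHOLDER_DIGEST> by pseudonymous-maintainer"

// Verifier holds the one public key a reader has pinned out of band (the
// equivalent of looking up the author's profile once and remembering it).
type Verifier struct {
	pinned ed25519.PublicKey
}

// NewVerifier pins the author's public key; every later check is against it.
func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pinned: pub}
}

// Verify reports whether sig is a valid signature over statement under the
// pinned key. A malformed signature length is rejected up front rather than
// being passed to the library.
func (v *Verifier) Verify(statement, sig []byte) bool {
	if len(v.pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(v.pinned, statement, sig)
}

// Sign is the author-side step: produce a detached signature for a statement.
func Sign(priv ed25519.PrivateKey, statement []byte) []byte {
	return ed25519.Sign(priv, statement)
}

// GenerateKeypair creates a fresh Ed25519 identity (used here for both the
// genuine author and the impostor so the example runs offline).
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Scenario runs the three cases a reader cares about and returns, in order:
// genuine statement accepted, tampered statement rejected, impostor rejected.
func Scenario() (genuineOK, tamperedOK, impostorOK bool, err error) {
	authorPub, authorPriv, err := GenerateKeypair()
	if err != nil {
		return false, false, false, err
	}
	_, impostorPriv, err := GenerateKeypair()
	if err != nil {
		return false, false, false, err
	}

	// The reader pins only the genuine author's key.
	v := NewVerifier(authorPub)

	// Case 1: the author's own signed statement verifies.
	sig := Sign(authorPriv, []byte(ReleaseStatement))
	genuineOK = v.Verify([]byte(ReleaseStatement), sig)

	// Case 2: someone swaps the filename/digest but reuses the old signature.
	tampered := []byte("release: tool-v1.2-EVIL.tar.gz sha256=<PLACEHOLDER_DIGEST> by pseudonymous-maintainer")
	tamperedOK = v.Verify(tampered, sig)

	// Case 3: an impostor signs the same text with their own key.
	impostorSig := Sign(impostorPriv, []byte(ReleaseStatement))
	impostorOK = v.Verify([]byte(ReleaseStatement), impostorSig)

	return genuineOK, tamperedOK, impostorOK, nil
}

func main() {
	g, t, i, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine accepted: %v\ntampered accepted: %v\nimpostor accepted: %v\n", g, t, i)
	// Show what a reader would paste alongside the statement.
	pub, priv, _ := GenerateKeypair()
	fmt.Println("example pubkey:", hex.EncodeToString(pub))
	fmt.Println("example sig:   ", hex.EncodeToString(Sign(priv, []byte(ReleaseStatement))))
}
```

The point the comment makes is visible in the three results: verification answers only "was this exact text signed by the pinned key", which is all a reader needs to reject both a modified statement and an impostor, without knowing who the author actually is. Trust in the key-to-identity binding itself (here, the pinning step) is the part a service like Keybase is being relied on for.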


I host my website on keybase and use git and messaging to do freelance jobs. If anyone's interested here it is https://turbocafe.keybase.pub


I use it, in the sense my public key is on there, and I follow a bunch of people on there, but since they invented their own crypto model, it's just a place to store public keys.


I use the git aspects of it heavily for projects where I get lazy and should be using proper secret storage (for example Ansible playbooks with secrets not secure...). This is far from ideal, but makes personal development a great experience.

Secondly to that, we heavily considered and trialed it at work to unseal Hashicorp Vault. You can add a single identity that is able to unseal, and having that person verify in the keybase-esque method is a great idea.


Maybe if I had the need to prove my identity but I'm just an anonymous coward.

I do like keybase but practically in my day-to-day life GPG ends up filling all my needs.


We use it as a quick and dirty shared secret storage at work (when you need to pass someone an API key or stash some service credentials somewhere). It works, and keeps those things from sitting around in plaintext, but I've been trying to move everything that's stored there to something like Hashicorp Vault or GCP/AWS KMS so we have a proper audit trail and key rotation.


I've started using kbfs for personal notes and encrypted git for financial planning code.

We're also trying Keybase out as a family chat channel. I really like the CLI interface and the integration with kbfs, and of course the e2e encryption. We're probably going to stick with Slack for now, though, mainly because it runs on Chromebooks.


It has mostly replaced gpg in my usage. It's not common, but it's present. HashiCorp Vault has a nice integration.


I’ve been using the encrypted git feature to backup dot files and other bits of system config. At work, my dev team uses the FS and chat features for sharing sensitive files we don’t want sitting around on email, google drive, etc. Overall I think it’s a pretty great product and I hope it stays around for a while.


When it was new I was excited about it and it pushed me over the edge to actually starting my usage of GPG and setting it up properly with smartcards etc.

Then I started to go to keysignings etc and started using the keyserver infrastructure etc.

And then it took a while and I realized that I never used keybase and removed my account.


I’ve had others use their browser-based encryption form to send me sensitive data before — that’s pretty handy.


Right now I use it for encrypted file storage and private git repositories that I don't want anyone looking at. I don't have 100% trust in the security of the platform, but I prefer it to Dropbox or Google Drive where the probability of someone snooping around my files seems higher.


At least the Keybase code is open, so even if you can't personally validate that it's secure, someone else can.

Neither Dropbox nor Google encrypts and keeps the keys client side, so not trusting them is probably the right thing to do (also Dropbox has been misleading in the past about their security, so that's another reason one should be careful).


I use it for private repos and convos. I want to use it a lot more. It just makes sense. Unfortunately not a lot of people I know use it.

Add me if you care to make a pen pal. https://keybase.io/dfischer


Our team uses it to share sensitive docs (logs, user details, api keys etc.) and occasionally as a secure chat channel (i.e. if we want to communicate off work Slack).

I have a copy of some important docs (taxes, etc.) in my private KBFS.


I'm currently using it for git, principally for storing personal dotfiles (.ssh/config, etc.) that I need on a couple workstations. It looks neat, but it suffers from a mindshare problem as a social network.


Yes, I use its git feature for certain projects, and have used it for chat for a while. I have found if I come across a developer who has a profile it's the easiest way to get in touch with them.


I would use it if they provide a way to "lock" local installation or to make it portable: I want to use it in my office PC, which can be accessed by lots of people...


Yes, it's critical to bind pubkey to identity: https://keybase.io/qertoip


I've reached out to people with it, and it turns out that they actually respond! Who'd've thunk? It's nice for encrypted cloud storage too.


A Keybase key could be used to signal you are a 'real hacker'. A bit like using Vim, Emacs or butterflies could be used to that end.


I use it for a few of my personal Git repos, but that's about it. Some file storage but nothing too huge or important.


The Keybase filesystem docs still contain the text:

"At the time of this document, there are very few people using this system. We're just getting started testing. Note that we could, hypothetically, lose your data at any time. Or push a bug that makes you throw away your private keys. Ugh, burn."

And considering that kbfs is one of the more mature parts of Keybase, it has never inspired confidence in me that any of it is really ready for serious use.


I used it to sign my "will"...reading this reminds me I gotta get a real lawyer to take a look at that!


I use it for git repo management on some of my home things. Have not used it for much outside of that.


A few engineers at my start-up were using keybase to share credentials between them, as well as between company and/or personal laptops. A lot of information was exposed to the wild internet (machine names, developer names, connections between them, ...) posing a clear security risk. My experience is that most engineers do not understand how to safely use keybase at that point.


How is that information a security problem greater than say LinkedIn?

Also, I'm curious where machine names were being exposed in Keybase?


Machine names, example from a Keybase founder: https://keybase.io/chris/devices


You choose those names when you add the device. It can be anything.

That said, it would probably be good if they added a note saying that the device name you choose is public, which is not really clear in the current UI.


specifically to prove my identity? no.

i used the filestorage/filesharing earlier and was happy about the git repository support though.

there were however very few of us, and we all dropped it when they jumped on the crypto currency wagon.


I deleted my account after not using it for a long time for anything.


Sure thing. I do.

I keep asking my friends to join up. Let's try the team feature!

So far, no luck.


I created an account last week, but I haven't used it yet.


My current team and I use it to share files for the most part.


Frequently for chat and file sharing.


For cloud storage backups


Why would anyone tell you if they did?


Why would anyone want to hide that? Not an expert in security, maybe I don't have the mental model.


It's just a way of minimising your footprint. If you google me, and can't find what services I use, it makes it that much harder to try and find a foothold into hacking something, or building up a profile.


Then you wouldn't be using Keybase if that was part of your threat model - since a significant point of using it is to tie together and prove identities across some popular sites on the net.

See: https://keybase.io/nadya


This is why I use a different username on each site. Some people use the same username on HN, github, reddit, gmail, etc. (and then they complain about internet privacy and being tracked.)



