Hacker News new | ask | show | jobs
by gexcolo 3245 days ago
What bugs me about the direction Keybase is going is that they still have not implemented a way of disabling the ability for users to send me encrypted messages.

I do not want Keybase to hoard encrypted messages I will never be able to read because I do not want to install their application on my computer. My Github issue for this has gone largely ignored:

https://github.com/keybase/keybase-issues/issues/2808

I am thinking I am long overdue to placeholder my account until this is solved. I already have 10 encrypted messages I will never be able to read. I joined Keybase as a public key repository with external verification support, not for them to store private conversations -- encrypted or not.
2 comments
cyphar 3245 days ago
> I joined Keybase as a public key repository with external verification support, not for them to store private conversations -- encrypted or not.

While I agree with your comments on feature-creep, in order for you to worry about someone having a copy of your encrypted communications you must assume that the encryption scheme is completely broken. This raises the question: why are you using PGP at all if you think the cryptography is broken?

link
tommi 3245 days ago
Keybase has created an inbox in your name which in turn creates a social contract on your behalf to check it. Existing users signed up for something different, so no wonder some of them want to disable that feature.
link
cyphar 3245 days ago
Again, I agree with the feature-creep point. What I was asking about is why is the connotation about private messages seem to imply that they don't think encryption is sufficient for a third party to hold a copy of a message they will never read.
link
honestlyreally 3244 days ago
Is this not the concept of forward secrecy? Crypto can be safe today and broken tomorrow.
link
cyphar 3244 days ago
Not really. PFS is about protecting a long-term key from being broken and then historical communications being uncovered. If you receive a one-off message then it's not materially different to being PFS with just a single message.
link
gexcolo 3245 days ago
I use PGP every day. Who messages me, how often, and at what times, is still private information and I should have a say in where and how that happens. My PGP-encrypted conversations tend to be much more sensitive than any other medium I use.

The cryptography is almost certainly not broken. That does not mean it won't be broken in the future. I would have the same concern if my TLS-encrypted traffic was being saved. If my ISP was saving TLS traffic or my XMPP provider (the one that I don't host, anyway) was saving OTR conversations, I would be equally concerned.

Even worse, actually. TLS (usually, nowadays) and OTR both employ forward secrecy. PGP does not, at least traditionally.

link
beaner 3245 days ago
People could just post these encrypted messages on pastebin, Dropbox, whatever. It's someone else's choice to send you the message and paste it somewhere. You can choose to ignore it, but it's not really your right to tell someone else not to do it.
link