by lucb1e 2390 days ago
Edit: this comment can be ignored since it doesn't seem to verify third party proofs in the first place. As far as I can tell, it just queries the Keybase servers and calls it a day, so the trust anchor is still only Keybase unless I overlooked something. More details in my other comment: https://news.ycombinator.com/item?id=21748454

---

> It should be trivially verifiable by yourself

Yeah sure, once you realize that third parties are required for security.

This shifts the root of trust from just Keybase to Keybase + a third party. That's not quite what I would call end to end encryption, at least not if there is no fallback to checking the keys manually. That's just not what the word means to me, even if the risk is sufficiently low that I guess it can be considered equivalent.

So I'm not saying it's a bad thing. If indeed all chat apps had such a scheme where third parties vet the keys, i.e. if it were commonplace to have to compromise two or more companies' servers before you can MITM someone successfully, it would be a huge improvement over the current state. Keybase is definitely being innovative here. It's just not how it's marketed (namely as being a secure chat in and of itself), and I hadn't realized that this might be what they mean when they write "end to end encrypted [but only if you sign up with a trusted third party!]".

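The trust-anchor argument in the comment above, as an added example that is not part of the thread and not Keybase's own code or proof format: a directory (standing in for a key server) hands out a user's key and asserts that the user's proof "checked out"; a third-party site holds a statement the user signed with that key. A client that trusts the directory's assertion has one trust anchor, so swapping the key at the directory alone is enough to MITM it. A client that fetches the statement from the third party and verifies the signature itself only accepts a substituted key if the attacker also controls the third party. The proof text, the `Directory`/`ThirdParty` types and the user names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Directory stands in for a key server such as Keybase (constructed, not its API):
// it maps a username to a public key and asserts whether the user's proof was vetted.
type Directory struct {
	Keys   map[string]ed25519.PublicKey
	Vetted map[string]bool
}

// ThirdParty stands in for a site the user controls independently of the directory
// (a social account, a DNS record, a web page); it maps a handle to posted proof text.
type ThirdParty map[string]string

func fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pk, sk
}

func claimText(handle, fp string) string {
	return fmt.Sprintf("I am %s and my key fingerprint is %s", handle, fp)
}

// makeProof is what the user posts at the third party: a claim binding the handle to
// the key fingerprint, plus a signature over that claim made with the key itself.
func makeProof(handle string, priv ed25519.PrivateKey) string {
	claim := claimText(handle, fingerprint(priv.Public().(ed25519.PublicKey)))
	sig := ed25519.Sign(priv, []byte(claim))
	return claim + "\nsig=" + hex.EncodeToString(sig)
}

// naiveLookup trusts the directory entirely: its key and its own "vetted" flag.
// The directory is the single trust anchor.
func naiveLookup(dir Directory, user string) (ed25519.PublicKey, error) {
	pk, ok := dir.Keys[user]
	if !ok || !dir.Vetted[user] {
		return nil, errors.New("unknown or unvetted user")
	}
	return pk, nil
}

// verifiedLookup takes the key from the directory but checks the proof itself at the
// third party, so substituting a key requires controlling both the directory and the site.
func verifiedLookup(dir Directory, site ThirdParty, user, handle string) (ed25519.PublicKey, error) {
	pk, ok := dir.Keys[user]
	if !ok {
		return nil, errors.New("unknown user")
	}
	proof, ok := site[handle]
	if !ok {
		return nil, errors.New("no proof posted at third party")
	}
	claim, sigHex, found := strings.Cut(proof, "\nsig=")
	if !found {
		return nil, errors.New("malformed proof")
	}
	sig, err := hex.DecodeString(sigHex)
	if err != nil {
		return nil, err
	}
	// The claim must name exactly this handle and exactly the key the directory served.
	if claim != claimText(handle, fingerprint(pk)) {
		return nil, errors.New("proof does not bind this handle to the served key")
	}
	if !ed25519.Verify(pk, []byte(claim), sig) {
		return nil, errors.New("proof signature does not verify under the served key")
	}
	return pk, nil
}

func main() {
	alicePub, alicePriv := genKey()
	malPub, _ := genKey()
	dir := Directory{Keys: map[string]ed25519.PublicKey{"alice": alicePub}, Vetted: map[string]bool{"alice": true}}
	site := ThirdParty{"@alice": makeProof("@alice", alicePriv)}

	// Attacker compromises only the directory and swaps in their own key.
	dir.Keys["alice"] = malPub
	got, _ := naiveLookup(dir, "alice")
	fmt.Println("naive client accepts attacker key:", got.Equal(malPub))
	_, err := verifiedLookup(dir, site, "alice", "@alice")
	fmt.Println("verifying client rejects:", err)
}
```

The honest case passes both lookups; with only the directory compromised, the naive client accepts the attacker's key while the verifying client fails on the fingerprint mismatch; with both compromised, the verifying client accepts the substituted key too, which is the "two or more companies' servers" bar the comment describes.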

IIRC a PGP key is one of the “third parties” you can attach to your account, so assuming that the app checks those, you could get verifiable E2E that way. I’m also quite surprised by your findings about Keybase not checking verifications—my impression from their marketing/docs was that they made a point of doing that. I’m not in front of a computer right now, but will look more into it later.