by acdha 4031 days ago
I'm not a fan of Keybase because they encourage a lot of unsafe behaviour:

1. They tell you to trust webpages which claim that their code does not send passwords or private keys to the server – something which would be extremely hard to verify now and even were you to do so now, could silently change in the future:

https://www.dropbox.com/s/teikzwftimeu8nc/Screenshot%202015-...

https://www.dropbox.com/s/1xlvpd8drhix0tj/Screenshot%202015-...

2. They encourage blindly copying and pasting complex commands into a shell:

https://www.dropbox.com/s/5rv7p4mks0qdr7f/Screenshot%202015-...

I have no reason to believe they're doing any of this out of malice, but it's not good because it encourages people to believe claims which could be made by any phisher and encourages practices which put you at risk if Keybase is ever compromised.

The answer to this, of course, would be a browser-managed crypto API which could provide unspoofable UI indicating that e.g. a private key will never leave the client, but in the absence of such an API it feels irresponsible to make similar claims which aren't actually possible.