Day 2 of #100DaysToOffload
In the first post on my blog (from February 1, 2020), I praised Keybase and its amazing potential. A lot has changed in the months leading up to this post, including the massive rise in people working and studying from home. Zoom's userbase skyrocketed and so did global attention on the platform, including discoveries of security vulnerabilities. In response, Zoom did an acqui-hire of Keybase. I ought to follow up.
Why was Keybase great again?
That first blog post explains it if you want to go more in-depth, or simply want to see what I have to say ;)
But the TL;DR is:
1. Easy-to-use encryption
2. Identity proofs (also easy to use)
Keybase centralizes these into one platform (in addition to file storage and teams), giving it the potential to be an easy-to-use and secure suite. Yes, there were simple secure messengers (e.g., Signal and Wire), but having messaging in one platform with the other features made it more compelling. There are competitors for identity proofs as well, such as keys.pub. keys.pub has potential, but it only supports GitHub, Twitter, and Reddit accounts, as well as websites. Therefore, they have not filled the gap yet.
What gap? Keybase is still around!
It sure still is! The potential problem is that it got acquired by Zoom. Zoom's past security flaws led some people to distrust Keybase, but really, it is the reverse: Zoom most definitely bought Keybase to secure its calls because of such flaws, like when it was caught making misleading claims about end-to-end encryption. The worst-case, yet somewhat likely, future I see is that the Keybase team will put its effort into Zoom and Keybase will slowly die from lack of development. Take this quote from the Keybase blog:
Initially, our single top priority is helping to make Zoom even more secure. There are no specific plans for the Keybase app yet. Ultimately Keybase's future is in Zoom's hands, and we'll see where that takes us.
To be fair, they did not explicitly say Keybase will never be worked on again. They even clarified later on that there is (was?) a pending release. The vagueness worries me.
Concerns with Zoom are legitimate, too. First, they announced E2E would only be for paying customers. Only after (deserved) criticism from the internet did Zoom backtrack on the decision. Zoom initially did not plan to give free users E2E, as they wanted to “work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.” This blog post is not just about Zoom-hate, but c'mon, what a silly argument. Privacy and security should be open to all! What do they possibly expect? That bad guys will not spend some money to reduce their chance of getting caught!?
Regardless, the acquisition reminded me not to put so much faith in a centralized platform. It could shut down, radically change, or, in this case, be bought by another company, which could cause the first two.
Back to basics
So what platform can I use? PGP, of course! With PGP, I can sign a message and others can verify it is actually me. Yarmo Mackenbach recently made a great tool called OPSV to make it really easy for pretty much anyone to verify PGP-signed text. On my identities page, I have a signed message listing my online accounts. It is similar to Keybase proofs, if not better: I do not need to rely on the platforms that Keybase proofs worked with, and I can sign literally any text I want.

The main downside is that there is no third-party checkmark like Keybase had; you need to verify it yourself. There is no third party doing the work (automatically, of course). While that could be considered an advantage, manual verification might be too complex or annoying for many. Realistically, the vast majority who come to this website or see my identities will not go and verify it is truly me and not an impostor. I do not even do this when going to someone's site. It is there to be proactive: should someone pretend to be me, people can go and verify at that point.

I will keep my Keybase profile up because it allows those without any PGP experience (i.e., the majority) to see a nice checkmark that the account is me. Furthermore, while having that third-party verification does provide further authenticity, it is a double-edged sword. Keybase is not dead yet. Hopefully, it will never die, but I realized I cannot be so reliant on a single centralized platform.
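As an added example (not from the original post, and not OPSV's own code), here is the sign-then-verify workflow the paragraph describes, run in a throwaway GnuPG home with a constructed identities text and a demo key; it assumes gpg 2.x is on PATH. The tampered copy shows that a good signature proves the text is unmodified, while the fingerprint is what a reader still has to match against the key the author publishes, which is the work the missing checkmark used to do.

```shell
#!/usr/bin/env bash
# Added example: PGP-sign an "identities" text, verify it, and show that a
# tampered copy fails. Assumes gpg 2.x is on PATH; everything lives in a
# throwaway GNUPGHOME so the reader's real keyring is never touched.
set -eu

export GNUPGHOME
GNUPGHOME="$(mktemp -d /tmp/pgpdemo.XXXXXX)"   # short path: gpg-agent sockets dislike long ones
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Constructed identities text standing in for the one on the author's page.
IDENTITIES="$GNUPGHOME/identities.txt"
cat > "$IDENTITIES" <<'EOF'
I am demo-signer. The following accounts are mine:
  https://example.com/demo-signer
  https://git.example.org/demo-signer
EOF

# Demo key with an empty passphrase so the run is unattended; a real key would have one.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Signer <demo@example.com>' default default never >/dev/null 2>&1

# Clearsign: the text stays human-readable with the signature block appended,
# which is the form both OPSV and plain `gpg --verify` accept.
gpg --batch --quiet --local-user demo@example.com \
    --clearsign --output "$IDENTITIES.asc" "$IDENTITIES"

# verify_signed FILE: prints "good" when the signature checks out, "bad" otherwise.
verify_signed() {
  if gpg --batch --quiet --verify "$1" >/dev/null 2>&1; then echo good; else echo bad; fi
}

# signer_fingerprint: the value a reader compares against the key the author
# publishes; a good signature alone only proves the text is unmodified since signing.
signer_fingerprint() {
  gpg --batch --with-colons --list-keys demo@example.com | awk -F: '/^fpr/ { print $10; exit }'
}

# An impostor swaps in their own account; the signature no longer covers the text.
sed 's#example.com/demo-signer#example.com/impostor#' "$IDENTITIES.asc" > "$GNUPGHOME/tampered.asc"

echo "signer fingerprint: $(signer_fingerprint)"
echo "original : $(verify_signed "$IDENTITIES.asc")"          # good
echo "tampered : $(verify_signed "$GNUPGHOME/tampered.asc")"  # bad
```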