PSA: Stop Using Keybase Right Now

David Layton

David / 10 June 2020

Why the service for "keeping everyone's chats and files safe" can no longer be trusted

Morally, I can't publish the article I'd written. Last month I started writing a new series on Terraform. This week, I intended to publish part 3, on increased security. The issue: I was using the third-party service Keybase. It's featured in Terraform's own documentation, several times. And although it would be easy to publish the piece as is (I mean, who could blame me for following the documentation?), it wouldn't be right.

In fact, I'd already made the final code available for those signed up to my newsletter. An apology will follow a full re-write. I'm delaying the series until then.

You see, Keybase has just been purchased by an unsavory outfit. This darling of security can no longer be trusted.

How the Security Conscious Use Keybase

Keybase is a key directory that maps social media identities to encryption keys (including, but not limited to PGP keys) in a publicly auditable manner. Additionally, it offers an end-to-end encrypted chat and cloud storage system, called Keybase Chat and the Keybase Filesystem respectively.

Wikipedia

Many use Keybase to chat in a secure way. Instead, I use Whatsapp. For cloud storage, I mostly use Google and AWS. Primarily, I use Keybase as a directory to store access keys for other services--and for this, I loved it.

Perhaps the big, killer feature is being able to prove the connection between one online identity and another. For example, you could prove to a third party that your Medium user and your Reddit user are in fact the same person.

Who Purchased Keybase?

In early May, Zoom purchased Keybase. Zoom, as you are probably aware, makes video conferencing software. Since the lockdown, Zoom has become a household name.

Companies adopted Zoom because it works on the broadest range of platforms. As a Linux user, I can tell you it is hard to find something that works on Windows, Mac, and Linux. It's so embarrassing when a customer, partner, or candidate can't connect to the video call. Additionally, Zoom was able to cope with the sudden increase in demand better than many of its competitors, though some of how they did this is a scandal we'll discuss.

Why Zoom purchased Keybase

According to Keybase, they'll be making "Zoom even more secure" with "no specific plans for the Keybase app". So it doesn't sound like Zoom will be integrating Keybase into existing products.

Perhaps Zoom sees that Keybase is long overdue to start charging corporate customers. They'll pay for better support and SLAs. Keybase's founders have long said this was the eventual path to monetization, but they never started down it. This would fit well with Zoom's own current position and business model.

But Zoom says the acquisition is part of a "90-day plan to further strengthen the security of our video communications platform" and references "Keybase’s team of exceptional engineers". And I think that's the tell.

By acquiring Keybase, they acquire security engineers.

What's the Problem with Zoom?

Where to start? Ah, the US senate.

Despite six senators investing in the telecommuting tech sector immediately following a closed briefing on the impending coronavirus outbreak, the US Senate has urged its own members not to use Zoom. Senators aren't the most tech-savvy bunch, and they are well behind the curve on this. For months, we've heard scandal after scandal regarding Zoom's privacy and security practices.

Hidden Servers

In early March 2019, security researcher Jonathan Leitschuh demonstrated that Zoom was running an undocumented web server hidden on Mac users' devices that would allow a malicious website to join calls and enable the user's camera. Leitschuh offered a quick fix but was brushed off by Zoom. He gave Zoom a 90-day reprieve. After months, Zoom disclosed the vulnerability publicly in July, three days before Leitschuh would have taken it public himself. Apple quickly released a patch closing the vulnerability. For 87 additional days, Zoom's recalcitrance left Mac users exposed.

Due to this incident, many branded Zoom "malware".

https://twitter.com/random_walker/status/1244989489275158529

Omissions and Outright Lies

In March 2020, Vice's Motherboard exposed Zoom again, this time for sending users' personal information to Facebook, even if the user had no Facebook account. We've come to expect shady third-party data practices hidden in EULAs. However, Zoom neglected to mention Facebook in its privacy policy; Google is mentioned. Many, myself included, take specific issue with Facebook following the Cambridge Analytica scandal.

At the same time, The Intercept reported that despite claiming "end-to-end" encryption in its marketing, Zoom has unencrypted access to your video and audio. This means that government compulsion or an internal security breach could expose your "private" conversations--a goldmine for hackers.

Given their track record on security, such a breach seems inevitable--if it hasn't happened already. No holding our breath for public disclosure. As for government compulsion, we'll have more on that in the next section.

To be fair, end-to-end encryption of video is technically difficult, but some services, such as Apple's FaceTime, do provide it. But why would Zoom put in the time and effort to compete when they could just lie? These concerns led to some outcry.

From the same article:

On March 18, human rights group Access Now published an open letter calling on Zoom to release a transparency report to help users understand what the company is doing to protect their data.

--"ZOOM MEETINGS AREN'T END-TO-END ENCRYPTED, DESPITE MISLEADING MARKETING", The Intercept, 31 March 2020

Routing Data Through Authoritarian Regimes

The Citizen Lab at the University of Toronto exposed Zoom in April. User traffic was passing through servers in Beijing. Zoom's response? They “mistakenly” added two Chinese data centers "potentially enabling non-Chinese clients to connect". "Potentially" was the word Zoom used in its press release directly addressing getting caught doing just that!

Again the same pattern: admitting fault only after being exposed, excusing it as incompetence, and playing down the impact.

This mistake further clouded Zoom's unclear relationship with China. Despite servicing mostly North American clients, they have a substantial development team in China (according to filings). Regardless, the use of Chinese servers could place users' encryption keys in Beijing's hands.

Some stretch to imagine the acquisition of Keybase as a spy game: Beijing assets gaining a back entry to the very services Keybase is meant to protect. Though fanciful, it's equally naive to think that "Keybase's team of exceptional engineers" will be making "Zoom even more secure". No amount of increased technical competence will address a lack of integrity. The culture of Keybase will more likely be impacted by its new parent than the other way round.

Ruby on Rails creator and Founder/CTO of Basecamp, David Heinemeier Hansson, put it best:

https://twitter.com/dhh/status/1244997990382596096

What Do We Do?

One solution, proposed by concerned Keybase users, would open-source the server. The client source code has always been open; the server's code is not. This increased transparency would put the community at ease, but would Zoom allow it?

Let's suppose they did and put concerns of potential corruption from Zoom's malignant culture aside. And say we also take Zoom's explanation at face value. Draining "Keybase’s team of exceptional engineers" to secure Zoom will undoubtedly impact Keybase's existing services.

Progress, long-term, is unlikely. Now may be the best time to jump ship and start exploring alternatives.

Bloom

It appears Bloom's creation was a reaction to Keybase's purchase.

A safe place for all your data

As an Open Source project anyone can inspect how Bloom works. We use state of the art cryptography to keep your data secure. There are no ads, no affiliate marketing, no creepy tracking.

Just open technology for a fast, simple, and secure experience.

Bloom.sh

Unfortunately, it's not out yet. Hopefully we'll see its release later this year.

Dark Crystal

Dark Crystal covers some use cases. One interesting feature allows keys to be recovered by combining partial keys held by trusted friends.

Back up your secrets using the trust in your social fabric

Dark Crystal is a decentralised peer-to-peer app, meaning you exchange shards directly with your friends. No data is sent through a central server. It even works when you're not connected to the internet. With decentralised and encrypted tools, there's no company or authority who can reset your access. Security is all on you. Using Dark Crystal makes managing your keys and passwords a little bit more forgiving, while still being very secure.

https://darkcrystal.pw/

Handshake

A step towards a decentralized internet, Handshake could form the backbone for a Keybase replacement.

Handshake is a decentralized, permissionless naming protocol where every peer is validating and in charge of managing the root DNS naming zone with the goal of creating an alternative to existing Certificate Authorities and naming systems.

handshake.org

I doubt it'll cover my needs, but it looks promising.

Wire

Wire is open source, provides end-to-end encryption, and complies with the European Union's stringent data protection legislation. This one looks like a real contender, but it's not free.

The most secure collaboration platform

Modern day collaboration meets the most advanced security and superior user experience.

https://wire.com/en/

It's a bit difficult to read through the sales jargon to figure out what features it really provides.

PGP Key Solutions

My sole need is PGP key access. For this, I've found two serviceable solutions. I just need to test how easy they are to use.

The first is GitHub. It appears you can attach a key to your user. You can then access it at https://github.com/<username>.gpg

Alternatively, I could use Web Key Directory. You can choose from several of the listed service providers. I'm going to give a few a try when I re-write my tutorial on securing Terraform. I'll keep you posted.
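Since a Web Key Directory lookup is derived purely from the e-mail address, it helps to see how a client turns an address into the URL it fetches. This is an added example, not code from the post or from any WKD provider; it implements the mapping in draft-koch-openpgp-webkey-service (lowercase the local part, SHA-1 it, z-base-32 encode the digest) and uses the draft's sample address Joe.Doe@Example.ORG as constructed input.

```python
"""Derive Web Key Directory (WKD) lookup URLs for an e-mail address.

Added example (not from the original post). Mapping per
draft-koch-openpgp-webkey-service: the local part is lowercased, hashed with
SHA-1, and the 20-byte digest is z-base-32 encoded into a 32-character name
under /.well-known/openpgpkey/. Trust in the fetched key comes only from the
domain's TLS certificate, so the key's fingerprint still deserves a check.
"""
import hashlib
from urllib.parse import quote

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encode: MSB first, 5 bits per symbol, no padding symbols."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5            # pad the final group out to a full 5 bits
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The 32-character directory name WKD derives from an address's local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs for an e-mail address.

    Clients try the advanced method (openpgpkey.<domain> subdomain) first and
    fall back to the direct method on the domain itself. The ?l= query carries
    the original, un-lowercased local part for servers that need it.
    """
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    hu = wkd_hash(local)
    query = quote(local, safe="")
    base = f"/.well-known/openpgpkey/"
    return {
        "advanced": f"https://openpgpkey.{domain}{base}{domain}/hu/{hu}?l={query}",
        "direct": f"https://{domain}{base}hu/{hu}?l={query}",
    }


if __name__ == "__main__":
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method:8s} {url}")
```

The advanced URL for the sample address is https://openpgpkey.example.org/.well-known/openpgpkey/example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe, which matches the vector given in the WKD draft.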

If you're thinking of ditching Keybase for any of these alternatives, or others, I'd love to hear from you. Let's start the conversation here.