1. 38
  1. 4

    Why do you think the author decided to announce the results of their third-party audit under a headline that suggests the article is about something else?

    1. 2

      The very definition of ‘clickbait’.

      1. 7

        They changed the title of the post. From their post:

        UPDATE 3/27/19 4:30pm ET: a first version of this post specifically called out 2 other encrypted chat apps, one of which is the gold standard outside of Keybase. By removing the specific mentions, we think we can focus on the positivity of Keybase’s solution, and avoid what feels like trash-talking a great project we actually respect, in an effort to highlight our own solution.

    2. 5

      Cross comment from HN:

      Show us the server: https://github.com/keybase/client/issues/6374

      1. 7

        This is not really relevant to the security claims in the article, IMO. It is important separately, of course.

        1. 6

          I would love it if drive-by passive aggression like that comment from HN stayed on HN.

          1. 12

            That was painful to read. Such entitled attitudes.

            1. 2

              Yep, and unfortunately some of them come from Lobsters.

            2. 7

              This is important, IMHO. At this point Keybase is yet another walled garden. Investing in them means that you are subjected 100% to their whims and future success (or lack thereof). It’s painful when your communication is shut down because a company decided to go do something else, or close up shop.

              1. 4

                It isn’t. If the claims are true that things are encrypted on the devices, which it seems they are (and the source is open source), then it doesn’t matter what happens on the server from a security perspective.

                1. 1

                  Nope, it definitely is. You may be able to recover your data, but you’ll then be searching quite urgently for a service to replace it since the proprietary server stuff is unavailable.

              2. 2

                How about you spend 8 hours a day and make a great library that Keybase will really want to use in their backend, and make your library use GPLv3. Then they will have to open source.

                That’s not true. If the backend is not distributed to anyone then it would not need to be open source.

                1. 1

                  Is this also true of the AGPL?

                2. 0

                  I don’t have a clear understanding of how the Keybase server works. Can someone provide details?

                  1. 2

                    https://keybase.io/docs/server_security has details about what the server is responsible for, and what clients trust and verify from them.

                3. 2

                  Now I’m curious to see the original post.

                  1. 1

                    I think that this looks quite nice. I am annoyed by chat options that are not truly multi-device. I do like that the client is open-source.

                    Why can’t old chats be synced to new devices, though? You could sync them via other devices, couldn’t you?

                    1. 1

                      Non-ephemeral chats are synced to new devices as described in the FAQ:

                      Non-ephemeral messages persist until the user explicitly deletes them and are E2E synced to new devices. This produces a Slack-like experience, only encrypted! So when you add someone to a team, or add a new device for yourself, the messages are unlocked.

                      1. 1

                        But why only non-ephemeral ones? The article mentioned forward security but it makes no real sense to me. You could use new forward secure keys for the new communication…

                        1. 2

                          I thought that don’t-sync-to-new-devices was a feature. I thought the ephemeral option was for those messages that you want to send but not keep. Messages that don’t have value in the future (or do have liability in the future).

                          1. 1

                            Ah, alright. That does make sense. For me, a new trusted device is a relatively arbitrary boundary to bounce ephemeral messages on, though.