Yeah, ok. Keybase is deader than dead.

"So, our shortest-term directive is to significantly improve our security effectiveness, by working on a product that's that much bigger than Keybase. We can't be more specific than that, because we're just diving in."

Yikes! What are the best keybase alternatives?

@john @fribbledom depends on your usecase. Today you can announce your key using Web Key Directory or with a DNS Record

@john @fribbledom there are none, really. We had to do all our key networking stuff by hand before and we may have to again, which was harder and worse.

@john @fribbledom I wish we can just drop the server part.

(or maybe move the data to Holo's infrastructure; their architecture is pretty similar afaik)

@Parnikkapore @fribbledom

How do you envision dropping the server? Going full P2P? It might be a bit tricky, because if I have non-public data and am trying to fetch semi-public data that's only supposed to be accessible to those who have the non-public data... who holds this semi-private relational database? If it's the user themselves they may go offline.

So for example, you have my phone number and are trying to fetch a record that has my public key, email, and

@john @fribbledom Ok, I might have misunderstood the functionality of Keybase then. I didn't realize the account data is semi-private.

@Parnikkapore @fribbledom

Well I think @weird_hell made the point that it depends on your use case.

With keybase you can say I'm discoverable with these data fields, when someone discovers me by that these (possibly overlapping) data fields get revealed to them, and this other data is just public-public.

If someone already has my phone number I'm OK with them having most things, but I wouldn't want to broadcast my email address to the whole public, and definitely not my phone number.

@Parnikkapore @fribbledom @weird_hell
I think I'd be OK with my public keys to be generally known to anyone/everyone.

@john @fribbledom @weird_hell Oh, certain fields cannot be used for discovery. Well, that is indeed going to be problematic.

@Parnikkapore @fribbledom @weird_hell

How about a scheme where the server (or distributed replacement) knows a mapping of hash to obfuscated data.
The client forms the request like, form the known datum in a known format of text, for example:
hash that, get (for example): 330eabe022b5876344c6f5b8f12a2761
Send that as the request. The app finds it in the dictionary/mapping/db, returns a block of obfuscated/encrypted data

@Parnikkapore @fribbledom @weird_hell
Then the client uses the original pre-hash text "tel:+1-123-456-7890" as a key to some clever but probably not hardened cryptography scheme to decrypt it and get a record (maybe in json) that has whatever it is I was willing to share.

And hopefully it would be secure enough that the server never actually has any knowledge about what it is it's sharing?

@Parnikkapore @fribbledom @weird_hell

My mistake. None of that works, because it contains no way to verify the info I feed into the system - nothing to stop me from claiming your phone number.

That might actually be the hardest part, integrating with all those different systems to verify ownership.

@john @fribbledom @weird_hell I think Keybase already does independent verification in the app for every website except Mastodon, so I thought that would be pretty easy.


I'm suggesting reproducing it would be quite difficult. I was thinking of a Keybase alternative.

@fribbledom That's some of the most oxymoronic enterprise speak I've heard in a long time wow


Two years later:
"Did you like our signature service?
Then you'll LOVE our set of licensed standard libraries for secure doorbells! We've already partnered with no one you've ever heard of!"

@fribbledom Keybase has one of the most strange success stories... Unbelievable...

@fribbledom I'm a SW guys with some background in security, and honestly, that quote is not what's worrying me. It's basically business code for "right now we're being pulled in to look at Zoom from a security standpoint, and we have no idea how bad or good it is". I'd be more worried if they'd said "now we'll be working on the big changes to which this acquisition will usher".

Ah, and I'm using pass on Linux. :)

@fribbledom 😂
Can't claim they don't have a sense of humor!

@fribbledom I didn't particularly like keybase to start with, or think it was a very good idea, but this makes it a truly terrible one.

@fribbledom What would scare me more is something unthinkable like Microsoft acquiring Canonical. THAT would be a nightmare!


<cynical> Why? That's our only hope of ever getting rid of Canonical.

@fribbledom Congratulations, Keybase main team! *And I mean it*. Achievement unlocked. Creating something, making it somewhat interesting, selling it - was the original plan? The idea most likely was inspired by their previous startup - OKCupid. 👏

@lightone @fribbledom like the startup version of the pump and dump scam, make an OK product, get acquired, run away with cash, and repeat

@fribbledom best part from keybase blog

keybases future in zooms hands 😂😂

like shitting on a pancake and hoping not to taste shite

@fribbledom I was not so skeptical about #GitHub when it got acquired by #Microsoft because Microsoft have been heading in the right direction for a while now.

But the last section of that announcement blog post confirmed that they're just dead fish in the water.

I guess I kind of knew this was going to happen when they switched from verifying identities to just instant messaging; but I least expected it to be #zoom, of all companies!

@fribbledom keybase sounded very dead already when they added "cryptocurrency" as a top-level function in their client.

So they were either scammers, or criminally gullible. Or both.

@fribbledom Such a shame. I saw a "key management" tool that purported to be better than keybase, but do you know of any serious contenders to replace what keybase does as a way to prove connectedness?

@fribbledom an operating system? Like Chrome OS except it's Keybase instead of Chrome

By following their moves you are playing their game. You should anticipate them. How...know thyself.
You are a part of a system that you can not escape.
The environment is stronger than you, learn more about it so you will be able to change it, everything that is happened is happened for a reason, more or less clear. If you're interested on accept the changing, just ask for more.

@fribbledom I tried Keybase once, back in 2014 or so as I recall.

While it *technically* worked, it was nonetheless a total waste of my time. Basically, it was an excuse for people to go to "key parties". But, after that, literally was never used again.

@fribbledom I can't decide if this is great news or horrible news. Keybase has, in my opinion, always suffered from a lack of adoption. Zoom suffered from a lack of security. This could be a great fit for one or both. And/or it could be a disaster for one/both.

@fribbledom WHAT THE ACTUAL FCUK?! 😱

Of all the companies, #Zoom? Seriously @keybase ? 🤦‍♂️

@fribbledom Thank you *very* much for the heads up. Also *rather a lot of muffled cussing*


@fribbledom Keybase account … deleted. I knew that you had to search an exit strategy but this is mine …

"...even more secure."


I think I'll delete my Keybase account now...

Argh, to bad. I use it mostly for having an encrypted backup of my private gits in case I destroy my own hosting. I'm bad at backups. I guess I have to look for alternatives then. Recommendations?

@fribbledom @lastfuture I deleted my Keybase account immediately. Nothing good can come from this for Keybase.

Sign in to participate in the conversation

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!