
Keybase’s browser extension subverts its encryption

225 points, by fallenhitokiri, over 6 years ago

13 comments

pedroaraujo, over 6 years ago
While they could have expanded better on their reasoning for not using iframes, I feel this is an overly dramatic post.

The browser extension is not their main product and they explicitly say so. The author is completely dismissing [0] the entire product just because of a side project, which in the worst case scenario could be fixed by the community by submitting a patch.

It is also strange that the author seems to feel the need to reinforce the sensationalism of this post by linking something completely unrelated to Keybase.

Also, where are the quotes on this post coming from? Where is the rest of the communication?

There is really nothing to see here.

[0] - "Initially, I planned to take a closer look at the crypto in Keybase, to see whether I can find weaknesses in their implementation. But that’s off the table now."

[1] - "But as experience shows (https://palant.de/2018/07/11/ftapi-secutransfer-the-secure-alternative-to-emails-not-quite), the claim “end-to-end encryption” doesn’t automatically translate into a secure implementation."
Comment #17932824 not loaded
Comment #17932805 not loaded
Comment #17934126 not loaded
Comment #17932863 not loaded
Comment #17934109 not loaded
Legogris, over 6 years ago
I have to say I am surprised and disappointed. Keybase has up until now been a shining example of doing crypto right but still accessible and easy to use. This decision falls strictly on the wrong side of the line of acceptable compromises.

> there were technical reasons why iframes didn’t work, though I forget the details

It could be that there is one or a couple of engineers at Keybase who made this decision and are also the same entity that replied to the bug bounty. It feels like they haven't thought it through properly or brought it up for proper discussion inside the organization. Let's hope that they remedy this and adjust their general approach to this if this gets enough attention.

On the other hand, even if this is addressed, unfortunately it's an indicator that other compromises in this category are done in other parts of Keybase.
Comment #17932947 not loaded
Comment #17932967 not loaded
adambrenecki, over 6 years ago
> Avoiding it is fairly easy, by isolating all of the extension’s user interface in an <iframe> element.

Right, but if the social network website can modify the HTML that the Keybase extension is injecting, then surely it can also modify the iframe's URL to an attacker-controlled one? Or, for that matter, replace the event handler on the "Keybase Chat" button itself before it even gets clicked?

I'm not an extension developer, so there might be APIs available to extensions or restrictions on webpage JS that I'm not aware of, but I suspect the only secure way to do this (if you don't trust the page you're embedding in) might be to have the extension communicate with the native Keybase app, which then opens a chat window with the appropriate user, similar to how the 1Password browser extension works.
Comment #17933415 not loaded
Comment #17934163 not loaded
Comment #17933696 not loaded
lrvick, over 6 years ago
Keybase also silently subverts smartcards for in-memory keys per my findings here: https://github.com/keybase/keybase-issues/issues/1946

In general I find Keybase to be a step forward in user experience and two steps backwards in terms of actual security. They just don't seem to care about the latter at all and have not demonstrated any cooperation with standards bodies like the OpenPGP working group, where members have expressed interest multiple times in adding generic URL uids to the OpenPGP public key itself to replicate and decentralize the idea of social media based trust bootstrapping (the one good idea from Keybase in spite of terrible execution). Instead they insist on their complex proprietary walled garden system that does not integrate with existing keyservers and throws everything on the bitcoin blockchain for reasons.

Keybase has become the IE of crypto and I can't take any security project seriously that even -integrates- with them.
Comment #17933332 not loaded
Comment #17932968 not loaded
Comment #17933712 not loaded
Comment #17933491 not loaded
lettergram, over 6 years ago
So I wrote essentially the same Chrome extension (albeit with a different interface, which definitely allows for this vulnerability):

http://lettergram.github.io/AnyCrypt/

https://github.com/lettergram/AnyCrypt

https://chrome.google.com/webstore/detail/anycrypt/hddfngccl...

It worked fairly well (haven't tested it in a bit), but I had to reverse engineer pretty much all the Keybase APIs at the time.

The thing is, the author is totally correct. I wrote mine as a proof of concept, and quite frankly was surprised that the Keybase Chrome extension (even a year ago when I checked) had the same issue(s) my implementation did...

That being said, this isn't an "end-of-the-world" kind of thing; I think there are several easy solutions to this problem, as the author pointed out. Personally though, only 3 people use my extension with me. I couldn't get anyone to use the Keybase extension.. so I really think they should just update that phrasing on their extension page (perhaps add a warning) and let it be.
patcheudor, over 6 years ago
It cannot be said often enough: when you reference someone else's JavaScript in your solution in a way in which it has access to either the DOM or user interface components, it's no longer your solution. You therefore cannot, with any level of integrity, claim that your solution is secure, as you simply don't know what's happening in that bit of JS which is loaded by the solution into the user-space.
jwfxpr, over 6 years ago
The keybase.io website offers a "Please send us feedback & bug reports" link[0]. As a keybase user, I intend to do so.

[0] https://github.com/keybase/client/issues
benatkin, over 6 years ago
It seems like some analytics software like FullStory and possibly MixPanel would automatically log the messages.

I just signed up for keybase and was definitely steered towards installing the browser extension. I quickly uninstalled it because I found it annoying, though.
dilatedmind, over 6 years ago
If you are going to encrypt a message, it must at some point be input without encryption. Just like you wouldn't type a sensitive message with someone looking over your shoulder, you can use common sense and limit use of this extension.

Keybase is fantastic.

I've been using keybase for 2 years now and have had no issue accessing my files through kbfs.

With keybase teams you can store secrets at rest and make them easy to access across your team.

The client loads 10x faster than Slack and has nice ux.
Comment #17935620 not loaded
throwanem, over 6 years ago
This isn't a hard bug to avoid, but it would take completely reimplementing the extension so that all of its UI beyond the "keybase chat" button lives in the extension rather than being injected into the page, and having the chat button do nothing but call the extension with the username of the intended recipient.

I understand why Keybase principals don't want to do that, because the extension is an addon that probably doesn't do anything in particular for them as far as adoption goes. I'm not sure I understand why they continue to ship the existing extension, knowing that it's insecure.

And I don't see any excuse at all for editing the bug report on GitHub out of existence - that strikes me as sufficiently sketchy that I may no longer use Keybase at all, and certainly will no longer rely on it to be especially secure.
Comment #17937516 not loaded
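The architecture throwanem sketches, together with adambrenecki's objection that the page can still tamper with whatever the content script reads, as an added example that is not Keybase's code or any commenter's: the content script injects nothing but a button, the compose UI lives on a page served from the extension's own origin, and the recipient handle taken from the host page is treated as untrusted input. The handle format, the `chat.html` page name and the message shape are assumptions.

```javascript
// Added example, not Keybase's code. Only a button is injected into the host page;
// the compose UI lives on an extension-origin page the page's scripts cannot touch.
// Handle format is an assumption, not Keybase's actual username rule.
const RECIPIENT_RE = /^[a-z0-9_]{2,32}$/i;

// Validate a handle lifted from the host page's DOM (untrusted input). Returns null
// for anything but a plain handle, so markup or path tricks never reach our page.
function parseRecipient(raw) {
  if (typeof raw !== "string") return null;
  const name = raw.trim().replace(/^@/, "");
  return RECIPIENT_RE.test(name) ? name : null;
}

// URL of the extension-owned compose page, or null if the recipient is rejected.
function buildChatUrl(extensionBase, recipient) {
  const name = parseRecipient(recipient);
  if (name === null) return null;
  return `${extensionBase}/chat.html?to=${encodeURIComponent(name)}`;
}

// Content-script side: the button owns no UI and only ships the handle to the
// background. Page JS may still swap the handle or the handler, which is why the
// extension page must show the recipient for confirmation before sending.
function injectChatButton(doc, profileHandle) {
  const btn = doc.createElement("button");
  btn.textContent = "Keybase Chat";
  btn.addEventListener("click", () =>
    chrome.runtime.sendMessage({ type: "open-chat", to: profileHandle }));
  doc.body.appendChild(btn);
  return btn;
}

// Background side: accept only messages from this extension's own content scripts
// (sender.id equals the extension id and sender.tab is set), then open the compose
// page on the chrome-extension:// origin. Returns true when a window was opened.
function handleMessage(msg, sender, runtimeId, openWindow) {
  if (!sender || sender.id !== runtimeId || !sender.tab) return false;
  if (!msg || msg.type !== "open-chat") return false;
  const url = buildChatUrl(`chrome-extension://${runtimeId}`, msg.to);
  if (url === null) return false;
  openWindow({ url, type: "popup" });
  return true;
}

// Wire up only inside the browser; outside it (e.g. Node) chrome is undefined.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender) =>
    handleMessage(msg, sender, chrome.runtime.id, (opts) => chrome.windows.create(opts)));
}
```

The plaintext is typed on `chat.html`, which the host page cannot script; what the page can still influence is only the recipient name, so the compose page must display it and the user must check it before sending.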
icebraining, over 6 years ago
Where do those quotes from Keybase come from? Private email?
Comment #17934171 not loaded
znpy, over 6 years ago
Meh. I wouldn't (and didn't) trust Keybase anyway.

My reasoning is that you're given some encryption software (keybase javascript on its website or browser extension) but the software is changing all the time: it might get re-downloaded on a tab refresh, the extension might download a "new version" or whatever... So basically you're supposed to trust an always changing piece of code (can you be auditing every piece of javascript that you download? every version of that javascript?) and you're running it in a super-connected runtime (like a browser). What could possibly go wrong?

I am not an encryption expert at all, but I feel a lot safer doing my crypto in a regular environment (linux shell or whatever) and then sending the cyphertext via any other means (web, email, whatever).

Back in the day you could use pidgin to chat on the Facebook chat, and it was possible (and relatively easy) to use the OTR plugin to have really end-to-end encrypted chats. But (guess what?) Facebook later disabled the possibility of interacting with its chat via external non-facebook-branded clients (afaik)
Comment #17933791 not loaded
wetKoala, over 6 years ago
Keybase is fine for throwaway encryption that only needs short-term wire security to protect data that will be useless next month.

I wouldn't use a keybase key for anything that should be rendered eternally unbreakable, based on side-channel threat analysis alone. Private keys are not something that should be sourced from a website.