Is Keybase the public key encryption platform that security mavens have been waiting for?
It’s been kicking around in slow-burning development for three years, during which time it has released a website, desktop app (Windows, Mac, Linux), mobile (Android, iOS) and chat apps. Last week came an extension to embed Keybase in the Chrome browser.
If this sounds like a standard messaging app mashup, what underpins Keybase is actually far more daring and, potentially, important – which is why we’re writing about it.
Keybase can be described as a system for users to generate a public encryption key (or upload their own existing ones) to verify their online identity with a high degree of certainty.
If this sounds a bit arcane, identity is the fundamental problem that lies at the root of many of security’s woes: nobody has any way of knowing someone is who they say they are and so must proceed based on risky assumptions.
Public key cryptography has tried to solve this by using either a hierarchy of trust (ie, certificates verified by an authority) or a “web of trust” (ie a network of users who vouch for each other), the latter a concept made famous PGP, Phil Zimmermann’s encryption software.
Web of trust sounds intriguing but turned out to be complex, which is why Keybase wants to reprise the idea – minus the hard corners.
Users verify their public key in Keybase through Twitter, Facebook, GitHub, Reddit, or Hacker News, each one boosting verification, the more the merrier. A hacker wanting to impersonate someone using a fake key would come up against a wall. In a sense, Keybase is a database of these proofs that verify a public identity.
Keybase wants to build security applications on top of this. With the new Chrome extension loaded, a blue button appears on the profiles of each registered service (such as Twitter) that allows Keybase users to DM each another with end-to-end security.
It also functions as a sort of social network that tells people how to communicate with someone using public keys, including initiating secure file exchanges. Users can follow one another and use keys to communicate securely.
For now, Keybase remains a work in progress. Marketing and documentation isn’t great for a company that had a $10.8m funding round in 2015, perhaps because it doesn’t want an influx at this stage.
Keybase might simply be trying to build a set of security capabilities that popularise public key encryption, or it might be trying to create a bigger platform that could be used in a number of ways by third parties. It’s not yet clear.
The biggest challenge will be to get users engaged in a world where some of what Keybase does is already covered, albeit imperfectly, by apps such as WhatsApp. Verification, identify and public-private keys are all very well but most users don’t understand their significance – or don’t care. Two decades ago, PGP struggled to break out for similar reasons. Security can’t afford history to repeat itself.