On 24/07/14 02:14, Sam Gleske wrote:
I'm hoping keybase.io http://keybase.io will hopefully resolve the
issue of identity checking with key fingerprints.
I've just scanned through [1]. I'm not convinced.
This quote is from the front page:
If you trust the client (our reference client is open source), then
the server can't give you the wrong key for maria without getting
caught or also compromising her twitter and github accounts.
This one from [1]:
For instance, when Joe wants to establish a connection to an identity
on Twitter, he would sign a statement of the first form, and then
post that statement both on Twitter and Keybase. Outside observers
can then reassure themselves that the accounts Joe on Keybase and
MrJoe on Twitter are controlled by the same person. This person is
usually the intended keyholder, but of course could be an attacker
who broke into both accounts.
The basic reasoning seems to be: if you want multiple websites to report
incorrect data to the user, you need to hack multiple websites.
Huh?
You only need to be able to MITM close to the victim, and manipulate all
data your victim sees. There's no need to hack any server; you only need
to hack one router and be able to fake SSL certificates. No matter how
many accounts you link, github, twitter, facebook, security is not
increased against a MITM close to you.
If they thought of this, why is there no mention at all of a MITM'ing
attacker?
It's perfectly possible to write a program that scans all data for
OpenPGP signatures by a specific key, and replaces them on the fly by
OpenPGP signatures by another key. There's no need to MITM all SSL web
traffic: just do the keybase.io traffic, parse the response, and then
MITM the sites mentioned by keybase.io, which the keybase client will
now check.
A laptop on the move, *not* always using the same VPN, might quickly
escape from the attacker and see the real data. However, the damage
might already be done. You might already have given your attacker that
plaintext that you were so worried about that you encrypted it.
The documentation in [1] is superficial, and my analysis is even more
superficial. This is just something that stood out to me.
HTH,
Peter.
[1] https://keybase.io/docs/server_security
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users