Public encryption is great. It is a mature technology an an industry standard. The problem is, no one is actually using it. Or rather, whenever it is used, it is abstracted away, and hidden behind layers of misdirection. Why? Because it’s annoying.
Yes, you heard it right. It’s not hard. There is nothing inherently hard about generating private and public key pairs. There is also nothing inherently difficult about managing them. It’s just annoying because the tools we have aren’t all that great, the integration with mail clients has been shitty for years and actually keeping track of your keys is a pain in the ass.
I recently looked at my key-chain and realized that it contained about a dozen public keys that I have not used or even thought about in years. Were any of these keys still valid? Were the emails they were keyed to still in service? There was no way for me to know any of it. In theory, if you generate a new key pair, you can revoke the old key and push that information to the key servers. In practice however, private keys get lost, or worse – you forget their pass phrases, leaving you no means to generate the revocation certs. I know that there are probably five or six different public keys floating out there with my name attached to them – and I have managed to lose or get locked out of each and every one of them.
Key servers, as useful as they might be, are not an authoritative. Firstly, they are polluted with thousands of defunct keys that may never be revoked, because they were generated by teenagers going though their 1337 h4x0r stage, and then promptly forgotten few years later. Secondly, anyone can publish a public key. The only identifying information that is attached to a public key is a name and an email – the two things everyone knows about you already, and only one of these is semi-unique. Emails is slowly fading away as a unique identifier anyway.
There is really no easy way to verify validity of a public key found on a key-server, other than asking the alleged owner directly. And if you have to ask someone about the key, they might as well just send it to you right there and then, making key servers completely superfluous and unnecessary.
Wouldn’t it be awesome, if there was a modern web service or database, where you could sign up, register your public key, and have it tied to your online identities that are actually relevant: like your twitter, github and your personal blog for example? Well, someone just made exactly that and named it keybase.io.
If you follow me on Twitter you have probably seen me tweetign up a storm about it in the past few weeks. It was mostly praise, because I really like the service. It’s not perfect, but I really think it is a step in the right direction. That direction being: making public crypto more accessible, and less of a pain in the ass to use. Keybase aims to bring modern UX to the land of cryptography.
I know, I know – it sounds like sacrilege. For decades the mantra of security community has been: good Crypto is hard to develop and therefore it should be hard to use. So a lot of people hate on Keybase just for attempting to make it a bit less painful and, dare I say it, fun.
Let’s say you want to confidentially tell that dude who writes Terminally Incoherent that he is so wrong he should immediately kill himself (or as we know it in our industry “the standard tech community greeting” – this is usually how developers say hello to each other) , but you do not have his public key… Nor do you know his stupid name, or his stupid email – you only know his stupid URL where he posts all the wrong things, actively giving you cancer, and ruining your community. What do you do? You go to Keybase and type in “terminally” in the search box:
Bam! My name comes right up. You can click on it, and you will be taken to a neat profile page that lists, among other things my full name, twitter handle, github account, any web sites I cared to register and also my public key’s fingerprint:
You might ask, why should you choose to trust Keybase to be the authoritative public key directory. After all, it is just a random project threw together by some nerds, and they have nice modern layout and hand drawn artwork on their site meaning they are probably some silly hipster designers and not Real Developers™. Well, you shouldn’t. Keybase doesn’t want to be a key authority – they want to be a public directory. Which is why they require you to prove the ownership of the accounts and websites you register with it by posting or uploading a signed payload message. That message is to remain on our account and/or server and be publicly accessible. This means that if you ever lose control or ownership of one of the sites and services, you can remove it from Keybase, and if you get locked out of Keybase account you can just delete all your proofs. An account without working proofs – or worse, with proofs that are marked as invalid will then set off red flags for anyone searching the database.
But it does more than that. It actually makes sending encrypted messages dumb easy. If you want to send me encrypted hate mail (please, please, please do not send me hate mail) you don’t need a GPG client installed. You don’t need to generate a key pair. In fact, you don’t need to know anything about public encryption. All you need to know is that there is a big “encrypt” button on my Keybase profile. You can click on it, type our insults into the box, hit a button and you will get a nice, pretty block of ciphertext you can now paste into email, comment box, or print out on a piece of paper, photograph it on a wooden table, and fax me the photograph.
I’m pretty sure anyone can do this. Decrypting the message might be a bit less complicated. You can do it the hard way, using your GPG client of choice. Keybase does provide a really neat command line client which, by my estimation is about 615% more intuitive than the standard gnu gpg client which it wraps around, so you can use that. And, if you are not too paranoid, you can choose to trust Keybase with a copy of your private key (they promise they’ll encrypt it real hard) so that you can decrypt stuff in your browser.
That last part is a bit risky. If Keybase is ever compromised, or has to comply with some governmental coercion then your private key is forfeit. You can mitigate some of the risk by choosing a strong pass phrase which Keybase does dot store in their database, which is a pretty good practice. So if you are willing to put the safety of your encrypted communication in their hands, you do have an option to make things super intuitive and easy. If you choose not to trust them, everything still works very smoothly: you just need to drop down to the command line to decrypt or sign messages. Encryption remains painless and web based though.
While this might seem like an extended infomercial, it isn’t because Keybase is still in closed beta. But, I do have invitations and I can hook you up. Basically my whole reason of posting this blog is to find takers for these invites that are burning a hole in my virtual pocket, and to gain new followers. Right now I only follow few people and have even fewer people following me so I feel inadequate. My e-ego needs stroking guys, so get on Keybase and fucking follow me right now. And let me know if you need an invite.