
Keybase browser extension weakness discovered

Is the Keybase secure messaging browser extension safe to use or not?
Respected researcher Wladimir Palant (of AdBlock Plus fame) is so convinced that it isn’t that he has recommended users “uninstall the Keybase browser extension ASAP,” after he discovered what looks like a gap in its claim to offer end-to-end encryption.
As covered previously, Keybase is a desktop messaging app (Windows, Mac and Linux), which can also be used on mobiles (Android and iOS) and, from last year, through browser extensions for Chrome and Firefox.


The extension is a useful way to connect to other Keybase users by advertising its use through profiles on Facebook, Twitter, GitHub, and Reddit.
If Firefox’s daily stats are anything to go by, this method isn’t hugely popular, with fewer than 2,000 daily users – and Palant’s security assessment is unlikely to help its popularity.
Behind the scenes, every message sent via browser chat is passed to the local desktop app, which is the bit that does the encryption. However, according to Palant, messages are unencrypted as they are sent to the app – hardly the “end-to-end encryption” promised on the Keybase website.
Writes Palant:

The Keybase message you enter on Facebook is by no means private. Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption.

In fairness, the extension’s download page on the Keybase website clearly mentions the consequences of a site or browser compromise, although perhaps not in a way the average user will understand or remember.
In Palant’s view, the issue could be avoided by isolating the extension’s user interface in an <iframe>. When he put this to Keybase, it reportedly told him that “there were technical reasons why iframes didn’t work.”

Should I continue to use Keybase?

As far as the desktop and mobile app is concerned, yes. There is no evidence that they don’t work as advertised. As for the extensions, it’s a trade-off between convenience and security. Having a Keybase button beside your profile is a good way to advertise the fact that you’re using it. However, if absolute privacy is a must, use the extension to establish contact before moving to the desktop or mobile app.
Most important of all, bear in mind that Keybase is intended not just as another encrypted messaging app – there are plenty of those already – but as a database of proofs that set out to verify the identity of a contact. For anyone who values this, it still remains a feature that sets Keybase apart.
