Keybase, we have a problem.

The Keybase software and service are both littered with severe bugs that create a security and legal nightmare. Here are some of the issues:

  • Deception: Their software is a server masquerading as a client app. They simply call it an “app” on this page: https://keybase.io/docs/the_app/install_linux but it’s actually a surreptitious server that runs continuously in the background as a daemon.

  • Deception: Tor mode serves only to mislead users. The tool actually surreptitiously phones home to the central server of Keybase, Inc. without using Tor at all. This is not the usual DNS leak that Tor users are accustomed to; the connection itself takes place outside of the #Tor network. It’s not incidental. This is in their privacy policy: “When you access or use the Service, we automatically collect and store information about your browsing habits and your use of the Service (“Usage Information”), including: a. Your computer’s IP address… f. Session times and lengths”
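A user who routes a client through torsocks can check the claim above on their own machine by looking at which peers the process actually talks to. The script below is an added example, not code from Keybase or from the post’s author: it lists a named process’s established TCP connections whose peer is anything other than the local Tor SOCKS port. The `ss` output it parses is a constructed sample; the process name `keybase`, the PIDs, and the addresses in it are made up for illustration.

```shell
#!/bin/sh
# Added example (not Keybase's code): list a process's established TCP connections that do
# not go to the local Tor SOCKS port, i.e. traffic that bypasses a torsocks-style setup.
# SAMPLE is constructed output in the shape of `ss -tnp state established`; to run against
# the live host instead, set SS_OUTPUT="$(ss -tnp state established)" in the environment.
SAMPLE='Recv-Q Send-Q Local Address:Port    Peer Address:Port  Process
0      0      127.0.0.1:41222       127.0.0.1:9050     users:(("keybase",pid=1234,fd=12))
0      0      192.168.1.20:50312    203.0.113.10:443   users:(("keybase",pid=1234,fd=15))
0      0      192.168.1.20:50400    127.0.0.1:9050     users:(("firefox",pid=2222,fd=40))'

# Print the peer address:port of every connection owned by process $1 (by name)
# whose peer is not the local Tor SOCKS port $2 (default 9050). Prints nothing if clean.
connections_outside_tor() {
  proc="$1"; tor_port="${2:-9050}"
  printf '%s\n' "${SS_OUTPUT:-$SAMPLE}" | awk -v p="\"$proc\"" -v tp="$tor_port" '
    # $4 is Peer Address:Port, $5 is the users:((...)) column; skip the header line
    NR > 1 && index($5, "users:((" p) == 1 {
      n = split($4, a, ":"); peer_port = a[n]
      local_peer = ($4 ~ /^(127\.0\.0\.1|\[::1\]):/)
      if (!(local_peer && peer_port == tp)) print $4
    }'
}

# Exit status 0 when the process has no connections bypassing Tor, 1 otherwise
assert_all_via_tor() {
  [ -z "$(connections_outside_tor "$1" "$2")" ]
}
```

On the sample data, `connections_outside_tor keybase` prints `203.0.113.10:443`, the one connection that does not terminate at the SOCKS proxy, and nothing for `firefox`. The check assumes SOCKS-based torification (torsocks or an explicit proxy setting); a host using a transparent Tor proxy or a dedicated network namespace would need a different test, and a single snapshot only shows connections open at that moment, so run it repeatedly or alongside a packet capture on the real interface.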

  • Malice: Keybase is designed to reverse users’ edits to the run_keybase script. So users who try to patch the leaks by introducing torsocks wrappers in that script will learn who really owns that tool on the next upgrade or downgrade, when the script is overwritten. The overwriting is also silent, so some users will be unaware when their traffic becomes exposed. This means adding firejail sandboxing to that script will be reversed as well. It’s no accident: they enforce it in the ToS that you agree to: “We may automatically check your version of the Software. We may also automatically download to your computer or device new versions of the Software.”
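Because the overwrite is silent, the practical defence is to notice it. The script below is an added example, not code from Keybase or from the post’s author: it records a hash of the wrapper script once it carries your edits and re-checks it later, and separately checks that the torsocks wrapper line is still present. The path `/usr/bin/run_keybase`, the hash-file location, and the assumption that the user’s edit takes the form of a line beginning with `exec torsocks` are all assumptions; adjust them to the real layout.

```shell
#!/bin/sh
# Added example (not Keybase's code): detect a wrapper script being silently replaced.
# Assumed locations; override with RUN_KEYBASE and RUN_KEYBASE_HASH in the environment.
SCRIPT="${RUN_KEYBASE:-/usr/bin/run_keybase}"
HASHFILE="${RUN_KEYBASE_HASH:-$HOME/.run_keybase.sha256}"

# Record the SHA-256 of the script ($1) into $2, once your own edits are in place.
record_baseline() {
  sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# Exit 0 if script $1 still matches the baseline in $2, 1 if it changed, 2 if no baseline.
check_script() {
  [ -f "$2" ] || return 2
  cur=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$cur" = "$(cat "$2")" ]
}

# Exit 0 if the script still routes through torsocks. Assumes the user's edit is a line
# such as `exec torsocks keybase "$@"`; change the pattern to match your own wrapper.
still_wrapped() {
  grep -q '^exec torsocks ' "$1"
}

# Human-readable verdict for script $1 against baseline $2.
report() {
  rc=0; check_script "$1" "$2" || rc=$?
  case "$rc" in
    0) echo "unchanged: $1" ;;
    1) echo "REPLACED: $1 no longer matches $2" ;;
    2) echo "no baseline for $1; run record_baseline first" ;;
  esac
  still_wrapped "$1" || echo "WARNING: torsocks wrapper line missing from $1"
  return "$rc"
}

# Typical use: source this file, run `record_baseline "$SCRIPT" "$HASHFILE"` once, then
# `report "$SCRIPT" "$HASHFILE"` after every package upgrade or from a periodic job.
```

This only detects the overwrite; it does not prevent it. Running `report` from a package-manager post-transaction hook or a timer means the window between the upgrade and the next check is small, and a non-zero exit status can be used to refuse to start the program until the wrapper has been restored.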

  • SoftwareFreedom: The javascript on www.keybase.io is non-free software (it fails the #LibreJS test).

  • Malice: There are so many security bugs that keybase developer Jack O’Connor (“oconnor663”) is outright deleting some of the more embarrassing security-critical bug reports. This censorship is the most malicious variety because it blocks other users from becoming aware of pitfalls in software that they have trusted. (Hence this article, which is out of reach for Jack O’Connor to censor.)

  • Malice: The login webform is coded as a pop-up to force users to disable their ad blockers.

  • Malice: Users who are wise enough to distrust the keybase server have no way to receive messages that are collected through the Keybase Chat mechanism.

  • Deception: People who send messages using Keybase Chat are not given feedback on non-delivery. So humans are actually composing messages that are silently black-holed! Nothing is more reckless and irresponsible than a messaging service that fails to deliver without telling the sender. What’s even more perverse is that non-delivery is not a rare event: it’s simply a matter of the recipient not running their junk software. So it’s designed to cause widespread harm, on a scale that could provoke a class action. So they’ve actually written a clause in their ToS to attempt to block class actions: ‘Any Claim must be brought in the respective party’s individual capacity, and not as a plaintiff or class member in any purported class, collective, representative, multiple plaintiff, or similar proceeding (“Class Action”).’ They also have: INDEMNIFICATION, LIMITATION OF LIABILITY, ARBITRATION, and NO WARRANTY clauses to block all actionability of their malice.

  • Bug: Further exacerbating the previous two issues is the fact that the “Keybase Chat” button cannot be disabled. Users not running the dodgy software are still forced to have this blackhole-feeding mechanism on their profiles.

  • Hypocrisy: Keybase sends all notifications in-the-clear as plaintext despite having the recipient’s pubkey and having built their own software to use it. Keybase, Inc. does not eat their own dog food.

  • Bug: If you disable the (insecure) notifications and you are not running their (insecure) software, then you have no way of knowing that someone has tried to send a message. So human-written messages are not only black-holed, but both sender and recipient are unaware of the non-delivery.

  • Bug: The Keybase installer creates the directory “/keybase” with all world privileges (and yes, they root it in “/”). The keybase developers have said they believe that mounting a filesystem to that directory blocks access to it (so they are unaware of bind mounts).
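A mount over a directory hides what is underneath only for as long as the mount is in place, and a bind mount of the parent (for example `mount --bind / /mnt`) exposes the underlying directory with its original permissions, so the mode of the directory itself matters. The script below is an added example, not code from Keybase or from the post’s author: it classifies a directory’s mode and reports whether anything is currently mounted on it, so an administrator can audit a path such as `/keybase` (assumed path; the audit takes any directory) without changing anything. It relies on GNU `stat` and Linux’s `/proc/self/mounts`.

```shell
#!/bin/sh
# Added example (not Keybase's code): audit a directory that an installer created as a
# mount point. Read-only; needs GNU stat and Linux /proc.

# Print one of: not-world-writable, world-writable, world-writable-sticky.
# A world-writable directory without the sticky bit lets any local user create, rename
# and delete entries in it regardless of who owns them.
classify_dir() {
  mode=$(stat -c '%a' "$1") || return 1     # e.g. 755, 777 or 1777
  last=${mode#"${mode%?}"}                  # final octal digit = "other" permissions
  case "$last" in
    2|3|6|7) ;;                             # write bit set for everyone
    *) echo "not-world-writable"; return 0 ;;
  esac
  case "$mode" in
    [1357]???) echo "world-writable-sticky" ;;   # four digits with the sticky bit set
    *)         echo "world-writable" ;;
  esac
}

# Exit 0 if a filesystem is currently mounted exactly at directory $1.
# /proc/self/mounts field 2 is the mount point (spaces are encoded as \040 there).
is_mountpoint() {
  awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' /proc/self/mounts
}

# Combined verdict for directory $1; exit 1 when the underlying mode is the risky case.
audit_dir() {
  cls=$(classify_dir "$1") || { echo "cannot stat $1"; return 2; }
  if is_mountpoint "$1"; then m="mounted"; else m="not mounted"; fi
  echo "$1: $cls, $m"
  [ "$cls" != "world-writable" ]
}
```

Run `audit_dir /keybase` (or whatever path the installer used) both while the filesystem is mounted and after unmounting it; the "mounted" flag describes only the present moment, and the classification of the directory underneath is what an attacker sees through a bind mount of the parent or before the mount happens at boot.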

  • Malice: advertising is opt-out, not opt-in. From their ToS: “we may send you communications…promotional information and materials…We give you the opportunity to opt-out of receiving promotional electronic mail from us by following the opt-out instructions provided in the message.” They are encouraging users to use an unsubscribe link in a spam message. Informed users know this is a bad idea, as it signals that an e-mail address is actively in use.

  • Bug: Keybase does not sign their e-mail messages, thus exposing their users to phishing attacks. Keybase, Inc. again demonstrates they don’t eat their own dog food.

  • Deception: They say files are end-to-end encrypted, but this legal loophole gives them immunity for any shenanigans in that regard: “We collect and store files and information that you transmit to other parties using the Service or that you elect to store on the Service.”

  • Deception: This appears on the Keybase website: “The Keybase website is ok, but the Keybase app is faster, safer, and more powerful than doing it in a browser.” When they say the “website is ok”, it’s a gross oversight to imply that you can rely on the website alone when doing so entails forfeiting access to inbound messages (for which the collection cannot be disabled). And when they say the “app is safer”, it’s a lie.