Ask HN: Does anyone actually use Keybase?

59 points by aportnoy ↗ HN
Every other HN profile lists a Keybase public key and a proof, but has anyone actually needed to prove their identity on HN? Does anyone use Keybase for encrypted communication?

72 comments

[ 3.9 ms ] story [ 141 ms ] thread
Why would anyone tell you if they did?
Why would anyone want to hide that? Not an expert in security, maybe I don't have the mental model.
It's just a way of minimising your footprint. If you google me, and can't find what services I use, it makes it that much harder to try and find a foothold into hacking something, or building up a profile.
Then you wouldn't be using Keybase if that was part of your threat model - since a significant point of using it is to tie together and prove identities across some popular sites on the net.

See: https://keybase.io/nadya

This is why I use a different username on each site. Some people use the same username on HN, github, reddit, gmail, etc. (and then they complain about internet privacy and being tracked.)
It's hard enough to get people to use signal...
I created an account last week, but I haven't used it yet.
(comment deleted)
I don’t, but I’ve rarely needed to send files etc to other hacker news users.

I would LOVE it if I could use keybase to send a copy of my passport to companies (for example) which is nessesary for day to day life, and always done in a redicously insecure way. :(

To be clear, I 100% support keybase, and if I thought there was a chance in hell of getting some other non-tech person to use it, I would put in the effort.

I just don’t see myself being able to convince some recruiter, or HR person or something to sign up and install keybase just to get a file from me

I'd be more worried about where they store that passport picture instead of how it gets there.
I've thought about this problem, specially in LATAM countries were gov agencies are still ages behind in terms of security/compliance and sharing these type of documents. There is definitely a need for this.
I've been using it for encrypted communication for years, but I only provided an HN identity because I was essentially collecting stamps.
specifically to prove my identity? no.

i used the filestorage/filesharing earlier and was happy about the git repository support though.

there were however very few of us, and we all dropped it when they jumped on the crypto currency wagon.

I use it solely for hacker cred.
I’ve had others use their browser-based encryption form to send me sensitive data before — that’s pretty handy.
I used it to sign my "will"...reading this reminds me I gotta get a real lawyer to take a look at that!
It has mostly replaced gpg in my usage. It's not common, but it's present. HashiCorp Vault has a nice integration.
My current team and I use it to share files for the most part.
Few engineers at my start-up were using keybase to share credentials between them, as well as between company and/or personal laptops. A lot of information was exposed to the wild internet (machine names, developer names, connection between them,...) posing a clear security risk. My experience is that most engineers do not understand how to safely use keybase at that point.
How is that information a security problem greater than say LinkedIn?

Also, I'm curious where machine names were being exposed in Keybase?

Machine names, example from a Keybase founder: https://keybase.io/chris/devices
You choose those names when you add the device. It can be anything.

That said, it would probably be good if they added a note saying that the device name you choose is public, which is not really clear in the current UI.

I use it. I've been impressed with all the improvements they've made over the years. I've struggled to get other people to use it though, but I have had some success and when I've talked other people into signing up it has worked well.
I've reached out to people with it, and it turns out that they actually respond! Who'd've thunk? It's nice for encrypted cloud storage too.
Yes, I use its git feature for certain projects, and have used it for chat for a while. I have found if I come across a developer who has a profile its the easiest way to get in touch with them.
I've started using kbfs for personal notes and encrypted git for financial planning code.

We're also trying Keybase out as a family chat channel. I really like the CLI interface and the integration with kbfs, and of course the e2e encryption. We're probably going to stick with Slack for now, though, mainly because it runs on Chromebooks.

I have used Keybase since it first showed up on HN for Comms and Git. Technically I have done the proofs for identity, but no one cares about that.

The Git usage was really nice. It's fast and secure. While I didn't use it for most projects (because I want them on github/gitlab for various reasons), it was very useful for backing up machine specific configs and history (using a script and mackup). Knowing that it was well encrypted made me not worry about what was being backed up, if there were credentials, etc.

As for comms, I used the 1:1 chat with a friend for quite a while. While it worked, it's slow. Sending messages is a little slow, sending images is VERY slow. Anytime the app is closed (like constantly on the phone), re-open times were slow (for decryption). Eventually I gave it up and moved those few chats over to Telegram (Because it's secure enough for most conversations).

Did you consider Signal when you moved to Telegram, if so any particular reason(s)?
I tried Signal and Telegram. But I prefer Wire instead. Its secure by default, cross-platform, multi-device, and simple enough for Mom & Dad to use.
How does that differ from Signal?
No Signal Web app. So, not as cross-platform.
Wire & Telegram are both cloud connected, while Apps on the Signal protocol depend on your phone to be functioning and in reach AFAIK (huge annoyance/problem for me).
That's not true about Signal. You may probably be facing some bug that should be reported to the Signal team.

Telegram is completely cloud based. So all your conversations, except secret chats that are end-to-end encrypted, are stored on Telegram servers in plain text for as long as your account is active. This is why you can get a new device, activate it for your account and get all your conversations back on it from the Telegram servers.

Wire and Signal work differently. They use their servers as a temporary storage to hold your messages until the recipient comes online and then deliver them. Wire also retains the messages for a few days to allow delivery to multiple devices that a user may be using, with each device possibly coming online at different times. Signal doesn't have to support this because it's tied only to a single device, which is your phone.

Not the GP, but Telegram > Wire > Signal on user experience, features, message delivery speed, etc. There's simply no comparison at all on these aspects.
Our team uses it to share sensitive docs (logs, user details, api keys etc.) and occasionally as a secure chat channel (i.e. if we want to communicate off work Slack).

I have a copy of some important docs (taxes, etc.) in my private KBFS.

The Keybase filesystem docs still contain the text:

"At the time of this document, there are very few people using this system. We're just getting started testing. Note that we could, hypothetically, lose your data at any time. Or push a bug that makes you throw away your private keys. Ugh, burn."

And considering that kbfs is one of the more mature parts of Keybase, it has never inspired confidence in me that any of it is really ready for serious use.

Keybase is shitty. They had the ambition to somehow build a new generation of keyservers, they built it using technology that could easily be a distributed protocol and then they made it a completely centralized and commercial bs crypto startup. So much waste since keyservers and distributed identity (and reputation, and naming system in general) is a field where everything is still to do. They could have overthrown DNS (machine names) and HTTPS (certified names; any CA-based ssl system) and google contact ("people" names). I'm very salty that they've diverted so much hype in that area for so few results.
Yes, mostly as a means of verifying identity across accounts.

I'd probably pay a few bucks a year (thinking 20) for the base identity service, if we're being frank. Even if the only separation between a free tier and a paid tier is e.g. more service integrations and an uptime SLA... sure, why not?

I deleted my account after not using it for a long time for anything.