from Hacker News

Introducing Keybase Chat

by aston on 2/8/17, 6:00 PM with 192 comments

  • by malgorithms on 2/8/17, 6:23 PM

    OP here! I had to trim the post down for brevity, but I thought the HN community in particular might be interested in the API side of things.

    Undocumented in the post: you can invent channels for app-to-app communication from the JSON API. For example, it's possible with Keybase chat to have a program posting encrypted messages for another person or program, without cluttering up the visual chat interface.

    Also - to test chat we've cut the invitation requirement. You should be able to try the app without anyone inviting you.

  • by bgentry on 2/8/17, 7:28 PM

    This really does look great.

    Edit: since I haven't been running Keybase for the past 2 weeks, I missed the fact that they disabled continuous background proof verification due to my concerns: https://github.com/keybase/keybase-issues/issues/2782#issuec...

    Good on them! The rest of this comment is not actually applicable anymore and you should give Keybase Chat a try :)

    Original comment:

    -----------------

    My biggest concern with it, however, is that the Keybase client is now frequently verifying all my contacts' proofs. Many of these verifications are for personal websites and are done over port 80 or involve DNS lookups that my contacts control.

    This leaks a great deal of metadata over the network about who my contacts are, and makes it easy for a hostile network to determine who I am if I'm running the Keybase app.

    I reported this on GitHub when I noticed it and have unfortunately not been regularly running the Keybase app since: https://github.com/keybase/keybase-issues/issues/2782

    I hope they decide on some sort of fix for this. They could at least not do verifications over insecure connections and arbitrary 3rd party DNS lookups without my explicit approval.

  • by cgijoe on 2/9/17, 3:39 AM

    Warning to all OS X users: The Keybase Chat desktop app does a number of shady things that ultimately led me to delete it from my system. I am writing this purely as a public service announcement, to those who worry about installing unknown apps on their Macs. The Keybase Chat app:

    (1) Requires administrator privileges to launch on first run, to install a "Helper Tool". The app does not explain what this tool does, where it lives, nor does the Keybase website.

    (2) Installs a login (startup) item without asking permission, so Keybase will auto-launch on every boot.

    (3) Installs a Finder Favorite in your Finder sidebar, without asking permission.

    (4) Installs /usr/local/bin/keybase without asking permission.

    (5) Installs /Library/PrivilegedHelperTools/keybase.Helper without asking permission.

    (6) Installs /Library/LaunchDaemons/keybase.Helper.plist without asking permission.

    (7) Installs ~/Library/LaunchAgents/keybase.* (3 files) without asking permission.

    (8) Runs permanently in your menu bar, even if you quit the main app.

    These things may all have good reasons and be benign, but they are too shady for me, so I deleted the app and all the files listed above. Apologies to the devs.

  • by Meph504 on 2/8/17, 8:03 PM

    Umm has anyone read the license for this application?

    https://keybase.io/docs/terms

    When providing Keybase or the Service with content, such as your name, username, photos, social media names, data or files, or causing content to be posted, stored or transmitted using or through the Service (“Your Content”), including but not limited to the Registration Data and any other personal identification information that you provide, you hereby grant to us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, transferable (in whole or in part), fully-paid and sublicensable right, subject to the Privacy Policy, to use, reproduce, modify, transmit, display and distribute Your Content in any media known now or developed in the future, in connection with our provision of the Service. Further, to the fullest extent permitted under applicable law, you waive your moral rights and promise not to assert such rights or any other intellectual property or publicity rights against us, our sublicensees, or our assignees.

    That's a bridge too far, and someone needs to dial this back.

  • by x1798DE on 2/9/17, 12:56 AM

    The continued fragmentation of chat into walled gardens is really annoying. I feel like Matrix has done a good job not only designing their protocol to be open and federated from the start, but also in that they are actively working to provide bridges to other services. It would be really nice if keybase would work to federate with Matrix servers.

    (Link to Matrix service, since they have an un-googleable name: https://matrix.org. The only working client that I know of at the moment is https://riot.im)

  • by Jaruzel on 2/9/17, 9:16 AM

    Why do all new chat clients look like Slack? We're rapidly moving towards a monoculture of chat UIs.

    I'd like to see a return to less intrusive chat apps, with more minimal UIs that don't take up most of the desktop real estate. The most common screen resolution out there? 1366x768. I kid you not. IRC has its many flaws, but the clients still understood the meaning of good information density.

    People seem to forget that chat is a communication medium first and foremost, and not a multimedia based experience.

  • by problems on 2/8/17, 10:53 PM

    I disagree with the idea that allowing backup/restore of conversations defeats forward secrecy. There's a big difference between decrypting past conversations and decrypting chat logs. I have full control over my chat logs, I can choose to delete them, not store them with some people, encrypt them with a different password and rotate them monthly, etc.

    Even Signal and other apps store all your messages on your device, optionally locally encrypted.

    Forward secrecy is so that you can't just steal the key and network traffic and get _all_ past messages, regardless of whether or not I wanted to archive them. And getting my live key doesn't mean getting all my archived logs.

  • by fiatjaf on 2/8/17, 9:21 PM

    > What if we're living in a simulation?
    >
    > Keybase offers no guarantees against sophisticated side-channel attacks by higher-level entities.

    ahahah, that's great!

  • by primigenus on 2/8/17, 7:21 PM

    Hey malgorithms, this is great! I check the Keybase website every month or so for updates and discovered yesterday that there's a new logo, replacing the old thieving dog/ferret/raccoon with what appears to be a person's head with their hair in a bun holding a key. Can you give some background on the thinking behind this logo redesign? (Sorry it's not a question about chat, per se)

  • by coffeemug on 2/8/17, 7:22 PM

    That looks spectacular, can't wait to try it tonight. Hope this software can overcome the network effects of existing systems. End-to-end encryption is really, really important, but I feel like the real game changer is being able to instantly chat with anybody online by just typing in their username.

  • by alexkadis on 2/8/17, 6:51 PM

    Is it technically possible for Signal/Whatsapp to use Keybase keys in lieu of phone numbers? If so, how practical would it be to add this as an option?

  • by chias on 2/8/17, 7:34 PM

    This is fantastic! I've been playing with it for a bit, and I'm loving it.

    Question: since (encrypted) chat history is stored on keybase servers, does my chat history count against my KBFS quota? If so, how do I clear it out? If not, how do you mitigate against someone building a pseudo-FS on top of chat messages for free unlimited storage?

  • by adrianpike on 2/8/17, 6:47 PM

    Wow, this is awesome! A colleague and I were just recently discussing how badly we feel the need for "encryption-first" chat software - not tools that sell it as a feature, but tools that make it _the_ feature.

    Great work KB team!

  • by hollander on 2/8/17, 7:57 PM

    This looks great, but if you want this to work, you need Android and iOS support. When is that going to happen? Is that going to happen?

  • by pfraze on 2/8/17, 6:48 PM

    Thoughts from skimming the post:

    Using all of the associated accounts across services to do user lookup is really quite cool, and the CLI integration and public broadcasts look very fun. Nice work there.

    Multi-device key management is one of the hardest tasks for end-to-end, but that's been taken seriously from the beginning by keybase, and I'm leaning toward optimism. The UX decisions for forward secrecy seem pretty reasonable as well.

  • by Nadya on 2/8/17, 7:18 PM

    It'll be interesting to see if I ever receive messages from my fellow HN users now that it's a bit easier to do so without navigating my website to find my email address. I doubt it, but still.

    I'll give it a run when I get home today. Since few of my contacts use Keybase, or would have any interest in Keybase, this is less "Wow! Awesome!" for me than the release of KBFS was - but it's still pretty cool.

    I love how Keybase is expanding to be more than just a collection of "internet personas verified by a PGP signature" and am interested in what else you guys may have in the works.

    E: Updated my profile info to make mention of Keybase Chat. And I don't even have it yet. ;)

  • by Walkman on 2/8/17, 11:39 PM

    This is the last time I spam a Keybase thread with invite codes :)

    https://keybase.io/inv/6953921e2f

    https://keybase.io/inv/637bfd5d42

    https://keybase.io/inv/20be67f672

  • by exabrial on 2/8/17, 9:33 PM

    I love keybase. I am waiting for a password manager solution from them

  • by philip1209 on 2/9/17, 12:38 AM

    This could be a great way to securely alert Github project maintainers about security vulnerabilities.

  • by ryanmarsh on 2/9/17, 1:44 AM

    The "forgot your password" flow on keybase.io explicitly tells you whether or not the email address you enter has a valid account. Is this ok?

  • by martyvis on 2/9/17, 2:32 AM

    111MB for the setup download (at least on Windows)?! What's in it apart from a chat app and encryption library?

  • by homakov on 2/9/17, 6:38 AM

    How did you manage to make Keybase.dmg 72MB when any Electron app is 120+?

  • by bballard1337 on 2/9/17, 6:01 PM

    This is the reason I am so excited about Keybase. I can't comment on the integrity of the software but the vision is there. All encrypted everything is where I see the future of the internet.

    Does anybody know if they are working on a mobile app for at least the chat system? I don't necessarily need the whole desktop app on the phone but encrypted chat would be fantastic. (Currently using Signal but would be open to using everything keybase in the future)

  • by mxuribe on 2/8/17, 8:58 PM

    Sorry, I'm a little confused: is this a chat app client that still requires a central server to route messages around?

  • by daurnimator on 2/9/17, 1:51 AM

    Why doesn't this seem to be in a release? The last release of the client was back in October: https://github.com/keybase/client/releases/tag/v1.0.18

  • by rabidrat on 2/8/17, 7:31 PM

    I would love to have a linux curses client for encrypted chat. Something that irssi can connect to, perhaps?

  • by SamPatt on 2/8/17, 9:46 PM

    I don't use Keybase on a regular basis yet but every time they announce something new I check it out again, and every time I'm impressed. I'm not sure what it will take for me to make the switch and use it regularly but if they keep this up I have no doubt it'll happen.

  • by zokier on 2/8/17, 8:37 PM

    I'm not really sure about Keybase accumulating more and more services instead of focusing on integrating to existing ones. One of the initial attractions of Keybase (to me at least) was how the system was very simple, transparent, and not really dependent on keybase.io.

  • by johnflan on 2/9/17, 2:15 PM

    It seems that this app and Slack are hugely influenced by the iPad style of app design. Why can't we have a window per chat session on the desktop and why do desktop users get wrapped apps? Is this an indication of the lack of perceived importance of the desktop?

  • by EGreg on 2/9/17, 2:46 AM

    Hey Keybase, I have a question for you guys:

    What if we launch our own apps and websites that would allow users to claim they are X on website Y. Do you have a way for them to use their public/private key pair from their keybase clients, to sign these claims?

    I do not necessarily want these claims to be publicly available to everyone on website Y. I want them to be privately transmitted between website A and B, so people can't be tracked between domains.

  • by IanCal on 2/9/17, 6:42 AM

    Argh! Please remove the typing animation! It's flipping between one two and three lines jerking the whole screen around on my phone.

  • by kseistrup on 2/9/17, 12:07 PM

    Shameless plug: Before the Keybase [GUI] Chat was invented I hacked together this simple text-based client that uses twtxt formatted files to store private chats between two keybase users:

    https://github.com/kseistrup/kbmsgr

    PS: It doesn't use the Keybase chat API, and it never will.

  • by woodruffw on 2/8/17, 8:04 PM

    Awesome! I've been using this for the past few weeks on and off, and the user experience is very pleasant.

    Now that I know about the JSON API for chatting, I'll have to add it to my unofficial Ruby interface[1].

    [1]: https://github.com/woodruffw/keybase-unofficial

  • by Splendor on 2/8/17, 10:14 PM

    So how does this compare to Slack's free tier? Is there a user limit, channel limit, message history limit, etc.?

  • by amingilani on 2/9/17, 11:20 AM

    If you need an invite, hit me up on Twitter! If you're trying to find a random person on the internet to chat with and test this out, hit me up on Keybase! :)

    Use my HN username.

  • by kristianp on 2/9/17, 5:22 AM

    Why does the page have 112px of top padding? Seems like a waste of space.

       body {
           overflow-x: hidden;
           padding: 112px 0 50px;
       }

  • by perrohunter on 2/8/17, 9:25 PM

    Do you think this could end up the same way OpenID did?

  • by Dangeranger on 2/8/17, 8:29 PM

    Saw this yesterday in the app, tried to use it and it failed.

    Works like a charm today.

    This should be very nice for ad-hoc secret exchange.

  • by james_pm on 2/8/17, 8:24 PM

    The --public broadcast messages are interesting. Is a Twitter-style service part of the plans?

  • by mikaelf on 2/8/17, 8:45 PM

    Played around with the chat in beta and it's super neat! Keybase really is keybae.

  • by brett40324 on 2/8/17, 11:54 PM

    Key gen less than two minutes from phone - all around great UI signing up!

  • by warcode on 2/9/17, 12:58 PM

    I tried to set the proxy setting but it still does not work?

  • by wslh on 2/8/17, 7:58 PM

    If I don't have a keybase account, can I use this app?

  • by lightning1141 on 2/9/17, 2:08 PM

    I think this tool is very cool.

  • by fiatjaf on 2/8/17, 8:45 PM

    What is this paper key? I don't want a paper key! Now I have to write this and keep it in my pocket? No!

  • by rbcgerard on 2/9/17, 3:01 AM

    iPhone app please! Until I can use it on my iPhone it's not that useful...

  • by misiti3780 on 2/8/17, 8:07 PM

    This looks like a great codebase! Thanks so much for open sourcing this.

  • by lewisl9029 on 2/9/17, 4:14 AM

    This looks absolutely amazing!

    Any plans for a web client for chat?