“I bet that wasn’t in your threat model.”
So the future of Keybase, perhaps CLDC’s most capable and secure recommendation for dissident organizers, is now in doubt, because of COVID-19. Thanks, coronavirus!
The story so far: Zoom became very, very popular in a very, very short time after stay-at-home orders sent companies, universities, doctor’s appointments, yoga classes, and everything else to Zoom for video conferencing services. Then the Intercept and CitizenLab pointed out that Zoom’s crypto is terrible (and we have been pointing this out for years). This put huge pressure on Zoom to up their security game. And they did it by buying possibly the best secure messaging app out there—Keybase—plus the Keybase team and all of its assets.
The first thing we need to emphasize: now is not the time to jump ship and delete your Keybase account. In the short term, the Keybase servers are still up and running, the app is still available (with a major update promised soon), and it still uses robust, open-source crypto. In fact, what makes Keybase particularly strong is its emphasis on precluding attacks by the Keybase team itself*, and that is still true.
But, in the long term, what are the best-possible and worst-possible outcomes?
In the worst case, Keybase stops being developed and is no longer available. We don’t expect this would happen within a year. Zoom may adopt some Keybase features (end-to-end encrypted team messaging), but make them available only to giant corps with giant budgets.
In the best case, Keybase’s priorities take root at Zoom (strong, verifiable encryption, open-source development), and Zoom provides an open-source client that does everything Keybase does plus end-to-end encrypted web conferencing.
According to Zoom, within two weeks (Friday, May 22, 2020) a new “detailed draft cryptographic design” will be released as the basis for consultations with experts and civil society to refine their approach. We’ll see.
So, what do we recommend right now?
- Please keep using Keybase if you are already using it and feel safe, secure, and empowered doing so.
- Establish an alternate secure channel (always a good idea!) to reach your contacts, such as Signal, Wire, or Protonmail (which has gotten much better!).
- Back up any files you have in Keybase (which you should always do anyway).
- If you are considering adopting Keybase, do so knowing that while it is safe to do so, things could change a lot over the next year (which is also always true for everything in the infotech world).
The CLDC Digital Security team continues to explore alternatives and we’ll keep you posted on Keybase itself and promising alternatives. Stay tuned, and stay safe out there.