A recently released Chrome extension, developed by the public key crypto database Keybase, brought end-to-end encrypted messaging to several apps this week.
Keybase, a service that allows users to identify themselves with a public encryption key, introduced its end-to-end encrypted chat feature back in February, but the Chrome extension – unveiled Wednesday – bridges the service’s chat functionality to apps such as Twitter, Facebook, and Reddit.
https://twitter.com/malgorithms/status/867438467390812160
The extension drops a round, blue button onto user profiles on services such as Reddit and GitHub. Once clicked, the button displays an embedded chat box – within the app – that allows Keybase users to message individuals, provided they’re also using Keybase.
According to a FAQ on the feature, posted Wednesday, the extension passes the text to Keybase, which encrypts the message, then sends it through the service’s chat feature. Even if a recipient hasn’t joined Keybase yet, the service claims it will encrypt any messages sent to the user and decrypt them whenever they join Keybase.
Similar to chat apps like WhatsApp and Signal, messages sent via Keybase can’t be read or retrieved by Keybase since they’re end-to-end encrypted.
“At no point in Keybase’s protocol does Keybase ever have the keys necessary to read your messages. This is end-to-end encryption, powered by the convenience of public social media usernames,” reads a description of the extension on the the Chrome Web Store.
Keybase verifies users through social media services such as Facebook, GitHub, Twitter, Reddit, and Ycombinator’s Hacker News site, meaning users on those platforms can now use Keybase’s encrypted chat feature to send messages.
According to Andrey Petrov, who helped develop the feature, the project blossomed out of an idea: “A ‘keybase chat reply’ button in Reddit threads.”
“Building on top of the extension menu, I prototyped a feature which passively queried Keybase whenever a profile was visited. If the profile had a Keybase account then the extension icon would light up,” Petrov wrote Thursday, “The idea was to increase the social proof impression of profiles which are also verified on Keybase.”
The extension relies on Chrome’s native messaging API, which speaks with a process that issues commands to Keybase.
“NativeMessaging works by running a whitelisted process (kbnm, written in Go) and communicating over STDIO,” Petrov wrote Thursday, “We whitelist the extension ID and binary path when the Keybase app gets installed. Other extensions can’t connect to it unless an explicit whitelist for their extension ID also is written to disk.”
https://twitter.com/shazow/status/867752923811524609
Petrov says support for other browsers “will come once things settle down a bit.” Until then can use open source code for the extension, made available on GitHub earlier this month, to experiment porting it to non-Chrome browsers.
Crypto experts, like Filippo Valsorda, who works on Cloudflare’s cryptography team, lauded the extension Wednesday.
Huh, @KeybaseIO basically built the encrypted DM Twitter never did. https://t.co/huxn937qsQ
— Filippo Valsorda @filippo.abyssdomain.expert (@FiloSottile) May 24, 2017
Currently direct messages on Twitter aren’t end-to-end encrypted. Jack Dorsey, the company’s CEO told NSA whistleblower Edward Snowden in a Q&A in December it would consider implementing a function.
reasonable and something we'll think about
— jack (@jack) December 14, 2016
Facebook rolled out end-to-end encryption for its Messenger service in July 2016 with a feature called Secret Conversations but it’s not on by default. On the mobile app users have to click the recipients’ name and click “Secret Conversation” in order for communications to be encrypted from one device to the other. The feature isn’t available via Facebook’s standalone website.
Keybase’s extension – assuming users are on the service – helps do away with the need to know a recipient’s personal information in order to communicate with them. Apps such as Signal and WhatsApp encrypt communications but in most instances a user still needs the recipient’s phone number or email address in order for those apps to find the right user.