If the device is removed, the app on that device should react by deleting all keys immediately and then deleting all encrypted files residing on it. I'd also like to propose that the keybase app periodically poll the server to see if the device has been removed/blacklisted.

If they manage to unlock your phone they will now have access to all your keybase chat history, which could be detrimental for people besides yourself.

A simple PIN lock with adjustable timeout is VITAL for keybase to be a serious secure messaging tool. Or imagine you are an activist trying to stop a coal mine from being built and your phone is confiscated by police. Someone now has access to all your chat conversations and history. Imagine if you were on a busy train and your phone was snatched out of your hand just as the doors were closing. Since keybase is used on phones and laptops, a PIN is absolutely needed. The PIN idea is great as most security-sensitive apps include the feature. While PIN-locked, terminal keybase commands are also restricted. That's no more secure than any crap web service with 2FA, and it already has the functionality to do this.

Basic PIN for all apps, and a setting to set how many minutes until it is set. I'd also like if keybase did not allow sign-ins on new devices without adding the device from another device. CAVEAT: I just don't remember if that's the case. Losing the pin means re-installing the app, and signing in per the usual for that device. Keybase desktop app (and mobile app) should be able to configure a non-synchronized pin for each device which is stored locally only. I'd suggest, at minimum, a pin for each device as a basic security safeguard. Given the large number of services associated with keybase, it makes sense to give options to increase the friction.

Without some friction, even a small amount, it's too easy. My security-conscious applications would do the same. Keybase providing zero options is irresponsible.
My passwords are all master-key protected, but that's just me. Not necessarily, right? I personally don't have sign-in on Chrome or Firefox. Chrome saved passwords, bad password conventions, etc. Of which, if they have physical access they could basically find a way to do this regardless of any other factors. However, an app that allows password-less access to an account by default, and has no options to enable passwords, is in my mind a vulnerability by default.

All of this is assuming someone has access to your PC. It will prompt for the password that you enter in Step 3.g. I wouldn't necessarily call this an attack vector; that, and the "safeguard" is as simple as not letting anyone with possible malicious intentions use your user account.

Agreed, changed the title. To export the Private Key, enter the command below: `gpg --export-secret-keys -a keyid > privatekeyname.key`.