
Official Keybase extension for Chrome - endetti
https://keybase.io/docs/extension
======
shazow
Hey HN, I'm the primary developer of the extension, let me know if anyone has
questions.

We've been experimenting with a bunch of different ideas and features—most of
them you can enable/disable in the extension's "options". We launched a
Reddit-focused extension last month but this release embraces all of the
social networks that we support.

I'll be writing up a blog post soon, particularly about how we use the
WebExtension NativeMessaging API to communicate securely with the Keybase
service.

~~~
lettergram
I built my own chrome extension using keybase over a year ago, which I called
AnyCrypt:

[http://lettergram.github.io/AnyCrypt/](http://lettergram.github.io/AnyCrypt/)

I use it with a few friends, it isn't super secure (in the sense I store
people's private key locally). The real issue I had was twofold:

1. You guys really didn't want me pulling the private key from your servers.
Although it was possible, I had to decode all the work you guys did, which
sucked.

2. It wasn't seamless, i.e. I had to do some right clicking.

The one benefit I see on my current method, is I can use any chat to
communicate. I already use signal, have encrypted emails, etc. So what do I
gain using this extension?

~~~
shazow
Hey, AnyCrypt looks cool!

Sorry to hear about your troubles reversing the key infrastructure. I'm not
involved in that part of Keybase, but if you'd like to discuss it further I
can put you in touch with the right people if you PM me.

Regarding what you're gaining with the extension: Our goal with the extension
is to improve workflows for Keybase power users, and generally make it a
little more user friendly/convenient in some scenarios.

As to what you gain from using Keybase: It's a much more sophisticated product
than Signal or encrypted emails. A core proposition is cross-verified social
proofs. You can Keybase chat with shazow@twitter and have a strong guarantee
that it's also shazow@hackernews. The way Keybase does key management and
device provisioning is very cool too. And did I mention file storage and
sharing? And more coming soon!

------
graphememes
Stopped using Keybase after installing the Windows graphical interface and it
became increasingly intrusive to my daily workflow. I only log in to Keybase to
obtain secrets from co-workers. If you don't log in to Keybase, quitting the
interface on Windows is extremely annoying and embedded deep in a custom right
click interface.

Then, once it has been quit, after some time it will randomly start again
asking you to sign in, jarring you from whatever your current focus is on.

I've uninstalled it completely and moved on, very sad because I had high
hopes.

~~~
Nadya
I think this had only happened once to me, but I rarely sign out or close
Keybase so I wouldn't be one to experience it frequently.

Are you sure you are _quitting_ the program and not _closing_ the program?
Many programs nowadays continue to run in the background after clicking close
but do not actually quit the program, seemingly confusing the close button
with the minimize button. I think Keybase does this but I'm not home to test.

Most of the programs I'm aware of that do this terrible behavior are chat
programs (Discord, Slack, maybe Keybase, maybe Teamspeak, Skype, etc.) and on
most of these it can be disabled in the settings somewhere to _actually quit
the program_ when you close it.

~~~
graphememes
Yes, quitting the application completely, closing it just minimizes to the
taskbar context menu, from there you can right click, the custom interface
shows, click the hamburger menu, click quit. I completely quit every time for
it to randomly start afterwards.

------
gaxun
I've been trying out this extension for a few days.

What I would really like to see from this extension is a 1-click way to sign
any message I'm writing, anywhere on the internet. Along with that would be
the ability to verify that a keybase signature found in the wild belongs to a
particular keybase user. Then I can initiate out-of-band discussions with the
author of a comment on someone's blog, not just with a Reddit or Hacker News
poster.

Having the keybase chat button appear next to posts on sites like Reddit, HN,
etc. seems like a great step toward a "metaweb" platform as well. For example,
I could let someone know about the typo in their post via keybase chat, rather
than polluting the public comment stream.

Very excited.

~~~
j2kun
I second this. Rough sketch: detect a text input I'm typing in, add a little
button that says "sign and send", which when clicked adds a signature to the
message and submits. If the extension sees this on a forum, verify the sig in
the background and inject a little check mark next to the username if it
checks out.

------
perfmode
General Keybase question:

How is it possible to (1) send a message to someone before they've signed up
and (2) prevent Keybase from being able to decrypt the message? This is a
surprising capability. Didn't realize it was possible. I'm curious how.

~~~
malgorithms
From the beginning of Keybase, we considered this specific user flow very
important.

(1) if there's no one on keybase who matches your "assertion", say a certain
twitter account or HN account or whatever,

(2) the keybase app encrypts it just for yourself, but signs a message (for
yourself) declaring the assertion

(3) when someone _proves_ that assertion publicly, by joining keybase and
connecting an account, they are announcing and proving ownership of key(s),
and proving publicly they have control of that account and keys

(4) the keybase server wakes up your app and tells it to verify your assertion
is now satisfied, and

(5) your app checks the announcement by actually visiting Twitter and then, if
the crypto is good, rekeys the data - there's nothing for you to do other than
to have the app running, since the human steps were already done back when you
made the assertion by writing the message.

Depending on how loosely you use the term, this is a type of TOFU (trust on
first use): you're trusting that the assertion provider, say, Twitter, doesn't
steal an account out from underneath one of its users, or the user doesn't
lose control of her/his account. Note that this would be publicly discoverable
because all announcements are written publicly to Keybase's merkle tree.

This is just about the best imaginable key establishment we can think of
without meeting in person. It's certainly better than, say, trusting a
key service to map a phone number to a public key. And it's safer than posting
PGP fingerprints or public keys on Twitter - in that case there's no way to
tell if everyone else is getting the same answer as you.

edit: formatting
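
The five steps in the comment above, as an added Node.js sketch that is not part of the original post and is not Keybase's code. Assumed for illustration: Ed25519 for signatures, X25519 plus AES-256-GCM for wrapping, a constructed JSON proof statement, and the hypothetical names `sendToAssertion`, `makeProof` and `rekeyIfProven`.

```javascript
// Simplified model of the five steps; not Keybase's code or wire format.
const crypto = require('node:crypto');
const spki = (k) => k.export({ type: 'spki', format: 'der' }).toString('base64');
function seal(key, plaintext) { // AES-256-GCM with a random 96-bit nonce
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}
// Wrapping key: X25519 shared secret hashed to 32 bytes (assumed construction).
const wrapKey = (priv, pub) => crypto.createHash('sha256')
  .update(crypto.diffieHellman({ privateKey: priv, publicKey: pub })).digest();
// Step 2: nobody matches the assertion yet, so only the sender holds the data key.
function sendToAssertion(assertion, text) {
  const dataKey = crypto.randomBytes(32);
  return { assertion, dataKey, box: seal(dataKey, Buffer.from(text)), wrapped: null };
}
// Step 3: the newcomer posts a signed statement binding the account to their keys.
function makeProof(assertion, signPriv, encPub) {
  const statement = JSON.stringify({ assertion, encKey: spki(encPub) });
  return { statement, sig: crypto.sign(null, Buffer.from(statement), signPriv) };
}
// Steps 4-5: the server's wake-up is only a hint. The client fetches the proof
// from the account itself and rekeys only if it matches the announced keys.
function rekeyIfProven(pending, senderPriv, announced, fetchProof) {
  const proof = fetchProof(pending.assertion);
  const expected = JSON.stringify({ assertion: pending.assertion, encKey: spki(announced.encPub) });
  if (!proof || proof.statement !== expected) return false;
  if (!crypto.verify(null, Buffer.from(expected), announced.signPub, proof.sig)) return false;
  pending.wrapped = seal(wrapKey(senderPriv, announced.encPub), pending.dataKey);
  return true;
}
// Constructed scenario: the proven key set passes, a substituted key is refused.
function demo() {
  const kp = (t) => crypto.generateKeyPairSync(t);
  const me = kp('x25519'), alice = { s: kp('ed25519'), e: kp('x25519') }, evil = kp('x25519');
  const ann = (e) => ({ signPub: alice.s.publicKey, encPub: e.publicKey });
  const pending = sendToAssertion('alice@twitter', 'hi');
  const post = makeProof('alice@twitter', alice.s.privateKey, alice.e.publicKey);
  const swapped = rekeyIfProven(pending, me.privateKey, ann(evil), () => post);
  const honest = rekeyIfProven(pending, me.privateKey, ann(alice.e), () => post);
  const key = open(wrapKey(alice.e.privateKey, me.publicKey), pending.wrapped);
  return { swapped, honest, text: open(key, pending.box).toString() };
}
```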

------
pishpash
Any thoughts on Keybase's part on getting into the password management space?
Seems like the infrastructure is all there.

~~~
shazow
Before we settled on building a browser extension, my first proposal was
actually to build a password manager on top of Keybase. It's a very exciting
idea, but also the scope is pretty huge.

Right now the team is focused on getting the Keybase platform to a place where
even third-party developers could build things like password managers on top
of it while getting the benefit of all of the things that make Keybase
special.

------
zokier
Personally I think more interesting would be integrating keybase based gpg
functionality to the sites themselves, like for example GPG encrypted DMs on
Twitter, or signed messages for Reddit.

------
Knight22
I love it. Is there an option or an idea to cache my friends so that the
Keybase Chat Button has another color if there is a known friend using it? :)

~~~
shazow
Not yet but I have a half-working solution. So hopefully soon!

------
SquareWheel
Gave it a try. I like deeper integration with social services, but I'm not too
excited that it's primarily just a shortcut to the app's chat feature (which I
don't really use, honestly).

I was hoping that it would let me send signed/encrypted tweets, or Gmail
messages right on the page. Is that within the scope of the project, or is
everything meant to happen from within the app?

~~~
shazow
Publishing encrypted tweets wouldn't work too well with the character limit
and all, unless I suppose we use images and OCR[0].

For things like encrypting emails inline, we could explore it but I'm not
convinced it's a good use case: To get all the benefits of Keybase (identity
verification, key/device provisioning, improved encryption over PGP), the
recipients would also need to have Keybase installed which means you could
just use Keybase Chat instead.

[0]
[https://twitter.com/shazow/status/605748307688890368](https://twitter.com/shazow/status/605748307688890368),
[https://github.com/Lukasa/entweet](https://github.com/Lukasa/entweet)

~~~
SquareWheel
Fair point on tweet length. I hadn't considered that. Do Direct Messages have
a character limit? I'm unsure.

For Gmail I think it could still make sense for those who have a Keybase
account/key, but haven't yet downloaded the app (this was me for a while).

Just as an example, I have a work contact who I am often exchanging passwords
with. We use Proton Mail for these, and Gmail for everything else. Saying "I
sent you X on proton" is a lot more cumbersome than "here's an encrypted
message", and being able to decode it inline.

We could use Keybase's webapp, but it still requires going to an external site
to encrypt/decrypt messages. So it's not a big enough draw to change our
workflow yet.

I understand the argument that Keybase Chat has more built in benefits, but
sometimes you just prefer email to live chat. It's also an easier sell to
download a Chrome extension once, than download an app and run it 24/7.

Admittedly that's just my use-case. I like to think of Keybase as easily
accessible PGP functionality, so that's where I'm most interested in seeing it
grow.

I know Google's working on the problem I described with their end-to-end
extension[1], but it's been years in development so who's to say when it'll be
ready.

Regardless, I think the product is great. Looking forward to seeing what you
guys put out in the future.

[1] [https://github.com/google/end-to-end](https://github.com/google/end-to-end)

~~~
Zalos
Hi SquareWheel. I use Keybase as a "Here's my Public Key and I am who I say I
am". For e-mail/Gmail I use Mailvelope; it's fairly easy to set up and use. I
recommend you take a look at that in regards to e-mail encryption if you don't
already have a system. You can see more here:
[https://www.mailvelope.com/en](https://www.mailvelope.com/en) And here is a
presentation of Mailvelope from the excellent Hak5 team:
[https://www.youtube.com/watch?v=hDCjhKcA0IE](https://www.youtube.com/watch?v=hDCjhKcA0IE)

------
RonInDune
I love it! A minor question: is there any way to have profiles, so to speak,
so that I can switch between official and 'casual' online identities?

