[messaging] key validation rules for today

Evan Johnson evan at lastpass.com
Tue Sep 9 10:02:05 PDT 2014


This may be slightly off topic to key validation, but imho the ugliest part
of keybase is the URL paths. For example, I may have registered
github.com/user1 and keybase.io/user1, but an attacker may control
twitter.com/user1.

I believe many users will believe twitter.com/user1 == github.com/user1 . I
was able to do a similar attack previously and impersonate one of the
keybase founders.

E

On Tue, Sep 9, 2014 at 12:43 PM, Tony Arcieri <bascule at gmail.com> wrote:

> On Tue, Sep 9, 2014 at 9:33 AM, zaki at manian.org <zaki at manian.org> wrote:
>
>> Keybase uses tweets and Gists instead of bios because they are
>> timestamped unlike bios.
>>
>
> It also has the effect of driving you to the Keybase site to obtain
> fingerprints, as users are publishing signatures under an unknown key
> (which is weird and a bit gross)
>
> --
> Tony Arcieri
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>
>