
Ask HN: Keybase Alternatives?

726 points| capableweb | 5 years ago

Since Keybase is being acquired by Zoom (see https://news.ycombinator.com/item?id=23102430), it would be lazy to not start looking at alternatives already

I myself mostly use the following features from Keybase: Chat, KBFS, Git repositories and encrypting messages sent out-of-band via PGP in Keybase (and the various cryptographic tools [signing, validation etc])

What alternatives have the features outlined above, but are ideally either FOSS or at least not run by a for-profit company? I mainly used Keybase to make using those features easier, so please don't suggest the cli of gnupgp (or similar) as alternatives.

228 comments

[+] lucideer|5 years ago|reply
> I myself mostly use the following features from Keybase: Chat, KBFS, Git repositories and encrypting messages sent out-of-band via PGP in Keybase (and the various cryptographic tools [signing, validation etc])

While all these features are individually nice, I kinda started to worry about Keybase as a product when they started bolting on stuff like this.

I think the key (pun intended) to stable & ongoing success in this space is to focus on doing one thing well. Keybase was incepted as a service for signing & validation. There's currently https://keys.pub for that. I'd be interested to hear if there's others.

For chat, there's a lot of competitors to choose from. I like Riot.im.

For KBFS, Tresorit has been mentioned. I signed up, but haven't been super impressed with their clients yet. I'm not sure what better options are out there.

[+] SkyMarshal|5 years ago|reply
I think the only complete alternative is to successfully persuade the Keybase team to release their server code under an open source license. Their client is already open source.

https://github.com/keybase

The only other alternative is a mishmash of multiple apps that each do part of what Keybase does.

[+] jamieweb|5 years ago|reply
I'm not seeing much mention in this thread of the cryptographically-linked identities feature of Keybase, i.e. where you can link your Website, Twitter, Reddit, HN, etc.

As far as I know, that was Keybase's initial offering, which they then built on top of to create a full suite of applications.

Although to play the Devil's advocate - while the feature is cool and implemented nicely, I doubt that many people actually use it beyond the novelty factor.

[+] samatman|5 years ago|reply
I've had one person use it to find me after a conference, confirm my various online identities (he only had one handle to work with), and contact me securely.

That led to paying work, so it was important even if it only happened one time.

[+] sylvain_kerkour|5 years ago|reply
Hi, I'm developing Bloom[0] which is an entirely FOSS encrypted[1] and offline-first (but with multi-device sync!) productivity app which features Files, contacts, calendar and notes. So no chat nor Git, but everything else :)

If you are interested in joining the (coming soon) beta, feel free to contact me: https://bloom.sh/contact

[0] https://gitlab.com/bloom42/bloom

[1] https://gitlab.com/bloom42/bloom/-/wikis/security

[+] alexriabtsev|5 years ago|reply
Am I right that it's a FOSS alternative to Google apps?
[+] hexandcube|5 years ago|reply
Nice, my only problem with it is that it's centralized.
[+] sunaurus|5 years ago|reply
As a heavy Keybase user, this looks promising. Is the lack of chat a permanent decision, or is it just something that's planned for later?
[+] rasengan|5 years ago|reply
Handshake [1] is a great keybase alternative that doesn’t even rely on centralization. All information is verifiable with the blockchain acting as the root of trust.

[1] https://handshake.org

[+] SkyMarshal|5 years ago|reply
I thought Handshake was a decentralized DNS server. Keybase is primarily a secure chat app. Does Handshake have chat, chat room, and team chat functionality too?
[+] troquerre|5 years ago|reply
I think Keybase pivoted to add more features besides the web of trust functionality. That said, I think there's definitely potential in using Handshake as an identity solution, i.e. if I own my username on Handshake I can point github.username to my GitHub, twitter.username to Twitter, etc. It's pretty easy to do with redirects.
[+] nikolay|5 years ago|reply
Sorry, can't use that - it uses Node v10.
[+] spladug|5 years ago|reply
If you just want to share your public key safely, a .well-known directory on your domain works these days: https://wiki.gnupg.org/WKD
[+] Arkanosis|5 years ago|reply
Just a quick note on WKD since I've been bitten by this a few days ago: as soon as you set it up, some people will start using your keys automatically, without even knowing it (eg. it seems that ProtonMail automatically uses keys found on a WKD to encrypt outgoing mails). While in itself it's not a bad idea, you'd better prepare for this to avoid looking stupid like me, when you receive a casual encrypted mail and you're not able to read it (my private keys are air-gapped and until now I only expected to receive PGP-encrypted mail if it was worth the effort to read it offline).
[+] carapace|5 years ago|reply
Ah that's awesome! I've never heard of that before. Thank you!
[+] dethos|5 years ago|reply
Thanks, this is really useful. I just used Keybase as a reliable location to store and share my public keys.
[+] nanomonkey|5 years ago|reply
Scuttlebutt is an open source p2p gossip network (no central servers) that includes clients that implement chat, blogging, git and github replacements, Shamir's Secret sharing (splitting up a secret by encrypting it so that a number of your friends are needed to decrypt, via Dark Crystal [https://darkcrystal.pw/]), games and probably more that I am forgetting. You could easily place your public keys in your user profile.
[+] efreak|5 years ago|reply
I tried looking up Dark Crystal, but the link doesn't work and neither do the search results. Do you have any more info?
[+] freewizard|5 years ago|reply
I'm expecting Matrix/Riot has some of those like chat, and will develop some more.

And there'll be definitely alternatives, which is the beauty of FOSS.

[+] atonse|5 years ago|reply
I am also curious here. I have used and advocated strongly for Keybase with a couple of local government clients to send sensitive files back and forth (not sensitive in the sense of national security, but more to preserve privacy and store encrypted at rest).

But I want to get ahead of the concern that Keybase is now owned by a Chinese company, which instantly compromises it.

PGP is dead on arrival, since it's an overcomplicated mess.

Keybase felt like WireGuard for its use case, just dead simple and also secure.

Update: I just want to clarify that I am happy for the Keybase team. This is clearly an acqui-hire meant to bolster Zoom's security talent. And as a Zoom user, I'm generally happy about this development. But there will definitely be a concern about them being acquired by a Chinese company.

Update #2: I thought about FooBarWidget and others' comments, and I'm going to alter my wording. Zoom isn't a Chinese company, but their development team has been entirely based in China all this time and there have been concerns about that (which are entirely legitimate for certain groups like governments, in my opinion), especially given their communications aren't e2e encrypted.

[+] FooBarWidget|5 years ago|reply
Zoom is not a Chinese company. The founder merely was born in China. He is a US citizen.

I am very put off by this anti-China rhetoric. Everything that even has a remote connection to China is now under suspicion. This is madness.

[+] rasengan|5 years ago|reply
> Keybase felt like WireGuard for its use case, just dead simple and also secure.

WireGuard, however, is "decentralized" because you can run it yourself whereas Keybase was always a centralized service where you always had to trust someone else instead of yourself or a public blockchain!

That being said, congratulations to the keybase team! :-)

[+] perillamint|5 years ago|reply
It is not important whether Zoom is a Chinese company or not. The problem is, Zoom can't be trusted at all because of their behavior.

They showed us they don't take security seriously at all through their actions. For example, they opened up lots of holes (local HTTP server to bypass the app-open dialogue, local privilege escalation via their webcam/mic hack) on the user's system to provide "better" UX. They just cannot be trusted.

[+] Kinnard|5 years ago|reply
Were you unaware that the founder of Zoom is an American or are you implying that the company is Chinese despite that?
[+] upofadown|5 years ago|reply
>PGP is dead on arrival, since it's an overcomplicated mess.

Er what? The complaint about PGP is that it is too simple. Users have to know too much about how public key cryptography works. The suggested alternatives are much more complex.

[+] cybdnb|5 years ago|reply
Thanks keybase for the free 100$ worth of lumens. You'll be remembered fondly.
[+] lucb1e|5 years ago|reply
Good point, I should move those out. I'll have to ask if a friend can convert the Lumens to Bitcoin so it can be donated to sci-hub.
[+] 3JPLW|5 years ago|reply
What have you done with your lumens?
[+] astrostl|5 years ago|reply
I totally forgot about that. Turns out I have 6000 lumens. Thanks!
[+] divbzero|5 years ago|reply
The Keybase acquisition is a reminder of the potential fragility of using centralized services (root servers, GitHub, CAs) to support decentralized tools (DNS, Git, TLS).

> ideally either FOSS or at least not run by a for-profit company

I agree with these aims, but ideally I’d hope for the alternatives to be decentralized as well.

[+] frellus|5 years ago|reply
Why not Mattermost (https://mattermost.com/)? If the key feature of keybase was encrypted chat, seems like Mattermost solves the problem.

Or Signal?

[+] mawalu|5 years ago|reply
Why would mattermost solve that?
[+] SamWhited|5 years ago|reply
For e2e encrypted chat there's https://conversations.im. I've been using it for a while since it lets me bring my own domain and have been very happy. The Android client supports encryption with PGP keys and OMEMO (a double ratchet like Signal uses with some nice key trust options added on top to make it easy for novices, but configurable by experts).
[+] m4lvin|5 years ago|reply
A few days ago Conversations also learned how to make audio and video calls :-)
[+] karanganesan|5 years ago|reply
Signal App - Completely open source

https://signal.org/en/

[+] expialidocious|5 years ago|reply
Does signal still require me to share a phone number?
[+] nske|5 years ago|reply
I used Signal for more than a year. Unfortunately compared to Keybase's chat, it is buggy, slow and lackluster in functionality.
[+] mvanbaak|5 years ago|reply
Chat: Pick one of the many available. telegram, signal, wickr etc etc

KBFS: personally I switched to gpg encrypting important files on a NAS with encrypted backups to amazon glacier and backblaze.

Git: gitlab, github, bitbucket (just to name a few)

Encrypted messages out-of-band: Just use plain pgp/gpg

[+] tonyarkles|5 years ago|reply
> Git: gitlab, github, bitbucket (just to name a few)

None of those hide the contents of your repo from the company that's hosting it. I suppose self-hosted Gitlab hides it the same way that Keybase does (the company's software sees your repo, but it's not stored in plaintext on their disks)

[+] seemslegit|5 years ago|reply
Telegram is not a secure chat app any more than Skype or FB Messenger are; there is some per-conversation opt-in 'secure chat' feature with unknown guarantees that is not even available on the desktop client.
[+] FunnyLookinHat|5 years ago|reply
The big feature for me is easy and secure backup of things like dotfiles (and it not being secured ONLY by a password). I may just combine gpg and a private S3 bucket now along with some simple bash tooling.
[+] mk4p|5 years ago|reply
Exactly how I'd been using it - keeping my dotfiles in a git repo that's not at GitHub.
[+] CalmStorm|5 years ago|reply
I have been working on this decentralized key-value database: https://github.com/kevacoin-project/kevacoin Together with W3C's draft Decentralized Identifiers (DID: https://www.w3.org/TR/did-core/), it could provide a decentralized alternative.

Not sure what is the best way to verify Twitter/Github account though. This has to be managed by users themselves. E.g. one user posts a proof in the Twitter account, the other user verifies the proof by checking the proof against the public key posted in the database.