Keybase's response to the developer's suggestion was that technical reasons obstructed isolation through iframes. Palant offers a recommendation for fixing this issue, and that is by using an iframe. Two scenarios that make the risk obvious are having the web browser or the social network's JavaScript code compromised. "Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption," Palant explains. "So the first consequence is: the Keybase message you enter on Facebook is by no means private." Third-party JavaScript can read your messages. And herein lies the issue signaled by Palant: messages are not encrypted until they reach the desktop app. Keybase injects its button into web pages, but it does not isolate itself from them. "When you compose your text and 'send' it, the extension passes it to your local copy of Keybase, which encrypts the message and sends it through Keybase chat," informs the FAQ section for the Keybase Chrome and Firefox extension. Clicking on the button opens a chat window where users can type their message. The extension adds a "Keybase Chat" button into profile pages for Facebook, Twitter, GitHub, Reddit, and Hacker News. Wladimir Palant, the maker of the popular AdBlock Plus content filtering tool, looked at how the web extension for Keybase works and noticed that the messages it sends are exposed to third-party JavaScript code. Keybase is a communication and collaboration application focused primarily on securing the traffic from source to destination through public-key cryptography. Keybase raised a $10.8 million financing round in 2015, led by Andreessen Horowitz. The browser extension for the Keybase app fails to keep the end-to-end encryption promise from its desktop variant. He was also able to avoid airports and planes and to stay at home, focused on the technical aspects of the tie-up, which is "where I prefer to work and what I prefer to think about," Krohn said.
Krohn said not having to fly across the country for a meeting allowed the deal to close about 25% faster. In a blog post on Monday, Yuan said that in his effort to meet the company's 90-day plan for improvements, "We are working hard, engaging top experts to help us, and not wasting any time." As for hashing out the acquisition, Yuan said it worked well over Zoom and that "I feel like this could be the standard," though he acknowledged that in this case they had "no choice." The announced deal comes after Zoom added more rudimentary security features, like defaulting to the waiting room option so the meeting host can control who joins, and forcing people who join manually to enter a password. The Keybase service will be part of Zoom's paid offering, not the free service. "Teaming up with Zoom really gives us an amazing opportunity to apply all our technology and all our expertise at a scale that's much larger." "These are subtle problems and we've been working on this problem for roughly five years, and nothing else," said Krohn. Yuan said after he talked with Krohn and dug into Keybase's software, he was convinced this was the right deal. In early April, Yuan hired former Facebook security chief Alex Stamos as a consultant to help the company beef up its efforts after apologizing to users for falling "short of the community's - and our own - privacy and security expectations." Within days, Stamos was on the phone with Keybase co-founder Max Krohn, and the teams started working toward a deal. Zoom has acknowledged that it was unprepared for the sudden spike in usage, which has surged thirtyfold since the end of December as millions of office workers were forced to comply with lockdown orders. Yuan has made security his primary focus over the past month, after Zoom was hammered by critics for allowing "zoombombings" from unwelcome guests, allegedly misleading investors about its level of encryption, and revelations that its app shares personal data with Facebook.
Yuan said it's critical that users know that the encryption key is not on Zoom's servers, so the company has no access to the contents of the call. That setting will prevent anyone from calling in by phone, which is one way people can access meetings, and will disable cloud-based recording of the chat. When Keybase is implemented, the Zoom user who schedules a meeting will be able to choose end-to-end encryption. Zoom CEO Eric Yuan told CNBC the company needed a solution for users who are demanding the highest level of privacy and certainty that uninvited participants have no access to their conversations. The acquisition of the 25-person start-up is the latest move in a 90-day plan that Zoom announced on April 1 to fix its security flaws.