figbert.com-gemini

2020-07-03-how-to-replace-keybase-in-three-easy-steps.gmi (6817B)

---

 # How to Replace Keybase in 3 Easy Steps
 
 Ever since Keybase was acquired by Zoom, a company with a very bad history with security/privacy, people wanted an alternative. There have been a few different alternatives proposed: this is (the best) mine.
 
 First, a catalog of very bad links from Keybase's new owners:
 
 => https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 An 0day in the macOS client!
 => https://theintercept.com/2020/03/31/zoom-meeting-encryption/ Saying they use e2e when they don't!
 => https://twitter.com/c1truz_/status/1244737672930824193 Using installing tricks from your local malware dealers!
 => https://protonmail.com/blog/zoom-privacy-issues/ Protonmail has arrived to shit on them too!
 => https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html Shutting down people who talk about Tianamen Square!
 => https://twitter.com/nicoagrant/status/1268020841054269440 Not encrypting free calls so they can snitch to the cops!
 => https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/ Rolling their own crypto!
 => https://twitter.com/DanAmodio/status/1245329512889487361 Remember the installer from earlier? Now it has ACE!
 => https://twitter.com/Ouren/status/1241398181205889024 Monitoring all the apps you have open!
 
 ## What is Keybase?
 
 Before we talk about replacing Keybase, we should have a good idea of what Keybase actually is. It's main features are as follows (ordered as on the website):
 
 => https://keybase.io/ Keybase
 
 * E2EE chats and messaging (people and teams).
 * Cryptographic identity verification from around the net.
 * KBFS (Public signed file hosting, private E2EE file storage w/ sharing, Static site hosting??)
 * Git repositories? Crypto? An alternative to PGP called saltpack?
 
 ## Previous Attempts to Replace Keybase
 
 I'm not the first person to try this, obviously. Some brave folks have tried to build Keybase alternatives, such as keys.pub and the brand-new Keyoxide. I've tried both, but found that though they both are good in their own right, they are not the solutions that I am looking for.
 
 => https://keys.pub/ keys.pub
 => https://keyoxide.org/ Keyoxide
 
 ## OK Time for the Steps
 
 ### Step #1: Chat/Messaging
 
 There are a few great pre-existing options for encrypted messaging: Signal, ProtonMail if you want to go full email, Telegram, and WhatsApp. However, they all have their problems (though I use the first two on a daily basis). Signal requires a phone number, and is more of an iMessage/text replacement than a Slack-style chat app. Protonmail is literally not chat – it's email. Telegram is (debatably) not secure. If you use WhatsApp for security you might be crazy – I only use it because it's *the way* to communicate with people in the Middle East and Africa.
 
 Instead, I would recommend you use Matrix. Matrix is an "open network for secure, decentralized communication," and it's the perfect replacement for Keybase's chat. It utilizes E2E encrypted messaging, and can be self-hosted as well.
 
 => https://matrix.org/ Matrix
 
 In addition to a Matrix server, you also need a client. For this, I recommend Element – though Nio, once stable, will almost surely be my go-to. Element is a beautiful Matrix client with a bunch of awesome features, including Slack-like integrations, and apps for pretty much every major platform (Linux, MacOS, Windows, iOS, Android, and a web client). Plus it looks a lot like Discord.
 
 => https://element.io Element
 => https://nio.chat Nio
 
 ### Step #2: Identity verification
 
 Replacing Keybase's original function is probably the most difficult part of this tutorial: cryptographically verified identity proofs is a great and innovative idea. I would swap this out with an IndieWeb profile – one part of the larger microformats HTML structure. There are some pretty great tutorials out there, so I won't go into too much detail about exactly how to do that. However, it's important to note that though some tutorials recommend hiding your h-card with the display: none; property: don't do that. It's a documented anti-pattern. I just merged my about and contact pages onto my homepage, and added the microformats classes to my existing markup.
 
 => https://indieweb.org/ The IndieWeb homepage
 => http://microformats.org/ microformats homepage
 => https://kevq.uk/how-to-create-an-indieweb-profile/ An Indieweb profile tutorial by Kev Quirk
 => https://randomgeekery.org/post/2020/04/indieweb-h-cards/ Another Indieweb tutorial by Brian Wisti
 => https://indieweb.org/antipatterns#invisible_metadata Invisible metadata antipattern
 
 
 ### Step #3: File Storage
 
 Replacing KBFS is easy to do, but hard to get right. Swapping to Google Drive is probably the move that most people would make, but that abandons the entire security/encryption aspect of Keybase. There's also Dropbox, but that has the same problems as above. ProtonDrive has potential, but it's not production ready. Enter Syncthing. Nikita Tonsky wrote one of my favorite posts of all time about Syncthing – go read it. One reason Syncthing is so great is that it's not the same thing as KBFS or any of the other "Drive" solutions. Instead of being a file hosting system, it's a "continuous file synchronization program" - aka p2p. You have no data limits other than your storage and no third-party to worry about. Plus, sharing folders is also incredibly easy. Just read the article.
 
 => https://syncthing.net/ Syncthing
 => https://tonsky.me/blog/syncthing/ Nikita Tonsky amazing article
 
 ### Bonus Step #4: Video Calling
 
 It would be a shame to talk about text chat, or really any form of communication, in this new pandemic age without talking about video chat. After all, the whole reason I'm writing this article is because the new videocalling giant Zoom. So, how have I replaced Zoom and how does that relate to replacing Keybase? Well, Matrix happens to have a fantastic Jitsi Meet integration. Plus, the folks over at Jitsi are working on E2E encryption for their calls. I've integrated Jitsi Meet into my self-hosted instance of Matrix, and now all my videocalls are just that – mine!
 
 ## Summary
 
 * Swapped chat to Matrix and Riot.
 * Swapped identity verification to Indieweb.
 * Swapped file storage/sync to Syncthing.
 * Added videocalling to chat program via Jitsi.
 
 ## Conclusion
 
 Keybase is a great service, and the people who work there should be really proud of what they've built. However, given Zoom's aquisition of the company, the stability and security of the product have been called into question. So, ever one to hop on a hype train, I jumped ship.