Linux User & Developer, Issue 149

This month’s Linux User & Developer features my usual four pages of news from the world of openness alongside a review of some interesting software I’ve been playing with: Keybase.

Created, oddly enough, by the co-founders of dating site OkCupid, Max Krohn and Chris Coyne, Keybase is technically little more than a wrapper around the open-source Pretty Good Privacy (PGP) implementation GNU Privacy Guard (GPG). Conceptually, however, it turns the entire PGP/GPG concept on its head, and in doing so aims to make it as easy as possible for less technical types to enjoy the benefits of strong cryptography.

A quick backgrounder: PGP/GPG use public-key cryptography, which is a highly secure method of sharing secrets. Rather than traditional encryption, which requires a secret known to both parties, public-key cryptography splits the secret in two: the public key is available to anyone, but can only be used for encryption; decryption requires the private key, kept secret. It can be best imagined as an extremely secure padlock: I can give you the padlock, but once you’ve snapped it shut only my key will open it again.

The trouble then comes from verifying that the public key you’ve encrypted to genuinely belongs to your intended recipient, and not to a third party trying to eavesdrop on your conversation. In the PGP/GPG world, this is assured by a ‘web of trust’ in which individuals physically meet and verify the identity of others, whose public keys are then cryptographically signed. Secure, but awkward.

Keybase’s solution: automated verification powered by social networking. ‘Proofs’ are posted to various social networks, currently ranging from Twitter and Reddit to Coinbase and even the DNS records of your personal website. These proofs are cryptographically signed with your private key. When someone wants to encrypt a message to you, they can verify these proofs through the Keybase website – or, for improved security, an open-source command-line application which wraps around GPG – to confirm that the key they are using belongs to the person in control of said accounts.
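A simplified model of the proof check described above, added here as an illustration; it is not Keybase's code or its proof format. It assumes Ed25519 keys from Go's standard library in place of PGP keys, and the statement wording, the `Post` type and the function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Post models what a verifier fetches from an account: statement plus signature.
type Post struct {
	Statement string
	Sig       []byte
}

// fingerprint is a constructed stand-in for a PGP key fingerprint.
func fingerprint(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// statement binds one account to one key. The wording is hypothetical.
func statement(service, user string, pub ed25519.PublicKey) string {
	return fmt.Sprintf("I am %s on %s and I hold key %s", user, service, fingerprint(pub))
}

// MakeProof is run by the key owner, who then posts the result to the account.
func MakeProof(priv ed25519.PrivateKey, service, user string) Post {
	s := statement(service, user, priv.Public().(ed25519.PublicKey))
	return Post{Statement: s, Sig: ed25519.Sign(priv, []byte(s))}
}

// VerifyProof is run by a sender; p must have been fetched from service/user.
func VerifyProof(pub ed25519.PublicKey, service, user string, p Post) error {
	if p.Statement != statement(service, user, pub) {
		return fmt.Errorf("statement does not name %s on %s with this key", user, service)
	}
	if !ed25519.Verify(pub, []byte(p.Statement), p.Sig) {
		return fmt.Errorf("signature was not made by this key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	good := MakeProof(priv, "twitter", "alice") // constructed sample account
	forged := Post{good.Statement, ed25519.Sign(otherPriv, []byte(good.Statement))}
	fmt.Println("genuine:", VerifyProof(pub, "twitter", "alice", good), "| copied to another account:", VerifyProof(pub, "twitter", "mallory", good), "| wrong signer:", VerifyProof(pub, "twitter", "alice", forged))
}
```

The verifier checks two things: that the statement names the account it was fetched from, and that the signature verifies under the key being trusted. A proof copied to a different account or signed by a different key fails one of the two.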

Coupled with a neat web interface which allows, among other features, non-members to quickly send encrypted messages to any Keybase member, it’s a great project. While it’s currently in beta, it shows considerable promise – and given the government du jour’s focus on eroding privacy, it’s something everyone should at least consider playing with.

To read the full review, plus my ever-enlightening four-page news spread and event calendar, head to your local newsagent or supermarket, or grab a digital copy via Zinio or similar distribution services.