Mastodon and Keybase

https://keybase.io/blog/keybase-proofs-for-mastodon-and-everyone

mastodon + keybase = true love 4eva

April 15, 2019

Today we’re announcing that Keybase has a new, open proof protocol, and we’ve kicked it off with the Mastodon Fediverse. Already, 31 communities are live (mastodon.social, witches.live, aus.social, etc.), with many more in the coming days.

Previously, Keybase only supported the mega-behemoths: Twitter, Facebook, Reddit, Github, and HackerNews. This new protocol change isn’t just for Mastodon; we’re ripping Keybase wide open, so any community can cryptographically connect profiles to Keybase.

Everyone from a small phpBB forum to a big site such as Etsy, GitLab, or StackOverflow is welcome to do this easy integration.

First, what is Mastodon?

Mastodon is a microblogging social network. It’s like Twitter, except anyone can administer an “instance,” on a domain of their choice, letting in whatever members they want.

If you’re on an instance called cereal.eaters and I’m on an instance called milk-providers.org, we can follow each other and see each other’s “toots” across the network. Censorship rules are up to the instances. This is federation at its finest.

It’s pretty slick, and it honors the original spirit of the Internet.

Keybase Proofs

Keybase is a secure (as in cryptography) app for groups, communities, families, and friends. At its core is identity. Keybase is a catalog of connected identities and keys. For example, here’s my friend tammy :

tammy camp keybase

I know her as @tammycamp on Twitter, and Keybase teaches me she’s also u/hodl_strong on Reddit. Further, Keybase lets me have an encrypted chat with her, or add her to a group I’m building. I can feel safe I’m talking to the right person.

My Keybase app actually checks that she posted a signed tweet on Twitter.

An example of our old way of doing things

Let’s walk through one. In our scenario, Keybase user haraldbluetooth wants to prove he is @toothyharald on Twitter.

After typing his Twitter handle into the Keybase app, Harald goes through these screens:

proof flow

Problems with the old way

Pretty quick and easy, right?

Still, we think this flow is choppy. Harald’s Keybase app can tell him exactly what to tweet, but once he’s in Twitter, Keybase is just sitting around, hoping he didn’t change anything before posting.

Problems:

  • posting is brittle; Twitter may not link to a screen with the tweet pre-filled. Also Harald may edit the tweet and mess it up. Twitter will still let him post it, but it will be nonsense.
  • people can post false claims on Twitter; Keybase wouldn’t understand or honor them, but a tweet that’s a lie might confuse Twitter users.
  • every site is different; Keybase needs to understand how to look up tweets, parse them, confirm the author, distinguish usernames, etc. It would be easier if Twitter could tell Keybase apps how it works and how to look up a proof.
  • the tweets flow into history; how can someone start on Harald’s Twitter profile and know his Keybase username?

Our new protocol

Mastodon has done all this right, starting in Mastodon version 2.8. And now anyone else can, too.

Here’s what the proof flow looks like for Mastodon. When haraldbluetooth claims in Keybase that he’s allmyteeth on mastodon.social, he lands on a mastodon.social page:

proof flow

Further, His mastodon.social page shows this special row:

This, unlike a Tweet or Toot that could say anything, only shows up on his Mastodon page if it’s legit.

FINAL RESULT: if you know Harald on Mastodon, you can end up with his keys! Or if you know him on Keybase or elsewhere, Keybase teaches you about his Mastodon identity. All cryptographically verifiable.

For programmers…a neat bonus

You can send encrypted messages from the command line, using these proofs.


keybase chat send haraldbluetooth "Ensam är stark!"
keybase chat send allmyteeth@mastodon.social "Ensam är stark!"

Or, using the Keybase chat API

echo '{"method": "send", "params": {"options": {"channel": {"name": "allmyteeth@mastodon.social"}, "message": {"body": "Ensam är stark!"}}}}' | keybase chat api

Your Keybase app will verify all the crypto, and the chat will appear:

viking tribute

What the Mastodon project had to do

It wasn’t a large project. They had to create or update a couple JSON endpoints, a config file, and an extra screen to handle this proof connection. Any site can do it.

Keybase profiles – in both the app and website – now link to Mastodon.

That’s it. If your team builds a site or app with members, go for it. If you use an app or website you’d like to see connected to Keybase, you can send them this page.

Having fun!

💖 Keybase


FAQ

I’m on a team that’s interested. How do we get our project connected to Keybase?

Here’s our integration guide. It’s still a bit rough around the edges, but it should only take a day or two of programming to get your side done.

I run an Mastodon instance. Am I already added?

Perhaps. If not, reach out to xgess.

I REALLY want the admins of Site X to integrate with Keybase.

Get ON them!

What are your hopes and dreams?

We would love to connect Keybase to any forum and messageboard software, GitLab, NPM, Ruby Gems, other code publishers, and even LinkedIn.

Over the years, people have asked us for various integrations in this ticket. If you know anyone on any of those teams, it’s now in their hands…we’ll be standing by to help out.

I think you should do this slightly differently.

Please let us know. We can expand and improve this.

Why Mastodon first?

Because our users requested it in force. And because we feel like there are shared values here. And because they were willing, helpful partners (thanks @gargron).

Like a Mastodon instance, we reserve the right to work with whichever partners we prefer. We specifically will avoid at least these sites:

  • sites which encourage or are known for illegal activity
  • sites which primarily link to advertisements
  • sites which feel tiny and spammy. We don’t want 10,000 partners with 5 members each; if you run, say, a family or apartment website, you don’t need to do this integration. Just prove ownership of the domain in the old Keybase way, putting your family’s proofs in yoursite.com/keybase.txt

What’s next?

We’re toying with an idea of auto-creating teams based on these integrations. If you run sitex.org, then your connected users could also automatically end up in teamx on Keybase, in channels of your choice, for encrypted chat and file sharing. If you run a larger community or site and are interested in talking about this feature, reach out to chris on Keybase. We could prioritize it.

What else?

Some big visual design changes in ~2 weeks.

DOWNLOAD KEYBASE ALREADY!

Leave a Reply

Your email address will not be published. Required fields are marked *

Next Post

Breach at IT Outsourcing Giant Wipro

Mon Apr 15 , 2019
https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/

You May Like