Keybase Git gets keys, basically: Secure chat app encrypts your repos

Security blanket for the paranoid among us (OK, all of us reading this)


Keybase.io, which began as a cloud key database and has since evolved into a secure messaging and collaboration service, on Wednesday added support for encrypted Git repositories.

Git, the version control system widely used for managing source code, does not encrypt the files it stores: anyone who can read a repository can read its contents.

It can, however, be used over an encrypted transport (HTTPS or SSH), and every object it stores is identified by a cryptographic hash, so a commit's ID chains to the exact tree, files and history it refers to, and any change to stored content changes the IDs that reference it.

At the same time, Git's reliance on the SHA-1 hash function means this integrity check is weaker than it should be. Crypto researchers earlier this year demonstrated a practical SHA-1 collision: two different files with the same SHA-1 digest. Because Git checks content by hash alone, an object swapped for a colliding one would carry the same ID and pass as unmodified, so it is at least theoretically possible for a public Git repo to be altered covertly without authorization.
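As an added example, not code from Keybase or from the article, the integrity check described above in Python: it recomputes Git's object IDs from content (the blob helper matches `git hash-object`), shows that an edited file changes the commit ID, and shows that a hash-only check has no way to tell a colliding object from the original. The file names, contents and author string are constructed sample data; the `algo` parameter is an addition so the same objects can be viewed under a longer hash.

```python
import hashlib

# Added example (not Keybase's code, not from the article): how Git derives
# object IDs, and why a hash collision would slip past the integrity check.


def git_object_id(obj_type: str, payload: bytes, algo: str = "sha1") -> str:
    """Git object ID = hash("<type> <size>\\0" + payload).

    Git uses SHA-1 today; any hashlib name (e.g. "sha256", "sha3_256")
    can be passed to see what the same object would be called under a
    stronger hash.
    """
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.new(algo, header + payload).hexdigest()


def blob_id(content: bytes, algo: str = "sha1") -> str:
    """ID of a file's contents (matches `git hash-object`)."""
    return git_object_id("blob", content, algo)


def tree_id(entries, algo: str = "sha1") -> str:
    """ID of a directory listing. entries: (mode, name, hex_oid) tuples.
    Git stores entries sorted by name, treating directories as name + '/'."""
    def sort_key(entry):
        mode, name, _ = entry
        return name + "/" if mode == "40000" else name
    body = b"".join(
        f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=sort_key)
    )
    return git_object_id("tree", body, algo)


def commit_id(tree: str, parents, author: str, committer: str,
              message: str, algo: str = "sha1") -> str:
    """ID of a commit: binds the tree, the parent commit(s) and the metadata.
    This is the object a commit signature is computed over."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return git_object_id("commit", "\n".join(lines).encode(), algo)


def snapshot_commit(files: dict, parents=(), algo: str = "sha1") -> str:
    """Hash a flat directory of {name: bytes} down to a commit ID.
    The author/committer identity below is constructed sample metadata."""
    entries = [("100644", name, blob_id(data, algo)) for name, data in files.items()]
    ident = "Alice <alice@example.com> 1507000000 +0000"  # constructed
    return commit_id(tree_id(entries, algo), parents, ident, ident,
                     "add config\n", algo)


def integrity_check(expected_commit: str, files: dict, parents=()) -> bool:
    """What a hash-only verifier can do: recompute the chain and compare.
    Passes for the original files, fails for edited ones, and would still
    pass for a colliding blob, since only the digest is compared."""
    return snapshot_commit(files, parents) == expected_commit


# Constructed sample repository content (not from any real project).
ORIGINAL = {"README": b"hello\n", "config.ini": b"debug = false\n"}
TAMPERED = {"README": b"hello\n", "config.ini": b"debug = true\n"}

if __name__ == "__main__":
    head = snapshot_commit(ORIGINAL)
    print("commit", head)
    print("original verifies:", integrity_check(head, ORIGINAL))
    print("tampered verifies:", integrity_check(head, TAMPERED))
    print("same tree under sha256:", snapshot_commit(ORIGINAL, algo="sha256"))
```

Two caveats worth keeping in mind when reading the output. First, a signed commit signs the commit object, which names its tree only by hash; the signature therefore vouches for the chain of IDs, not for the bytes behind them, so a substituted colliding object would still verify. Second, Git 2.13 and later build with a collision-detecting SHA-1 implementation that rejects objects carrying the pattern used in the published collision, which blunts that specific attack without changing the hash.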

Linus Torvalds, who created Git, has dismissed concerns, even as he has suggested Git will eventually move to a stronger hash algorithm like SHA3-256.

Users of local Git repos and of cloud-based Git services, like Bitbucket, GitLab, or GitHub, can rely on password- or SSH-key authentication to keep private repos from view. But that is access control enforced by the host, which still stores and can read the plaintext; it is not as strong as encrypting every file so that only the key holders can read them.

There are open source tools that encrypt files within Git repos, such as git-crypt, which transparently encrypts selected files on commit and decrypts them on checkout. Keybase's approach, however, appears to be a bit simpler to manage.

"The real problem with Git integrity is that people aren’t signing their commits," said Chris Coyne, co-founder of Keybase.io, in an email to The Register. "There's a chicken-and-egg problem: No one is signing, and no one is verifying. For important public repositories, everything should be signed. Everything should be verified."

The Keybase app now includes a "Git" tab for creating encrypted Git repositories, and every push to one gets cryptographically signed.

"We don't really think of Keybase Git as a replacement for public projects," said Coyne. "Keybase's Git is for private repositories. Any kind of data that you would never want leaked. If you use Keybase Git, you'll never accidentally push a secret to the cloud. And it's signed, too, in a way that bypasses the chicken and egg problem. If you're using Keybase Git, the crypto is fully enforced." ®


Biting the hand that feeds IT © 1998–2022