Cyph - A potential Keybase alternative

[Deozaan]

In response to the news that Keybase was acquired by Zoom, I got an unsolicited email from a Keybase competitor called Cyph which I'd never heard of before. It seems they're looking through public PGP keys on Keybase and sending emails to the associated email address letting people know that they're somewhat of an alternative to Keybase.

The unsolicited nature of the communication is a little off-putting, but they say they haven't added me to any mailing list and will not contact me again if I ignore their email. But I figured I'd at least check out their blog post they linked to in the email and see what they were all about.

Here's a quote of and link to the blog post, which seems to contain most of the same information in the email I received, plus a little more:

One of our major competitors, Keybase, was acquired by Zoom last month.

Many Keybase users are now looking for alternatives as a result, primarily due to a lack of trust in the new ownership to maintain high privacy standards, as well as speculation that the service is now doomed to ultimately be shut down. However, no single solution has so far stood out from the crowd; instead, users are faced with the prospect of setting up a hodgepodge of independent solutions.

Keybase is great, but a full alternative is clearly needed. That’s why we’ve spent the past month building new features to make Cyph more of a direct replacement.

Cyph’s features and general architecture are similar in many ways to Keybase, plus/minus a few features:

• On the plus side, our features include voice/video calling (with group support), Bitcoin, and social networking (like Twitter, but all posts are signed + optionally encrypted for a subset of your contacts).
• On the minus side, Keybase offers some awesome niche features (like encrypted git repos) that we currently do not.
• And now, with our latest release, we’ve built out a set of PGP key management and utility features to make Cyph more immediately useful for users coming from Keybase.

Additionally, the architecture of Cyph yields some significant broader advantages:

• Full web support
• Whereas Keybase splits up its features between the web UI, the CLI, GPG, and the native apps, thanks to WebSign Cyph is able to provide a consistent experience across all platforms. The full functionality is available regardless of whether you use https://cyph.app or the desktop and mobile apps, with no need to worry about degraded security on the web.
• Automatic strong public key authentication for all users
• No need to verify keys or usernames out of band, meet up in person to compare fingerprints or “Safety Numbers”, etc.
• Quantum-resistant cryptography
• Post-quantum encryption, key exchange, and signing algorithms are used throughout the application (in combination with classical crypto such as elliptic curves). Whereas others are still planning long-term migrations to post-quantum crypto, Cyph was built with it in mind from the start, meaning that your private data is theoretically protected from future QC attacks today.

We encourage you to submit a response to our poll to vote on the missing features you’d like us to add. And if you’re a Keybase user, just include your username and email address to skip the line and get a free invite to the Cyph beta!

-https://www.cyph.com/blog/cyph-pgp

I also noticed that they're offering a "special offer for Keybase users: $100 Lifetime Platinum upgrade! (Usually $48/mo.) Adds 1 TB storage, BTC wallet, and more."

I'm not necessarily recommending Cyph since I have no real experience with them, but I it's worth looking into and I will be creating an account to see for myself how it works.

[Deozaan]

I just discovered they also have an encrypted "burner" chat. No account required and it allows you to send messages, files*, or even have video/voice chat. Kinda cool.

Just go to https://cyph.im/ to get a link and share the link with whomever you want to chat with. Then, when your chat partner loads the link, it will start an encrypted session and you're good to go. But it doesn't appear to support chats with more than 2 people.



*up to 512 MB on desktop, 20 MB on mobile

[wraith808]

It's still not open source, so vulnerable to the same fate.  I use encrypted git repos, and the fact that they refer to them as niche, means that they aren't likely to support them in the future.  I'm still taking a wait and see approach.

[Dormouse]

the fact that they refer to them as niche, means that they aren't likely to support them in the future. 

-wraith808 (July 23, 2020, 08:17 AM)

Marketing speak. Major new feature if they add it.

But don't they claim to be open source?

Cyph is an open source cryptographically secure messaging and social networking service

[Deozaan]

Cyph’s source code is 100% public. Our openly accessible GitHub repository includes all client and server code, with the layer that handles releasing Cyph as a native app available here.

[...]

Portions of Cyph are fully open source under permissive licenses such as BSD and MIT. That being said, the full Cyph application doesn’t comply with the OSI’s Open Source Definition. In addition to the patents, our source code is licensed under Ms-RSL, which is effectively a read-only license; this means that third parties can’t fork and modify our code or deploy their own instances of Cyph without our permission. We believe that this is a fair compromise to allow us to develop Cyph as a commercially viable startup without ignoring a necessary aspect of its security.

-https://www.cyph.com/blog/open-source

[wraith808]

I stand corrected.

[40hz]

Just out of curiosity...how do they know for sure it'll be immune from cracking by the emerging quantum computing technology? Last I heard, even the mathematicians and cryptography experts (who actually have the requisite credentials and backgrounds to express such an opinion) have been extremely reluctant to say that about any existing or theoretical encryption method that's public information.

Consensus seems to be that once we start seeing more quantum cores out there, the more the concept of encryption will become a thing of the past.

[Deozaan]

I know very little about the subject, but I've seen the term "quantum resistant" used sometimes when describing various cryptography algorithms. There's got to be something that can be done to prevent quantum computing from easily cracking certain forms of cryptography. Otherwise the entire cryptocurrency world will be going bottoms-up fast!

[wraith808]

Did you sign up Deo?  What do you think this far in?

[Deozaan]

Just out of curiosity...how do they know for sure it'll be immune from cracking by the emerging quantum computing technology? Last I heard, even the mathematicians and cryptography experts (who actually have the requisite credentials and backgrounds to express such an opinion) have been extremely reluctant to say that about any existing or theoretical encryption method that's public information.

Consensus seems to be that once we start seeing more quantum cores out there, the more the concept of encryption will become a thing of the past.

-40hz (September 29, 2020, 09:57 PM)

I just checked out their homepage and they've got a link about how they use quantum resistant cryptography. They explicitly say they don't claim to be quantum-proof. Here's their explanation:

https://www.cyph.com...g/quantum-resistance

Did you sign up Deo?  What do you think this far in?

-wraith808 (September 30, 2020, 07:55 AM)

I signed up and played around with it for a little while before realizing that it doesn't have (m)any of the features I use Keybase for, such as identification verification and key management. The file storage is only 512MB, which, to be fair, is more than I'm really using even on Keybase (I think I threw a few large (multi-GB) files on Keybase as backups, but haven't touched them in years and they're probably outdated to the point of uselessness now), but Keybase seems to be more user-friendly in how you can access those files, such as mounting a virtual/network drive. And the other features Cyph has are social features, and I don't know anyone else who uses Cyph so it's not like I can test them.

To be fair to Cyph, Keybase is also fairly niche and I don't really use it that often, either. But Keybase feels a lot more mature as far as development, features, and user-friendliness go, and seems more immediately useful to me than what Cyph has to offer.

Keybase is something that I really like the idea of, but have found little practical use for in the real world. Even so, I'm still using it (occasionally) years later and (re)installing it on new devices or after an OS wipe on my PC. Cyph is something I looked into and played with for an hour or two and then promptly forgot about.

Also, I'm pretty sure I signed up for the Cyph waiting list because the email invite I got to my Keybase account was to a secondary account I don't use very often, and I wanted to sign up with my primary account. But I've never heard back about that, so I guess I'm still in waiting list limbo or something.