PGP public key exchanging process is susceptible to MitM. Although built-in features exist to verify the authenticity of keys, but usability of PGP has always been a pain. Keybase offers a solution by providing key validation over social network profiles.
8. “[…] the researchers got
ten pairs of participants
to try to install and use
Mailvelope.
One pair managed to get as far as trying to share
their public keys, but didn't really know what to do
with them.”
http://www.theregister.co.uk/2015/11/02/email_crypto_is_as_usable_as_it_ever_was_say_boffins/
9. […] Zimmermann said he couldn’t decrypt
the [PGP encrypted] original message
because he didn’t “have a version of PGP
that runs on any of my devices.”
http://motherboard.vice.com/read/even-the-inventor-of-pgp-doesnt-use-pgp
Alice sends Bob her public key. Bob receives it and starts encrypting messages meant for Alice.
Alice sends her PGP key but Mallory intercepts it on the way to Bob. Mallory replaces the public key with his own and forwards it to Bob.
Bob thinks he has Alice’s key and encrypts messages meant for Alice with Mallory’s key. Mallory can decrypt the messages with his own private key.
Who may want to swap your keys:
Intelligence agencies targeting terrorists, whistleblowers, journalists, human rights activists, business competitors (USA, UK, North Korea, Saudi Arabia)
Cyber criminals => Scammers utilizing phishing techniques
Where the keys can be replaced:
Compromised Device (malware, backdoor)
Insecure networks: legal interception, public wifi
So how we can verify the partner’s PGP public key?
PGP keyservers (no GUI)
Key signing parties
Even the creator of PGP does not use PGP
Keybase attempts to solve the key exchange and verification problem
Does not solve all issues with PGP
Verifies identity through social media, provides assurance that a key belongs to someone
Keybase can be effective against cyber criminals and key swap over-the-wire
Intelligence agencies have a broad range of capabilities against you
When device is compromised, you are already lost