OpenPGP keyservers under attack

by Volker Weber

In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as "rjh" and "dkg"). This attack exploited a defect in the OpenPGP protocol itself in order to "poison" rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned.

This attack cannot be mitigated by the SKS keyserver network in any reasonable time period. It is unlikely to be mitigated by the OpenPGP Working Group in any reasonable time period. Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network.

There is a personal message in there for the person who did this. Go read the whole thing.

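What "poisoning" means in practice is that a certificate on the keyserver network has been flooded with an enormous number of third-party certification signatures, and importing it makes the OpenPGP software choke on them. The following is an added example (my code, not from this post or from the gist it quotes): a small Python parser for the binary OpenPGP packet framing of RFC 4880 that walks a key block, counts per user ID how many certifications come from the key itself versus from other keys, and rebuilds the block with only the key's own signatures, which is what the `self-sigs-only` import option in later GnuPG releases does. The key, user ID and signatures are constructed dummies (the signature packets carry an issuer subpacket but no real cryptography); a real key would be fed in as the binary output of `gpg --export`.

```python
import hashlib

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}   # user-ID certification sig types
SUBPACKET_ISSUER = 16

def read_length(buf, i, subpacket=False):
    """New-style length (RFC 4880 4.2.2 / 5.2.3.1) -> (length, next offset)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < (255 if subpacket else 224):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not used in key material")

def encode_packet(tag, body):
    """Frame a body with a new-format header (1-, 2- or 5-octet length)."""
    n = len(body)
    length = (bytes([n]) if n < 192 else
              bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF]) if n < 8384 else
              b"\xff" + n.to_bytes(4, "big"))
    return bytes([0xC0 | tag]) + length + body

def parse_packets(blob):
    """Split a key block into (tag, body) pairs; old- and new-format headers."""
    i, packets = 0, []
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag at offset %d" % i)
        if ctb & 0x40:                                     # new format
            tag, (n, i) = ctb & 0x3F, read_length(blob, i + 1)
        else:                                              # old format; type 3 unsupported
            tag, width = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]
            n, i = int.from_bytes(blob[i + 1:i + 1 + width], "big"), i + 1 + width
        packets.append((tag, blob[i:i + n]))
        i += n
    return packets

def v4_key_id(key_body):
    """Key ID = low 64 bits of the v4 fingerprint SHA-1(0x99 || len || body)."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).digest()[-8:]

def signature_info(sig):
    """(signature type, issuer key ID) from a v4 signature packet body."""
    assert sig[0] == 4, "only v4 signatures are handled"
    issuer, pos = None, 4                    # skip version, type, pk alg, hash alg
    for _ in range(2):                       # hashed, then unhashed subpacket area
        end = pos + 2 + int.from_bytes(sig[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            n, pos = read_length(sig, pos, subpacket=True)
            if sig[pos] & 0x7F == SUBPACKET_ISSUER:
                issuer = sig[pos + 1:pos + n]     # n includes the type octet
            pos += n
    return sig[1], issuer

def certificate_stats(blob):
    """Per user ID: certifications that are self-signatures vs third-party."""
    packets = parse_packets(blob)
    assert packets and packets[0][0] == TAG_PUBLIC_KEY, "key block must start with a public key"
    own, stats, uid = v4_key_id(packets[0][1]), {}, None
    for tag, body in packets[1:]:
        if tag == TAG_USER_ID:
            uid = body.decode("utf-8", "replace")
            stats[uid] = {"self": 0, "third_party": 0}
        elif tag == TAG_SIGNATURE and uid is not None:
            sig_type, issuer = signature_info(body)
            if sig_type in CERTIFICATION_TYPES:
                stats[uid]["self" if issuer == own else "third_party"] += 1
    return stats

def strip_third_party_sigs(blob):
    """Keep only signatures issued by the key itself (what self-sigs-only does on import)."""
    packets = parse_packets(blob)
    own = v4_key_id(packets[0][1])
    def keep(tag, body):
        return tag != TAG_SIGNATURE or signature_info(body)[1] == own
    return b"".join(encode_packet(t, b) for t, b in packets if keep(t, b))

# Constructed sample data: a dummy v4 RSA key body (time, alg, MPI n, MPI e).
KEY_BODY = b"\x04" + (1561939200).to_bytes(4, "big") + b"\x01\x00\x10\xc0\x01\x00\x11\x01\x00\x01"

def make_certification(sig_type, issuer_id):
    """Synthetic v4 certification: issuer subpacket unhashed, dummy hash prefix and MPI."""
    unhashed = bytes([9, SUBPACKET_ISSUER]) + issuer_id   # 9 = type octet + 8 bytes
    body = (bytes([4, sig_type, 1, 8]) + b"\x00\x00"      # RSA/SHA-256, no hashed area
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\xab\xcd\x00\x08\x80")
    return encode_packet(TAG_SIGNATURE, body)

def build_certificate(uid, n_third_party):
    """Key (old-format header 0x99) + UID + self-sig + n certifications from made-up keys."""
    out = b"\x99" + len(KEY_BODY).to_bytes(2, "big") + KEY_BODY
    out += encode_packet(TAG_USER_ID, uid.encode()) + make_certification(0x13, v4_key_id(KEY_BODY))
    for i in range(n_third_party):
        out += make_certification(0x10, hashlib.sha1(b"stranger-%d" % i).digest()[-8:])
    return out
```

`certificate_stats(build_certificate("alice <alice@example.org>", 5000))` reports one self-signature and 5000 third-party certifications on the user ID; a threshold on the third-party count is the check to run before handing a key block fetched from a keyserver to `gpg --import`, and `strip_third_party_sigs` is the repair. The parser deliberately rejects partial body lengths and indeterminate old-format lengths, which do not occur in exported key material, so unexpected input fails loudly instead of being mis-parsed.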

Comments

All true, but read what @FiloSottile has to say about this. The OpenPGP keyserver network was a good idea in its time, just like open SMTP relays were in the ’80s.

Running cryptographic infrastructure that can trivially be damaged beyond repair by bad actors, in today’s environment, is about as reasonable as running an open SMTP relay because it’s convenient.

Chris Ferebee, 2019-07-01

If you ever encounter a PGP key that claims to be mine, don't trust it.

Volker Weber, 2019-07-01


