V.T. Eric Layton

SKS Keyserver Network Under Attack


In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as "rjh" and "dkg"). This attack exploited a defect in the OpenPGP protocol itself in order to "poison" rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned.

Click the link above to read more of this interesting and VERY important statement.
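The statement quoted above describes the effect (a poisoned certificate breaks a vulnerable installation on import) but not the mechanism. The 2019 incident worked by attaching tens of thousands of third-party certification signatures to the targets' keys, so the cheapest defensive check before importing a key block fetched from a keyserver is to count the signature packets attached to each certificate. The script below is an added example written for this page, not code from the statement's authors or from this forum. It implements only the OpenPGP packet framing of RFC 4880 section 4.2; the alert threshold of 1000 signatures, the placeholder key bodies and the sample key block are all constructed for the demonstration.

```python
"""Pre-import audit of an OpenPGP key block: count signature packets per certificate.
Added example; packet framing follows RFC 4880 section 4.2, while key bodies,
the threshold and the sample data are constructed placeholders."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

SIGNATURE = 2          # packet tag: signature (self-sigs and third-party certifications)
PUBLIC_KEY = 6         # packet tag: primary public key, starts a new certificate
USER_ID = 13           # packet tag: user ID
MAX_SIGNATURES = 1000  # assumed alert threshold; a healthy key has far fewer


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for every packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {pos}")
        pos += 1
        if ctb & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[pos]
            if first < 192:                 # one-octet length
                length, pos = first, pos + 1
            elif first < 224:               # two-octet length
                length = ((first - 192) << 8) + data[pos + 1] + 192
                pos += 2
            elif first == 255:              # five-octet length
                length = int.from_bytes(data[pos + 1:pos + 5], "big")
                pos += 5
            else:                           # partial lengths: streamed data, never keys
                raise ValueError(f"partial body length at offset {pos}")
        else:                               # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError(f"indeterminate length at offset {pos}")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        pos += length
        yield tag, body


@dataclass
class CertStats:
    index: int            # position of the certificate within the key block
    signatures: int = 0   # number of signature packets attached to it
    body_bytes: int = 0   # total packet body size, a second flood indicator


def audit_key_block(data: bytes) -> List[CertStats]:
    """Group packets into certificates (each begins at a public-key packet) and count."""
    certs: List[CertStats] = []
    for tag, body in iter_packets(data):
        if tag == PUBLIC_KEY:
            certs.append(CertStats(index=len(certs)))
        if not certs:
            raise ValueError("key block does not begin with a public-key packet")
        certs[-1].body_bytes += len(body)
        if tag == SIGNATURE:
            certs[-1].signatures += 1
    return certs


def flagged(certs: List[CertStats], limit: int = MAX_SIGNATURES) -> List[int]:
    """Indices of certificates that should not be imported unfiltered."""
    return [c.index for c in certs if c.signatures > limit]


def encode_packet(tag: int, body: bytes) -> bytes:
    """Wrap a body in a new-format header; used here only to build constructed samples."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    return hdr + body


def build_sample_key_block(normal_sigs: int, flood_sigs: int) -> bytes:
    """Constructed key block: one ordinary certificate followed by a flooded one.
    Bodies are placeholder bytes, not real key material; only framing is inspected."""
    sig = encode_packet(SIGNATURE, b"\x04\x10" + b"\x00" * 70)
    healthy = (encode_packet(PUBLIC_KEY, b"\x04" + b"\x01" * 40)
               + encode_packet(USER_ID, b"Healthy Sample <healthy@example.invalid>")
               + sig * normal_sigs)
    flooded = (encode_packet(PUBLIC_KEY, b"\x04" + b"\x02" * 40)
               + encode_packet(USER_ID, b"Flooded Sample <flooded@example.invalid>")
               + sig * flood_sigs)
    return healthy + flooded


if __name__ == "__main__":
    block = build_sample_key_block(normal_sigs=3, flood_sigs=5000)
    for cert in audit_key_block(block):
        print(f"certificate {cert.index}: {cert.signatures} signatures, "
              f"{cert.body_bytes} body bytes")
    print("do not import unfiltered:", flagged(audit_key_block(block)))
```

Feed it the binary output of a keyserver fetch (dearmored; ASCII-armored blocks must be decoded first) and refuse to import anything it flags. It is a stand-alone pre-check rather than a substitute for an import filter: later GnuPG releases added import options that drop third-party certifications received from keyservers, which is the durable fix for the poisoning described in the statement.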

It's a mess for sure:

At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately.

The GitHub post put that part in bold under the Mitigations section.

Fortunately for me, the vast majority of keys/certs that I store on my system are for online friends and other places. I'm fairly confident in their authenticity.

And yes, I definitely agree with you that this is serious and also a d@mned shame that it was allowed to come to this. Sometimes, we don't realize it, but the Internet that we know and love today is a HUGE patchwork quilt of languages, apps, code, servers, operating systems, protocols, etc. When you sit and think about it a bit, you realize that it's fairly amazing that it works as well as it does.

And yes, I definitely agree with you that this is serious and also a d@mned shame that it was allowed to come to this. Sometimes, we don't realize it, but the Internet that we know and love today is a HUGE patchwork quilt of languages, apps, code, servers, operating systems, protocols, etc. When you sit and think about it a bit, you realize that it's fairly amazing that it works as well as it does.

Indeed :thumbsup:
