Jump to content

SKS Keyserver Network Under Attack


V.T. Eric Layton

Recommended Posts

V.T. Eric Layton

SKS Keyserver Network Under Attack

 

 

In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as "rjh" and "dkg"). This attack exploited a defect in the OpenPGP protocol itself in order to "poison" rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned.

 

Click the link above to read more of this interesting and VERY important statement.

  • Like 2
Link to comment
Share on other sites

securitybreach

It's a mess for sure:

 

At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately.

 

The github post put that part in bold under the Mitigations section.

  • Like 1
Link to comment
Share on other sites

V.T. Eric Layton

Fortunately for me, the vast majority of keys/certs that I store on my system are for online friends and other places. I'm fairly confident in their authenticity.

  • Like 1
Link to comment
Share on other sites

V.T. Eric Layton

And yes, I definitely agree with you that this is serious and also a d@mned shame that it was allowed to come to this. Sometimes, we don't realize it, but the Internet that we know and love today is a HUGE patchwork quilt of languages, apps, code, servers, operating systems, protocols, etc. When you sit a think about it a bit, you realized that it's fairly amazing that it works as well as it does.

  • Like 2
Link to comment
Share on other sites

securitybreach

And yes, I definitely agree with you that this is serious and also a d@mned shame that it was allowed to come to this. Sometimes, we don't realize it, but the Internet that we know and love today is a HUGE patchwork quilt of languages, apps, code, servers, operating systems, protocols, etc. When you sit a think about it a bit, you realized that it's fairly amazing that it works as well as it does.

 

Indeed :thumbsup:

  • Like 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...