V.T. Eric Layton, posted June 29, 2019

SKS Keyserver Network Under Attack

> In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as "rjh" and "dkg"). This attack exploited a defect in the OpenPGP protocol itself in order to "poison" rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network.
>
> There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned.

Click the link above to read more of this interesting and VERY important statement.
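A defender-side sanity check for the import problem the statement describes, added here as an example that is not from the gist, the forum post, or GnuPG: it walks a binary OpenPGP packet stream (the format `gpg --export` produces), counts the signature packets attached to each User ID, and flags a certificate whose User IDs carry an implausible number of certifications. Packet tags and header encodings follow RFC 4880; the 1000-signature threshold and the sample key are assumptions constructed for the demonstration.

```python
"""Flag OpenPGP certificates carrying an abnormal number of attached
signatures (the 'certificate spamming' pattern) before importing them."""
import io

SIG, PUBKEY, USERID, PUBSUBKEY, USER_ATTR = 2, 6, 13, 14, 17   # RFC 4880 tags

def iter_packets(data: bytes):
    """Yield (tag, body) from a binary OpenPGP packet stream (RFC 4880 s4.2)."""
    buf = io.BytesIO(data)
    while (hdr := buf.read(1)):
        h = hdr[0]
        if not h & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if h & 0x40:                              # new-format header
            tag, first = h & 0x3F, buf.read(1)[0]
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + buf.read(1)[0] + 192
            elif first == 255:
                length = int.from_bytes(buf.read(4), "big")
            else:
                raise ValueError("partial-body lengths not supported")
        else:                                     # old-format header
            tag, ltype = (h >> 2) & 0x0F, h & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(buf.read(1 << ltype), "big")
        body = buf.read(length)
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body

def signature_counts(data: bytes) -> dict:
    """Count signature packets following each User ID (direct-key and subkey
    signatures are attributed to no UID and ignored)."""
    counts, current = {}, None
    for tag, body in iter_packets(data):
        if tag == USERID:
            current = body.decode("utf-8", "replace")
            counts.setdefault(current, 0)
        elif tag in (PUBSUBKEY, USER_ATTR):
            current = None
        elif tag == SIG and current is not None:
            counts[current] += 1
    return counts

def is_poisoned(data: bytes, max_sigs_per_uid: int = 1000) -> bool:
    """Assumed threshold: a UID with more signatures than this is suspect."""
    return any(n > max_sigs_per_uid for n in signature_counts(data).values())

def _pkt(tag: int, body: bytes) -> bytes:
    """Old-format packet with a one-octet length (constructed test data only)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample: one UID carrying 5000 dummy (content-free) signature packets
SAMPLE = (_pkt(PUBKEY, b"\x04" + b"\0" * 10)
          + _pkt(USERID, b"Alice <alice@example.org>")
          + _pkt(SIG, b"\x04\x13") * 5000)
```

Run it over a key fetched from a keyserver before passing the file to `gpg --import`; a real poisoned certificate carries tens of thousands of signatures, so the count is unambiguous.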
securitybreach, posted June 29, 2019

It's a mess for sure:

> At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately.

The GitHub post put that part in bold under the Mitigations section.
V.T. Eric Layton (author), posted June 30, 2019

Fortunately for me, the vast majority of keys/certs that I store on my system are for online friends and other places. I'm fairly confident in their authenticity.
V.T. Eric Layton (author), posted June 30, 2019

And yes, I definitely agree with you that this is serious and also a d@mned shame that it was allowed to come to this. Sometimes we don't realize it, but the Internet that we know and love today is a HUGE patchwork quilt of languages, apps, code, servers, operating systems, protocols, etc. When you sit and think about it a bit, you realize that it's fairly amazing that it works as well as it does.
securitybreach, posted June 30, 2019

> And yes, I definitely agree with you that this is serious and also a d@mned shame that it was allowed to come to this. Sometimes we don't realize it, but the Internet that we know and love today is a HUGE patchwork quilt of languages, apps, code, servers, operating systems, protocols, etc. When you sit and think about it a bit, you realize that it's fairly amazing that it works as well as it does.

Indeed