Encryption Security IT

Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem (vice.com) 88

A new wave of spamming attacks on a core component of PGP's ecosystem (the SKS keyserver network) has highlighted a fundamental weakness in the whole ecosystem. From a report: Unknown attackers are spamming a core component of the ecosystem of the well-known encryption software PGP, breaking users' PGP installations and clients. What's worse, there may be no way to stop them. Last week, contributors to GnuPG, the most widely used implementation of the OpenPGP protocol, noticed that someone was "poisoning" or "flooding" their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impractical for the PGP software that people use to verify the certificate, which can make the software unusable or break it. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.
  • And? (Score:5, Interesting)

    by OverlordQ ( 264228 ) on Wednesday July 03, 2019 @05:51PM (#58869410) Journal

    “We've known for a decade this attack is possible. It's now here and it's devastating,”

    Then you should have done something.

  • by Anonymous Coward

    from the article and more interesting than the snippet:

    "written in an obscure language created for a PhD thesis, the underlying problem component (SKS) seemingly can't be fixed - no one in the PGP community has the knowledge to overhaul the codebase; the problem has been a long time coming"

    Anyone think the obscure software writer who won't update said software (nor teach anyone said obscure language) may just be the perpetrator?

    Sabotaging your own old junk as an exercise isn't unheard of.

    • by HiThere ( 15173 )

      No. My guess is that they wrote it a long time ago, and they haven't looked at it for decades. They may even be dead.

      • by Anonymous Coward

        Dude, it was the 1990s, not the 1890s.

        • by HiThere ( 15173 )

          A lot of people die over 20-30 years. I don't expect to be around 30 years from now, and I doubt I'll be coding 20 years from now, as I've already noticed my ability to concentrate declining.

  • As an alternative, use S/MIME with a private cert

  • Something is really wrong when OCaml is being referred to as "an obscure language".
    • Not really; it's mostly not used in business or anywhere else.

      • by Anonymous Coward

        Not really; it's mostly not used in business or anywhere else.

        Count your lucky stars, the component at fault could have been written in Cobol.

          • COBOL is still *hugely* used though, bad example. Your finances travel through COBOL code even if the front ends often make people think it's something else: bank money, accounting, insurance, medical records...

          • Not to mention that there are a ton of COBOL programmers and COBOL tutorials available so someone could learn the language in short order and update the software.
      • That's true for most languages save for just a few of them, though. Or maybe all of them, depending on the meaning of "mostly not used in".
        • Languages used by hundreds or thousands of companies to make wares certainly qualify as mainstream languages. Perl, COBOL, Java, Python, R, C++.....

          OCaml isn't one of those. In fact, the four examples on Wikipedia of companies that used it for notable things have 2 stale entries. It's an academic curiosity at this point in time, a mostly has-been dead language.

          As a contrast, Erlang is still used in telecom networks.

    • If you know it, you should get busy fixing this bug in this open source software.....
  • by rufey ( 683902 ) on Wednesday July 03, 2019 @05:56PM (#58869434)

    Link to the source post for the issue at hand: https://gist.github.com/rjhans... [github.com]

    A very salient part from the Vice article: "If you think this is bad, consider this: the SKS software was written in an obscure language by a PhD student for his thesis. And because of that", according to Hansen, “there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase.”

    The bottom line is this is taking advantage of a feature of OpenPGP - where you can have tens of thousands of people attach a signature to yours, to attest that your certificate is really yours. Problem is, once you get a large number of these attached, GnuPG will choke if it downloads one from a keyserver.

    And, as shown above, no one wants to fix the issue with the keyservers (put a limit on number of signatures that can be attached), so it must not be a very important issue to begin with (/sarc)

    • by Anonymous Coward

      Only transmit the initial key, let people handle the chain of trust key imports themselves.

      A secondary option, but it might require client changes as well: treat it like the blockchain and only download signatures x times or until you get one you can authenticate against. Really this sounds like somebody experimenting with the blockchain signing and then going 'hey I wonder if that works on keyservers too!' And as it turns out, it doesn't, because keyservers made assumptions about how popular a key could b
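
The flooding described in the story summary and in rufey's post above comes down to one fact: a keyserver appends any number of third-party certification packets to a key, and a client that imports the key tries to verify every one of them. The client-side mitigation GnuPG shipped shortly afterwards (2.2.17) was to ignore third-party certifications received from keyservers by default (the `self-sigs-only` keyserver/import option). The Python below is an added example, not code from GnuPG, SKS or anyone quoted on this page: it walks the RFC 4880 packet stream of a transferable public key, classifies each certification by its issuer key ID, and writes out a copy that keeps only the key's own packets and self-certifications. The sample key it builds is constructed (toy RSA parameters, dummy signature bodies, fabricated issuer IDs), and no signature is cryptographically verified; the point is the packet-level triage that lets a client refuse to even attempt 150,000 verifications.

```python
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, SUBPACKET_ISSUER = 2, 6, 13, 16
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}  # user-ID certification signature types

def _new_len(buf, i, subpacket=False):
    """Decode new-format length octets (RFC 4880 4.2.2, subpackets 5.2.3.1); returns (length, next)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")

def iter_packets(data):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                                     # new-format header
            tag, (length, i) = hdr & 0x3F, _new_len(data, i + 1)
        elif hdr & 0x80 and (hdr & 0x03) != 3:             # old-format, explicit length
            tag, nbytes = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 0x03]
            length, i = int.from_bytes(data[i + 1:i + 1 + nbytes], "big"), i + 1 + nbytes
        else:
            raise ValueError("bad or indeterminate packet header at offset %d" % i)
        yield tag, data[i:i + length]
        i += length

def iter_subpackets(area):
    i = 0
    while i < len(area):
        length, i = _new_len(area, i, subpacket=True)
        yield area[i] & 0x7F, area[i + 1:i + length]      # length counts the type octet
        i += length

def v4_key_id(key_body):
    """Low 64 bits of the V4 fingerprint SHA-1(0x99 || 2-octet length || key body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]

def sig_info(body):
    """Return (signature type, issuer key ID or None) for a V4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only V4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    issuer = None
    for area in (body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]):
        for sptype, spbody in iter_subpackets(area):
            if sptype == SUBPACKET_ISSUER and len(spbody) == 8:
                issuer = spbody
    return body[1], issuer

def encode_packet(tag, body):
    n = len(body)
    assert n < 8384, "new-format header here covers 1- and 2-octet lengths only"
    lenb = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + lenb + body

def strip_third_party_certs(data):
    """Drop certifications not issued by the primary key itself (GnuPG's self-sigs-only)."""
    out, primary_id = bytearray(), None
    stats = {"self": 0, "third_party": 0, "no_issuer": 0}
    for tag, body in iter_packets(data):
        keep = True
        if tag == TAG_PUBLIC_KEY:
            primary_id = v4_key_id(body)
        elif tag == TAG_SIGNATURE:
            sig_type, issuer = sig_info(body)
            if sig_type in CERTIFICATION_TYPES:
                bucket = ("no_issuer" if issuer is None else
                          "self" if issuer == primary_id else "third_party")
                stats[bucket] += 1
                keep = bucket == "self"   # unattributable certs are dropped as well
        if keep:
            out += encode_packet(tag, body)
    return bytes(out), stats

def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _cert_sig(sig_type, issuer_id, ts):
    hashed, unhashed = bytes([5, 2]) + struct.pack(">I", ts), bytes([9, SUBPACKET_ISSUER]) + issuer_id
    return (b"\x04" + bytes([sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + _mpi(0xDEADBEEF))

def build_sample_key(spam_count=50):
    """CONSTRUCTED sample: toy RSA key + user ID (old-format headers, as gpg writes
    them), one self-certification, then spam_count certifications from bogus issuers."""
    old = lambda tag, body: bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    key = b"\x04" + struct.pack(">I", 1560000000) + b"\x01" + _mpi((1 << 255) | 0xACE1) + _mpi(65537)
    packets = [old(TAG_PUBLIC_KEY, key), old(TAG_USER_ID, b"Alice Example <alice@example.org>"),
               encode_packet(TAG_SIGNATURE, _cert_sig(0x13, v4_key_id(key), 1560000001))]
    for k in range(spam_count):
        bogus = hashlib.sha1(b"spambot-%d" % k).digest()[-8:]
        packets.append(encode_packet(TAG_SIGNATURE, _cert_sig(0x10, bogus, 1561000000 + k)))
    return b"".join(packets)
```

Calling `strip_third_party_certs(build_sample_key())` on the constructed key returns the three surviving packets (key, user ID, self-certification) and the counts `{'self': 1, 'third_party': 50, 'no_issuer': 0}`; the same call on the cleaned output is a no-op. Run against a key pulled from a keyserver with `gpg --export`, the stats alone tell you whether you are looking at a flooded certificate before any verification work is done, and the output is what GnuPG keeps by default once `self-sigs-only` is in effect. Nothing here checks the signatures, so it is a triage step, not a replacement for verification of the self-signatures that remain.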

  • by Kjella ( 173770 ) on Wednesday July 03, 2019 @06:42PM (#58869668) Homepage

    This is really the core part: "The keyserver network is susceptible to a variety of attacks as a consequence of its write-only design. The keyserver network can be thought of as an extremely large, extremely reliable, extremely censorship-resistant distributed filesystem which anyone can write to."

    How do you take that down? You fill it up with lots and lots of junk data. Why hasn't it been done before? Probably because this is at the heart of the "web of trust" idea that never really took off. Say you have Alice, Bob and Charlie who upload their public keys. Alice trusts Bob, so she publishes that. Charlie is looking to validate Bob and he trusts Alice, so if Alice says that's Bob it's probably Bob. And if he feels confident enough he too can publish that Charlie trusts Bob and so on. Now instead of this you have Spambot000001 trusts Bob, Spambot000002 trusts Bob, Spambot000003 trusts Bob and so on.

    What could you do about that? Authentication is not an option, rate limiters and CAPTCHAs probably not. Approval from the key owner? Search by known keys, exposing your list of public keys? Update the tools so they search through 150k keys more efficiently? Move to a closed CA model? Disband the public key server system and find alternate ways? If anyone could describe what the design fix was, you'd find someone who knows OCaml and pay them for a gig.

    • by Anonymous Coward

      We should solve this using blockchain! Now where is my $10m in venture capital and a 401k?

    • The keyserver network can be thought of as an extremely large, extremely reliable, extremely censorship-resistant distributed filesystem which anyone can write to

      So is this really SPAM, or just that someone discovered they can abuse it to pass encrypted messages that just look like junk to everyone else?

      • So is this really SPAM, or just that someone discovered they can abuse it to pass encrypted messages that just look like junk to everyone else?

        It wouldn't be the first time pirates "re-purposed" something on the internet. Maybe the stored keys are actually encrypted URLs and so forth...

    • by dissy ( 172727 ) on Wednesday July 03, 2019 @09:05PM (#58870232)

      What could you do about that?

      The obvious solutions involve providing the commands on the key server to enable the clients to take care of themselves.

      Remember pop3 back in the dialup days? "give me mail spool" could choke down your bandwidth for a very long time if you have a large mail spool or don't delete on download.
      Along comes imap and one huge improvement was being able to request counts and sizes on folders, along with being able to request individual items as well as ranges.

      If the key servers allowed a client to get a signature count, or a listing with byte sizes and date stamps, it could choose how much data to transfer in one go and how to break things apart so it doesn't have too much to work with.

      If your identifier links to a key with 50k signatures, but 49.5k of them were added in the same time period, perhaps the client or user can choose to just get the oldest 500 signatures.
      Perhaps that is good enough trust.

      Or a listing of identifiers so your client can initially limit itself to identifiers you already know and trust, getting those signatures and keys just to verify that.

      As was mentioned in the article, this would be a huge undertaking and no one running the key servers feels comfortable with such changes.
      It would also need to keep full backwards compatibility, with the current key transfer protocol, quirks included.
      Even after all that, clients need to be updated to take advantage of the new commands and protocols.

      With the previous imap example, it isn't like that protocol popped up over night, a very large time period of lessons learned and experience went into it. And even at that, it isn't backwards compatible with pop, all during a time when email was considered -very- close to infrastructure level importance.

      Even for someone familiar enough with the key server protocols and code base, I wouldn't envy them the task ahead, and I certainly can't blame the current maintainers for not wanting to break things.

      • Remember pop3 back in the dialup days? "give me mail spool" could choke down your bandwidth for a very long time if you have a large mail spool or don't delete on download.

        POP wasn't designed to leave mail on the server. You delete on download if you're using it correctly.

        Along comes imap and one huge improvement was being able to request counts and sizes on folders, along with being able to request individual items as well as ranges.

        You are nearly entirely wrong [electrictoolbox.com], with the sole exception that POP doesn't let you request ranges, but only individual messages. POP3 lets you list the number of messages, and the size in bytes of each message. POP3 retrieves one message at a time. The problem with POP3 clients was never the protocol, it was always the implementation. A proper, multithreaded (or even multiprocess) implementation using POP would

        • by tlhIngan ( 30335 )

          You are nearly entirely wrong, with the sole exception that POP doesn't let you request ranges, but only individual messages. POP3 lets you list the number of messages, and the size in bytes of each message. POP3 retrieves one message at a time. The problem with POP3 clients was never the protocol, it was always the implementation. A proper, multithreaded (or even multiprocess) implementation using POP would not have this drawback. I do not know if anyone did it well, but there is nothing about the protocol

    • I send a USB stick containing a zip file, which has a text document inside it, via the postal service, to my intended contact.

      The zip file is encrypted with a passcode.

      Once the recipient gets the flashdrive, they call me on my telephone, and once they have determined that it is indeed me, and I have determined that it is indeed them, I give them the passcode.

      They open the zip file, and extract the text document.

      The text document contains my public key. They can then decode emails I send to them.

      They reform

    • What could you do about that? Authentication is not an option, rate limiters and CAPTCHAs probably not. Approval from the key owner? Search by known keys, exposing your list of public keys? Update the tools so they search through 150k keys more efficiently? Move to a closed CA model? Disband the public key server system and find alternate ways?

      What about Proof of Work? Raise the cost of every PGP signature submission high enough and spam problem will go away.

    • What could you do about that?

      You could have a web of trust specifically for protecting who is even allowed to sign other people's keys, for example, protecting your web of trust with a web of trust. But there's also just going to have to be some kind of detection of malicious activity.

  • by Anonymous Coward

    The project has known about a devastating attack for a decade.

    They have done nothing to prevent it.

    We now have blockchain tech that easily prevents this sort of attack.

    The attack has happened.

    Let's just move on to the next generation architecture which is the blockchain.

    • by Anonymous Coward

      Yay! Blockchain! The magical technology that is the answer, no matter what the question is.

      How do we bring about world peace? Blockchain!

      How do we create a decentralised currency that, by design, tracks each and every transaction? Blockchain!

      How do we fix what was previously an obscure problem with PGP? Blockchain!

      How do we prevent trolling on Slashdot? Blockchain!

    • by Actually, I do RTFA ( 1058596 ) on Wednesday July 03, 2019 @09:06PM (#58870234)

      How does blockchain in any way prevent this attack? Like, please draw a line for me, because I cannot see it.

  • Enigmail Problems? (Score:4, Interesting)

    by bill_mcgonigle ( 4333 ) * on Wednesday July 03, 2019 @07:40PM (#58869914) Homepage Journal

    I noticed Enigmail takes 16 cores to 100% if I add a new recipient. This only started a few days ago and I had to disable it for now.

    GPG is complaining about invalid signature dates so maybe there's a way to tag the spam.

    • ...and then they use valid timestamps... and your now-required test for invalid ones consumes even more processing power, but accomplishes nothing.
  • NSA (Score:2, Interesting)

    by Anonymous Coward

    Last week the administration leaks noise about going after encryption, this week this happens.

    Maybe they're not connected. ... Maybe.

  • "the hackers could make it impossible for people using Linux to download updates, which are verified via PGP"

    Red Hat say their update process should continue to work

    https://access.redhat.com/arti... [redhat.com]

  • There is this three-lettered agency whose relationship with the US government makes destruction of personal privacy its most important product. Either that, or the Israelis.
