 
			
		
		
	
		
		
		
		
		
		
			
				 
			
		
		
	
		
		
		
		
			
				 
			
		
		
	
    
	Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem (vice.com) 88
			
		 	
				A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem. From a report: Unknown attackers are spamming a core component of the ecosystem of the well-known encryption software PGP, breaking users' PGP installations and clients. What's worse, there may be no way to stop them. Last week, contributors to the PGP protocol GnuPG noticed that someone was "poisoning" or "flooding" their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impossible for the the PGP software that people use to verify its authenticity, which can make the software unusable or break. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.
		 	
		
		
		
		
			
		
	
Re:No way to stop it! (Score:5, Interesting)
But how do you tell a legitimate signature by a legitimate key from the spam? The latter can have its signatures back-dated, with the bogus keys forming a realistic-looking network of mutual signatures.
Only way I see is discarding one-way sigs, but that leads to a bootstrap problem.
Re: (Score:3, Funny)
Pick someone who is famous and incorruptible to sign the first one. Bruce Perens, Ron Rivest, DJB, or RMS. Honestly I'd even accept a retired Bill Gates.
RMS would be a natural choice, till you realise he can't find a phone line for his 28.8k modem.
Re:No way to stop it! (Score:4)
But you don't understand...
"He would insult the Universe. That is, he would insult everybody in it. Individually, personally, one by one, and (this was the thing he really decided to grit his teeth over) in alphabetical order."
What Douglas Adams failed to forsee was that he would digitally sign each individual's certificate with every other individual's.
Re: (Score:2)
As someone who's written sig processing code, if your code can be broken by too many sigs then it's your code that has the problem, not the "sig-spamming". So this seems like a problem with GPG, not with (Open)PGP in general.
Years ago I generated a multimegabyte X.509 cert and tried importing it in (then) IE and Firefox. IE crashed, Firefox locked up for minutes at a time until I deleted the cert database and started from scratch. It's scary how vulnerable a lot of the "security" software that's supposed
Nope, doesn't work (Score:5, Informative)
This is old news by now. Of course msmash had to wait until some shitty outfit dumbed it down enough to blue-haired millennial level. Posting original sources is too hard!
Read here [github.com] why "just delete them" is a bit of a non-starter if you use keyservers a lot. (Which I don't; they aren't usable for the way I prefer to use gpg.)
This summary doesn't even manage to articulate what the actual problem is, and makes a complete hash of just what is what in OpenPGP/PGP/GnuPG. Again, thanks for nothing, msmash.
And? (Score:5, Interesting)
Then you should have done something.
Re: (Score:2)
The things causing climate change aren't opensource and can't be fixed by an opensource software advocate. Last I heard, the ability of the community to fix issues like this was one of the talking points for FLOSS. So, why hasn't someone in the FLOSS community fixed this? If no one knows the language, why hasn't someone learned it and fixed it? If it can't be fixed in it's native language, why hasn't someone reverse engineered and implemented it in a different language? Why is the FLOSS community falling d
RTFA: written in what?! by Whom?! (Score:1)
from the article and more interesting than the snippet:
"written in an obscure language created for a PhD thesis, the underlying problem component (SKS) seemingly cant be fixed - Noone in the PGP community has the knowledge to overhaul the codebase, the problem has been a long time coming"
anyone think the obscure software writer who wont update said software (nor teach anyone said obscure language)may just be the perpetrator?
sabotaging your own old junk as an exercise isnt unheard of.
Re: (Score:2)
No. My guess is that they wrote it a long time ago, and they haven't looked at it for decades. They may even be dead.
Re: (Score:1)
Dude, it was the 1990s, not the 1890s.
Re: (Score:3)
A lot of people die over 20-30 years. I don't expect to be around 30 years from now, and I doubt I'll be coding 20 years from now, as I've already noticed my ability to concentrate declining.
use SMIME with a private cert (Score:2)
as a alternative use SMIME with a private cert
"an obscure language" (Score:2)
Re: (Score:3)
not really, it's mostly not used in business nor anywhere else.
Re: (Score:1)
not really, it's mostly not used in business nor anywhere else.
Count your lucky stars, the component at fault could have been written in Cobol.
Re: (Score:2)
COBOL is still *hugely* used though, bad example. You finances travel through COBOL code even if the fronts ends often make people think its something else: bank money, accounting, insurance, medical records...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Languages used by hundreds or thousands of companies to make wares certainly quality as mainstream languages. Perl, COBOL, Java, Python, R, C++.....
OCAML isn't one of those. In fact the four examples in wikipedia of companies that did use it for notable things has 2 stale entries. It's an academic curiosity at this point in time, a mostly has-been dead language.
As a contrast, Erlang is still used in telecom networks.
Re: (Score:2)
Source post about the problem (Score:5, Informative)
Link to the source post for the issue at hand: https://gist.github.com/rjhans... [github.com]
A very salient part from the Vice article: "If you think this is bad, consider this: the SKS software was written in an obscure language by a PhD student for his thesis. And because of that", according to Hansen, “there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase.”
The bottom line is this is taking advantage of a feature of OpenPGP - where you can have tens of thousands of people attach a signature to yours, to attest that your certificate is really yours. Problem is, once you get a large number of these attached, GnuPG will choke if it downloads one from a keyserver.
And, as shown above, no one wants to fix the issue with the keyservers (put a limit on number of signatures that can be attached), so it must not be a very important issue to begin with (/sarc)
Solution is simple: (Score:1)
Only transmit the initial key, let people handle the chain of trust key imports themselves.
A secondary option, but it might require client changes as well: treat it like the blockchain and only download signatures x times or until you get one you can authenticate against. Really this sounds like somebody experimentating with the blockchain signing and then going 'hey I wonder if that works on keyservers too!' And as it turns out, it doesn't, becaus keyservers made assumptions about how popular a key could b
Not primarily a language problem, a SPAM problem (Score:5, Interesting)
This is really the core part: "The keyserver network is susceptible to a variety of attacks as a consequence of its write-only design. The keyserver network can be thought of as an extremely large, extremely reliable, extremely censorship-resistant distributed filesystem which anyone can write to."
How to you take that down? You fill it up with lots and lots of junk data. Why hasn't it been done before? Probably because this is at the heart of the "web of trust" idea that never really took off. Say you have Alice, Bob and Charlie who uploads their public keys. Alice trusts Bob, so she publishes that. Charlie is looking to validate Bob and he trusts Alice, so if Alice says that's Bob it's probably Bob. And if he feels confident enough he too can publish that Charlie trusts Bob and so on. Now instead of this you have Spambot000001 trusts Bob, Spambot000002 trusts Bob, Spambot000003 trusts Bob and so on.
What could you do about that? Authentication is not an option, rate limiters and CAPTCHAs probably not. Approval from the key owner? Search by known keys, exposing your list of public keys? Update the tools so they search through 150k keys more efficiently? Move to a closed CA model? Disband the public key server system and find alternate ways? If anyone could describe what the design fix was, you'd find someone who knows Ocaml and pay them for a gig.
Just ask any 25 year old millennial (Score:1)
We should solve this using blockchain! Now where is my $10m in venture capital and a 401k?
Re: (Score:2)
The keyserver network can be thought of as an extremely large, extremely reliable, extremely censorship-resistant distributed filesystem which anyone can write to
So is this really SPAM, or just that someone discovered they can abuse it to pass encrypted messages that just look like junk to everyone else?
Re: (Score:2)
So is this really SPAM, or just that someone discovered they can abuse it to pass encrypted messages that just look like junk to everyone else?
It wouldnt be the first time pirates "re-purposed" something on the internet. Maybe the stored keys are actually encrypted URL's and so forth...
Re:Not primarily a language problem, a SPAM proble (Score:5, Interesting)
What could you do about that?
The obvious solutions involve providing the commands on the key server to enable the clients to take care of themselves.
Remember pop3 back in the dialup days? "give me mail spool" could choke down your bandwidth for a very long time if you have a large mail spool or don't delete on download.
Along comes imap and one huge improvement was being able to request counts and sizes on folders, along with being able to request individual items as well as ranges.
If the key servers allowed a client to get a signature count, or a listing with byte sizes and date stamps, it could choose how much data to transfer in one go and how to break things apart so it doesn't have too much to work with.
If your identifier links to a key with 50k signatures, but 49.5k of them were added in the same time period, perhaps the client or user can choose to just get the oldest 500 signatures.
Perhaps that is good enough trust.
Or a listing of identifiers so your client can initially limit itself to identifiers you already know and trust, getting those signatures and keys just to verify that.
As was mentioned in the article, this would be a huge undertaking and no one running the key servers feels comfortable with such changes.
It would also need to keep full backwards compatibility, with the current key transfer protocol, quirks included.
Even after all that, clients need updated to take advantage of the new commands and protocols.
With the previous imap example, it isn't like that protocol popped up over night, a very large time period of lessons learned and experience went into it. And even at that, it isn't backwards compatible with pop, all during a time when email was considered -very- close to infrastructure level importance.
Even for someone familiar enough with the key server protocols and code base, I wouldn't envy them the task ahead, and I certainly can't blame the current maintainers for not wanting to break things.
Re: (Score:2)
Remember pop3 back in the dialup days? "give me mail spool" could choke down your bandwidth for a very long time if you have a large mail spool or don't delete on download.
POP wasn't designed to leave mail on the server. You delete on download if you're using it correctly.
Along comes imap and one huge improvement was being able to request counts and sizes on folders, along with being able to request individual items as well as ranges.
You are nearly entirely wrong [electrictoolbox.com], with the sole exception that POP doesn't let you request ranges, but only individual messages. POP3 lets you list the number of messages, and the size in bytes of each message. POP3 retrieves one message at a time. The problem with POP3 clients was never the protocol, it was always the implementation. A proper, multithreaded (or even multiprocess) implementation using POP would
Re: (Score:2)
Re: (Score:2)
I send a USB stick containing a zip file, which has a text document inside it, via the postal service, to my intended contact.
The zip file is encrypted with a passcode.
Once the recipient gets the flashdrive, they call me on my telephone, and once they have determined that it is indeed me, and I have determined that it is indeed them, I give them the passcode.
They open the zip file, and extract the text document.
The text document contains my public key. They can then decode emails I send to them.
They reform
What about Proof of Work? (Score:2)
What could you do about that? Authentication is not an option, rate limiters and CAPTCHAs probably not. Approval from the key owner? Search by known keys, exposing your list of public keys? Update the tools so they search through 150k keys more efficiently? Move to a closed CA model? Disband the public key server system and find alternate ways?
What about Proof of Work? Raise the cost of every PGP signature submission high enough and spam problem will go away.
Re: (Score:2)
What could you do about that?
You could have a web of trust specifically for protecting who is even allowed to sign other people's keys, for example, protecting your web of trust with a web of trust. But there's also just going to have to be some kind of detection of malicious activity.
This is a good thing. (Score:1)
The project has known about a devastating attack for a decade.
They have done nothing to prevent it.
We now have blockchain tech that easily prevents this sort of attack.
The attack has happened.
Let's just move on to the next generation architecture which is the blockchain.
Re: (Score:1)
Yay! Blockchain! The magical technology that is the answer, no matter what the question is.
How do we bring about world peace? Blockchain!
How do we create a decentralised currency that, by design, tracks each and every transaction? Blockchain!
How do we fix what was previously an obscure problem with PGP? Blockchain!
How do we prevent trolling on Slashdot? Blockchain!
Re:This is a good thing. (Score:4, Insightful)
How does blockchain in any way prevent this attack? Like, please draw a line for me, because I cannot see it.
Enigmail Problems? (Score:4, Interesting)
I noticed Enigmail takes 16 cores to 100% if I add a new recipient. This only started a few days ago and had to disable it for now.
GPG is complaining about invalid signature dates so maybe there's a way to tag the spam.
Re: (Score:2)
NSA (Score:2, Interesting)
Last week the administration leaks noise about going after encryption, this week this happens.
Maybe they're not connected.  ... Maybe.
May *not* affect Linux updates (Score:2)
"the hackers could make it impossible for people using Linux to download updates, which are verified via PGP"
Red Hat say their update process should continue to work
https://access.redhat.com/arti... [redhat.com]
Re: (Score:2)
It's not an issue for distributions for this reason, but it is often an issue for applications which are in a third-party repo, because many if not most of the install processes for such include adding a key from a repo. Once installed, they will update fine.
You have to ask? (Score:1)