Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

OpenPGP Keyserver Attack Ongoing (duo.com) 67

Trailrunner7 quotes Duo.com's Decipher blog: There's an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates.

The attack is quite simple and doesn't exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that's used to distribute certificates. Keyservers are designed to allow people to discover the public certificates of other people with whom they want to communicate over a secure channel. One of the properties of the network is that anyone who has looked at a certificate and verified that it belongs to another specific person can add a signature, or attestation, to the certificate. That signature basically serves as the public stamp of approval from one user to another...

Last week, two people involved in the OpenPGP community discovered that their public certificates had been spammed with tens of thousands of signatures -- one has nearly 150,000 -- in an apparent effort to render them useless. The attack targeted [OpenPGP project developers] Robert J. Hansen and Daniel Kahn Gillmor, but the root problem may end up affecting many other people, too...

Matthew Green, a cryptographer and associate professor at Johns Hopkins University, said that the attack points out some of the weaknesses in the entire OpenPGP infrastructure.

"PGP is old and kind of falling apart. There's not enough people maintaining it and it's full of legacy code. There are some people doing the lord's work in keeping it up, but it's not enough," Green said. "Think about like an old hospital that's crumbling and all of the doctors have left but there's still some people keeping the emergency room open and helping patients. At some point you have to ask whether it's better just to let it close and let something better come along.

"I think PGP is preventing the development of better stuff and the person who did this is clearly demonstrating this problem."


On Thursday ZDNet quoted a disturbing blog post from OpenPGP project developer Robert "rjh Hansen, who warned that "given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned."
This discussion has been archived. No new comments can be posted.

OpenPGP Keyserver Attack Ongoing

Comments Filter:
  • this story was on the front page about two days ago...

  • Wtf (Score:5, Insightful)

    by Anonymous Coward on Saturday July 06, 2019 @12:00PM (#58882492)

    "PGP is preventing the development of better stuff"

    Right after he says barely enough people working on it?

    Bullshit, PGP is not stopping anyone from doing anything. Let's not equate 1) people thinking that it's good enough for what they need, with 2) someone actually standing in their way, or threatening them with jail time or lawsuits for trying to do what they need to do

    PGP has some issues, but this whole DDOS exploit thing can be remedied by deleting the spam signatures at the servers. The sky is not falling here. Maybe add a captcha into the submission process and then consider better alternatives. It's just another API getting abused by assholes.

    • chill out. what they mean is that since PGP is "good enough" and many people use it, there has been little motivation of someone else making something different. it may or may not be true, who knows. but i think it's definitely the time for a new project to come up.

  • by Anonymous Coward on Saturday July 06, 2019 @12:00PM (#58882496)

    I'm sure this is naive somehow, but why can't they just limit the number of signers for trust verification to the most trusted (say) few hundred keys?

    If I'm trying to figure out whether to trust a key, am I really going to get any additional info from the 30,000th key that signed it when that key is brand new?

    Why not just keep the best ones? Doesn't this attack have an easy mitigation?

    • Probably it's not so easy, otherwise it would surely have been done. For one, it seems the SKS keyservers' code (which is what's broken, not 'PGP') is virtually unmaintained at this point in time. And then, for all I know, a concerted effort would be needed to upgrade all SKS keyservers at once, which would need their respective maintainers to be reachable and able to do that. As far as I can see, nothing like that will be happening; possibly the SKS servers will even need to be shut down. But keys.openpgp.

    • by lkcl ( 517947 )

      Why not just keep the best ones? Doesn't this attack have an easy mitigation?

      How do you "know" what is "best"? In effect we have a slashdot moderation problem, as applied to a distributed cyclic graph that has absolutely no delete facility, by design (similar to blockchain, except blockchains are acyclic).

      Twenty years ago Raph Levien designed the advogato trust meyric system, to help solve these issues, and a few years later the keynote protocol was designed (it's an IETF RFC 2704).

      The problem with all these systems - keynote, advogato, slashdot moderation and meta moderation, is s

    • by Sloppy ( 14984 )

      If I'm trying to figure out whether to trust a key, am I really going to get any additional info from the 30,000th key that signed it when that key is brand new?

      Maybe, if you didn't know the first 29999 signers but the 30000th did happen to be the one that you know.

      The only downside of having lots of signatures is probably just going to be some ancient code running out of memory due to a naive assumption. If that's the case, the bug would be fixable.

      Why not just keep the best ones?

      The power of OpenPGP whic

    • It's worth at least skimming the posting by one of the GnuPG guys [github.com] that clearly describes the actual problem, rather than trying to infer it from the muddled slashdot summary.
  • by demon driver ( 1046738 ) on Saturday July 06, 2019 @01:08PM (#58882730) Journal

    The SKS keyservers are the problem, not PGP per se.

    Looks like PGP can stay functional and safe by using keys.openpgp.org instead. Of couse, this is a fresh start, and only after many people have migrated it will really start to serve as a public PGP key directory.

    See keys.openpgp.org [openpgp.org].

    It requires an uploaded key's e-mail address to be verified for the key to become searchable and sends a verification request to that e-mail address.

    The concept of a 'web of trust' through people signing each others keys, which now is broken, is dropped for good.

    Seems to be the only sensible way to keep PGP functional at this point in time.

    Clients need changes to become keys.openpgp.org compatible, but important ones (like Thunderbird's Enigmail) are already in the process of doing that and of setting keys.openpgp.org as the default keyserver in one of the next versions.

    GnuPG works with keys.openpgp.org as it is but cannot process the verification.

    • by Kjella ( 173770 )

      The concept of a 'web of trust' through people signing each others keys, which now is broken, is dropped for good.

      Technically it's not broken, just that public key servers are flood-able. They could simply make it opt-in the same way, the owner of the address must send a confirmation email for each signature to become publicly searchable. That way Alice's key can be signed by Bob, Charlie, Dave and Spambot 1-100 but Alice may only care to show Bob and Dave. After all the point is to establish trust for Alice, she should decide what endorsements have any value. Plus she can keep out signatures that pretend to be known f

  • The FreePBX Code Signing Key was effectively destroyed at the end of last year by filling it full of crap.

    Discussion (and the "Oh well, nothing can be done" response) is in this thread:

    https://lists.nongnu.org/archi... [nongnu.org]

On a clear disk you can seek forever. -- P. Denning

Working...