OpenPGP Keyserver Attack Ongoing (duo.com) 67
Trailrunner7 quotes Duo.com's Decipher blog: There's an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates.
The attack is quite simple and doesn't exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that's used to distribute certificates. Keyservers are designed to allow people to discover the public certificates of other people with whom they want to communicate over a secure channel. One of the properties of the network is that anyone who has looked at a certificate and verified that it belongs to another specific person can add a signature, or attestation, to the certificate. That signature basically serves as the public stamp of approval from one user to another...
Last week, two people involved in the OpenPGP community discovered that their public certificates had been spammed with tens of thousands of signatures -- one has nearly 150,000 -- in an apparent effort to render them useless. The attack targeted [OpenPGP project developers] Robert J. Hansen and Daniel Kahn Gillmor, but the root problem may end up affecting many other people, too...
Matthew Green, a cryptographer and associate professor at Johns Hopkins University, said that the attack points out some of the weaknesses in the entire OpenPGP infrastructure.
"PGP is old and kind of falling apart. There's not enough people maintaining it and it's full of legacy code. There are some people doing the lord's work in keeping it up, but it's not enough," Green said. "Think about like an old hospital that's crumbling and all of the doctors have left but there's still some people keeping the emergency room open and helping patients. At some point you have to ask whether it's better just to let it close and let something better come along.
"I think PGP is preventing the development of better stuff and the person who did this is clearly demonstrating this problem."
On Thursday ZDNet quoted a disturbing blog post from OpenPGP project developer Robert "rjh" Hansen, who warned that "given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned."
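The following added example (not from the quoted article or from any OpenPGP project) counts the certification signatures carried by a binary certificate by walking its RFC 4880 packet headers, so a flooded certificate can be recognised before it is handed to an OpenPGP implementation for import. The function names and `sample_cert`, which builds constructed test data without real key material, are assumptions of this example; v3 signatures and partial body lengths are not handled.

```python
from collections import Counter

def read_len(buf, i, two_max):
    """Decode a new-format length at buf[i]; return (length, next index)."""
    if buf[i] < 192:
        return buf[i], i + 1
    if buf[i] <= two_max:
        return ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
    if buf[i] == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body length not handled")

def packets(data):
    """Yield (tag, body) for each packet of a binary (dearmored) certificate."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not binary OpenPGP data")
        if hdr & 0x40:                         # new-format header
            tag, (size, i) = hdr & 0x3F, read_len(data, i + 1, 223)
        else:                                  # old-format header
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]  # type 3: IndexError
            size, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + size]
        i += size

def issuer(sig):
    """Issuer key ID (subpacket 16) of a v4 signature body, else None."""
    j = 4
    for _ in range(2):                         # hashed area, then unhashed area
        end, j = j + 2 + int.from_bytes(sig[j:j + 2], "big"), j + 2
        while j < end:
            n, j = read_len(sig, j, 254)       # n = type octet + data octets
            if sig[j] & 0x7F == 16:
                return sig[j + 1:j + 9]
            j += n

def certifications(cert):
    """Counter of issuer key IDs over v4 certifications (types 0x10-0x13)."""
    return Counter(issuer(b) for t, b in packets(cert)
                   if t == 2 and b[0] == 4 and 0x10 <= b[1] <= 0x13)

def sample_cert(flood):
    """Constructed certificate (no real key material) with 1 + flood certifications."""
    pkt = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body
    sig = lambda kid: pkt(2, bytes([4, 0x10, 1, 8, 0, 0, 0, 10, 9, 16]) + kid + b"\0\0")
    sigs = b"".join(sig(n.to_bytes(8, "big")) for n in range(1 + flood))
    return pkt(6, b"\x04constructed") + pkt(13, b"alice@example.org") + sigs
```

For a fetched key file, read it in binary mode and compare `sum(certifications(data).values())` against a limit of your choosing before importing it.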
Re: (Score:1)
Literally. I can't overstate how seriously bad it is.
That "worst technology ever" kept messaging secure for a long damn time. Tell me again how it's so bad compared to the end-to-end bullshit tech coming out today that can't manage to make it more than a year or two before getting compromised, and far worse than some extra signatures on a fucking public cert.
Re:Worst technology ever (Score:5, Informative)
PGP does one thing that no other tech does: It separates endpoint encryption from transport layers. Even if Signal, et al. are secure, all it would take is pushing out a compromised update to grab keys and send them to the attacker's C&C servers. With PGP, the attacker has to both get the message, then compromise the PGP application.
By separating the encryption from transport, PGP works anywhere. I can send a PGP encrypted file to someone via E-mail, WhatsApp, Signal, Telegram, NNTP (via alt.anonymous.messages), slap it on a file share, or even physically mail media. In all those cases, if it is intercepted, who cares. Tampering would be evident by the signature, and encryption protects the content.
What is out there that even comes close? VeraCrypt volumes? Maybe, but you then have to get both sides to agree on a shared secret.
PGP has done a damn fine job of keeping things secure. Yes, it takes some work, but a web of trust is FAR more secure than the CA "just trust us, we call ourselves trusted and have a cool padlock logo" type of BS that is found in SSL/TLS, where one compromised CA destroys the entire system.
If someone doesn't like PGP, feel free to propose changes to the OpenPGP protocol. SaltPack has some useful additions like forward secrecy and better binary to ASCII encoding. Yes, PGP is old and creaky, but it does the job and has stood the test of time.
Re:Worst technology ever (Score:4, Informative)
Congratulations. You are one of the .01% of the population who's studied PGP long enough to comprehend how to use its "web of trust", and who regularly communicates with someone else who has done the same thing.
For the rest of us, it's pretty useless. CAs may suck, but everybody can use them at least as a client without having to know anything at all about computer science.
Re: (Score:1)
We could take down all the keyservers right now
and this is what should happen. Keyservers are broken. They don't even check if anyone who publishes a key controls the mailbox or the domain. There's no way to say that an old key isn't yours or might be compromised or that you've lost the secret key, unless you happen to have a revocation certificate. There's no way to delete spam from a key. Public keys should be transferred out of band or via HTTPS or DNS from your email domain.
And "web of trust" is broken anyway. At key signing parties you can have any
Re:Understanding PGP (Score:4, Insightful)
You don't understand PGP? It's really easy. There are many good explanations out there. Don't give up, I'm sure you'll manage! Yes, you can!
You're right: I would understand PGP if I bothered to go study it.
But nobody I communicate with would match all three of the following requirements: 1. Need to exchange information worth protecting at that level 2. Understand PGP 3. Be willing to use PGP.
For communicating individuals, much of the stuff just doesn't matter and insecure email is acceptable. For confidential things, https internal email for work stuff; for non-work stuff, WhatsApp or posting onto a privately shared cloud drive are not unbreakable, but almost always "good enough" for me.
For more sensitive things like financial institutions and healthcare providers, they invariably host their own private messaging system via https, and there's no way they're using PGP. That leaves zero incentive for me to allocate time or brain space to learning all the arcane details of how to use PGP. I would never have an opportunity to use it.
Re: (Score:1)
PGP does one thing that no other tech does: It separates endpoint encryption from transport layers.
What? No. That's standard for anything OSI compliant. The whole TCP/IP stack is based on principle of separation.
Re: (Score:1)
Bad? Worst technology ever? No. But developer attitude? Definitely not perfect, even if the development is understaffed and underpaid and basically volunteer work. Providing the vulnerable users with flawed software and false sense of security is at least morally objectionable when these flaws have been known for a decade and the flaws are so easily exploitable. They should have discontinued the SKS system the moment it became clear that it's unmaintainable and unsalvageable, years before today.
Re: (Score:1)
I only wanted to add that "it just worked" or "it just seemed to work" are not suitable excuses when human lives are at stake. When your users are dissidents and your adversaries are repressive regimes, then you either do your work right, or don't do it at all. Sloppiness is the worst variant.
Dupe.... (Score:2)
this story was on the front page about two days ago...
Re: (Score:2)
But it's still ongoing and additional information has come to light.
It's news for nerds, stuff that matters.
Wtf (Score:5, Insightful)
"PGP is preventing the development of better stuff"
Right after he says barely enough people working on it?
Bullshit, PGP is not stopping anyone from doing anything. Let's not equate 1) people thinking that it's good enough for what they need, with 2) someone actually standing in their way, or threatening them with jail time or lawsuits for trying to do what they need to do
PGP has some issues, but this whole DDOS exploit thing can be remedied by deleting the spam signatures at the servers. The sky is not falling here. Maybe add a captcha into the submission process and then consider better alternatives. It's just another API getting abused by assholes.
Re: (Score:2)
chill out. what they mean is that since PGP is "good enough" and many people use it, there has been little motivation of someone else making something different. it may or may not be true, who knows. but i think it's definitely the time for a new project to come up.
Can't they just limit how many signatures? (Score:5, Interesting)
I'm sure this is naive somehow, but why can't they just limit the number of signers for trust verification to the most trusted (say) few hundred keys?
If I'm trying to figure out whether to trust a key, am I really going to get any additional info from the 30,000th key that signed it when that key is brand new?
Why not just keep the best ones? Doesn't this attack have an easy mitigation?
Re: (Score:2)
Probably it's not so easy, otherwise it would surely have been done. For one, it seems the SKS keyservers' code (which is what's broken, not 'PGP') is virtually unmaintained at this point in time. And then, for all I know, a concerted effort would be needed to upgrade all SKS keyservers at once, which would need their respective maintainers to be reachable and able to do that. As far as I can see, nothing like that will be happening; possibly the SKS servers will even need to be shut down. But keys.openpgp.
Re: (Score:2)
Why not just keep the best ones? Doesn't this attack have an easy mitigation?
How do you "know" what is "best"? In effect we have a slashdot moderation problem, as applied to a distributed cyclic graph that has absolutely no delete facility, by design (similar to blockchain, except blockchains are acyclic).
Twenty years ago Raph Levien designed the advogato trust metric system, to help solve these issues, and a few years later the keynote protocol was designed (it's IETF RFC 2704).
The problem with all these systems - keynote, advogato, slashdot moderation and meta moderation, is s
Re: (Score:2)
Maybe, if you didn't know the first 29999 signers but the 30000th did happen to be the one that you know.
The only downside of having lots of signatures is probably just going to be some ancient code running out of memory due to a naive assumption. If that's the case, the bug would be fixable.
The power of OpenPGP whic
Just use keys.openpgp.org, not the SKS keyservers (Score:5, Informative)
The SKS keyservers are the problem, not PGP per se.
Looks like PGP can stay functional and safe by using keys.openpgp.org instead. Of course, this is a fresh start, and only after many people have migrated will it really start to serve as a public PGP key directory.
See keys.openpgp.org [openpgp.org].
It requires an uploaded key's e-mail address to be verified for the key to become searchable and sends a verification request to that e-mail address.
The concept of a 'web of trust' through people signing each other's keys, which now is broken, is dropped for good.
Seems to be the only sensible way to keep PGP functional at this point in time.
Clients need changes to become keys.openpgp.org compatible, but important ones (like Thunderbird's Enigmail) are already in the process of doing that and of setting keys.openpgp.org as the default keyserver in one of the next versions.
GnuPG works with keys.openpgp.org as it is but cannot process the verification.
Re: (Score:2)
The concept of a 'web of trust' through people signing each other's keys, which now is broken, is dropped for good.
Technically it's not broken, just that public key servers are flood-able. They could simply make it opt-in the same way, the owner of the address must send a confirmation email for each signature to become publicly searchable. That way Alice's key can be signed by Bob, Charlie, Dave and Spambot 1-100 but Alice may only care to show Bob and Dave. After all the point is to establish trust for Alice, she should decide what endorsements have any value. Plus she can keep out signatures that pretend to be known f
This is YET ANOTHER Attack on Keys (Score:2)
The FreePBX Code Signing Key was effectively destroyed at the end of last year by filling it full of crap.
Discussion (and the "Oh well, nothing can be done" response) is in this thread:
https://lists.nongnu.org/archi... [nongnu.org]