New keyserver at keys.openpgp.org - what's your take?

David david at gbenet.com
Tue Jul 2 12:18:33 CEST 2019


On 02/07/2019 03:44, Mirimir via Gnupg-users wrote:
> On 07/01/2019 07:29 AM, David wrote:
> 
> <SNIP>
> 
>> My take on all this is that I have had to disable Enigmail because it's
>> screwed - I was not able to send mail and all the settings in Enigmail
>> were lots of ???????????? so I have been infected :(
>>
>> David
> 
> Damn. But all is likely not lost.
> 
> If you can open Enigmail Preferences, go to the Keyserver tab, and
> specify only keys.openpgp.org as the keyserver. That way, if you manage
> to fix gpg, Enigmail won't break it again. Also see "100% CPU usage
> endless loop of gpg --list-keys" <https://dev.gnupg.org/T3972> for
> background.
> 
> About hardening and fixing gpg, see
> <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f> at
> Mitigations and Repairs. Also see
> <https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html>.
> 
> You'll very likely need to use gpg in terminal. I suspect that GPA may
> be just as wedged as Enigmail.
> 
> Maybe someone could post a step-by-step guide for fixing gpg. For people
> who don't commonly use it in terminal. I suppose that I could import one
> of the poisoned keys in a fresh VM, and explore how to fix it. But I'm
> sure that someone reading this could just dash it out.
> 

My "fix" was simple - I already have a Linux laptop - saved all my keys
and my secret key on a USB stick. Whilst reading the thread - I changed
all the key servers from SKS - but then I got screwed as SKS key servers
refreshed my keys! WTF!!! Having installed everything to the new laptop
I just copied the folder onto my or this working laptop and all is fine.
But as key servers share data - (???) maybe the infected keys will
circulate???

My public key has only one confirmed signing - it had two - but really I
am not that tempted to download from any key server. Not all here attach
their public key - and do not upload to a key server - and well no one
will ever upload to a key server again!!!!!!! Ha!

Every key server is at risk. It has been done once - and can be done
again - there is some very sophisticated malware out there. This is a
great shock and a wake-up call to tighten security - on all key servers
- and to have a standardised platform - that takes money and developers.

I'm still in shock and very very wary!!!

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! https://gbenet.com
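
Added example, not part of the original message or of GnuPG itself: a terminal check for the situation in this thread, where keyserver settings were changed but an old server was still contacted. It assumes the settings live in gpg.conf and dirmngr.conf under the GnuPG home directory (Enigmail's own preference is not covered); the function names and the sample hostnames other than keys.openpgp.org are constructed.

```shell
#!/bin/sh
# Added example: report keyserver directives that still point anywhere other
# than the single allowed host (keys.openpgp.org, per the advice quoted above).
ALLOWED_HOST="keys.openpgp.org"

# audit_keyservers DIR
# Prints "file:line:value" for each active keyserver directive in DIR/gpg.conf
# and DIR/dirmngr.conf whose host is not ALLOWED_HOST. Returns 1 if any found.
audit_keyservers() {
    local dir="$1" f rc=0
    for f in "$dir/gpg.conf" "$dir/dirmngr.conf"; do
        [ -f "$f" ] || continue
        awk -v file="$f" -v ok="$ALLOWED_HOST" '
            /^[ \t]*#/ { next }                  # commented-out directive
            $1 == "keyserver" && NF >= 2 {
                host = tolower($2)
                sub("^[a-z0-9+]+://", "", host)  # drop scheme (hkp://, hkps://)
                sub("[/:].*$", "", host)         # drop port and path
                if (host != ok) { printf "%s:%d:%s\n", file, NR, $2; bad = 1 }
            }
            END { exit bad + 0 }
        ' "$f" || rc=1
    done
    return "$rc"
}

# Constructed sample: a GnuPG home where one file was updated and one was not.
make_sample_home() {
    local dir
    dir="$(mktemp -d)" || return 1
    printf '%s\n' '# keyserver hkp://old.example.net' \
        'keyserver hkps://sks-pool.example.net' > "$dir/gpg.conf"
    printf '%s\n' 'keyserver hkps://keys.openpgp.org' > "$dir/dirmngr.conf"
    printf '%s\n' "$dir"
}

# Demonstration on the constructed sample; for a real check, call
# audit_keyservers "${GNUPGHOME:-$HOME/.gnupg}" instead.
sample="$(make_sample_home)"
audit_keyservers "$sample" || echo "stale keyserver settings found"
rm -rf "$sample"
```
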