SKS Keyserver Network Under Attack

Ryan McGinnis ryan at digicana.com
Sun Jun 30 14:33:08 CEST 2019


What would have prevented a state-level actor from activating this exploit on a wide level during a time when it would have been most effective for them? I have to believe that the fine folks who can put an APT in your air-gapped computer’s video card BIOS have been aware of this attack for quite some time and probably have an entire laundry list of other similarly devastating attacks.

-Ryan McGinnis
http://bigstormpicture.com
PGP: 486ED7AD
Sent with ProtonMail Secure Email

On Sun, Jun 30, 2019 at 03:19, Robert J. Hansen <rjh at sixdemonbag.org> wrote:

>> How bad could this get?
>
> (I am sputteringly angry over this entire thing: please understand this
> and give a charitable read to what I write. I appreciate it.)
>
> Hard to say.
>
> One of the big problems we have is the size of the existing codebase.
> Once people have GnuPG installed people overwhelmingly like to leave it
> alone. We still get people coming onto this list asking for support
> with GnuPG *1.2*. So for these installations, these "we're going to
> install it and forget it"s?
>
> They're screwed. Sooner or later they'll import a poisoned certificate,
> GnuPG will get wedged, and it will appear as if GnuPG just stopped
> working. It might happen tomorrow or it might happen in five years. We
> don't know, but it will happen.
>
> There are other groups that run human networks in dangerous places.
> (There are many of them: Médecins Sans Frontières, Reuters, and more.)
> The people who are running around Syria treating casualties or doing
> political news reporting from Gaza are overwhelmingly not computer
> nerds. They know they're supposed to run "gpg --refresh-keys" from time
> to time to get the latest revocations. They do it this time, and GnuPG
> breaks horribly. Odds are good they'll say "sod this, I can't trust
> this crap" and throw it away.
>
> There are a ton of tiny little poorly-maintained systems in
> out-of-the-way places that get completely overlooked until things break.
> Those, too, have good odds of getting wedged the first time they
> encounter a poisoned certificate.
>
> The next version of Enigmail will no longer use the SKS network by
> default. Great! But what about existing Enigmail users? They'll see a
> signature, click "Import Key", and ... bam. They're likely not going to
> think that someone's performing a malicious attack by poisoning
> certificates: they're going to think "this is crap" and walk away.
>
> Right now only three certificates are known to be affected: mine, dkg's,
> and Kristian's. I expect that number to rise, either due to the
> original jerk figuring this is fun, or due to copycats getting in on the
> action.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
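The failure mode Robert describes above is GnuPG wedging when it imports a poisoned certificate; in the 2019 SKS incident the poisoning was signature flooding, tens of thousands of certifications attached to one certificate, a detail the thread does not spell out. The following pre-import check is an added example, not GnuPG's or the list's code: it walks the OpenPGP packet headers of an exported key and counts signatures per User ID so a flooded certificate can be refused before `gpg --import`; the 1000-signature threshold and the sample key are constructed assumptions.

```python
"""Count signatures per User ID in an OpenPGP public key before import; a flooded
("poisoned") certificate carries tens of thousands. Added example, not GnuPG code."""
SIG, PUBKEY, UID, SUBKEY, UATTR = 2, 6, 13, 14, 17

def iter_packets(data: bytes):
    """Yield (tag, body) per packet of an unarmored OpenPGP blob (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i - 1}")
        if ctb & 0x40:                                   # new-format header
            tag, o, i = ctb & 0x3F, data[i], i + 1
            if o < 192:
                n = o
            elif o < 224:
                n, i = ((o - 192) << 8) + data[i] + 192, i + 1
            elif o == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:                                        # partial body lengths never occur in key material
                raise ValueError("partial body length not supported")
        else:                                            # old-format header (GnuPG emits these for keys)
            tag, w = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]
            n, i = (int.from_bytes(data[i:i + w], "big") if w else len(data) - i), i + w
        yield tag, data[i:i + n]
        i += n

def signatures_per_uid(data: bytes) -> dict:
    """Map each User ID to the number of signature packets that directly follow it."""
    counts, current = {}, None
    for tag, body in iter_packets(data):
        if tag == UID:
            current = body.decode("utf-8", "replace")
            counts.setdefault(current, 0)
        elif tag in (PUBKEY, SUBKEY, UATTR):             # following signatures bind keys/attributes, not this UID
            current = None
        elif tag == SIG and current is not None:
            counts[current] += 1
    return counts

def is_flooded(data: bytes, limit: int = 1000) -> bool:
    return any(n > limit for n in signatures_per_uid(data).values())  # limit: assumed threshold

def _packet(tag: int, body: bytes) -> bytes:             # new-format encoder for the sample (body < 8384 octets)
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body

# Constructed sample, not a real key: one User ID with 3 signatures, one with 2000.
SAMPLE = (_packet(PUBKEY, b"\x04" + bytes(20)) + _packet(UID, b"Alice <alice@example.org>") +
          _packet(SIG, bytes(40)) * 3 + _packet(UID, b"flooded uid") + _packet(SIG, bytes(40)) * 2000)
```

Run it over the binary key file fetched from a keyserver (or the output of `gpg --dearmor` for an ASCII-armored one) and skip the import when `is_flooded` returns true.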

