Which keyserver
Robert J. Hansen
rjh at sixdemonbag.org
Sat Sep 19 13:42:06 CEST 2020
> It is true the attacks were what brought it down, but the amount of effort was not a "sustained
> attack" by any measure. The invested resources are somewhere around "couple hours and $0.00".

I'm not sure that's true.

The keyserver poisoning attack was demonstrated first by EFF's Micah
Lee. When he published his findings, he also published the Python
scripts necessary to execute the attack.

I don't know who the poisoner was. However, if I were to do the
poisoning attack I certainly would've begun by downloading Micah's code
and adapting it to the task. And for that reason I think it's entirely
reasonable to believe the keyserver poisoning attack was bootstrapped by
an EFF-funded research project which inappropriately released attack tools.