keyserver spam

Melvin Carvalho melvincarvalho at gmail.com
Tue Dec 20 16:32:23 CET 2011


On 16 December 2011 18:50, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 12/16/2011 10:51 AM, gnupg at lists.grepular.com wrote:
>> I understand that once you've uploaded something to the keyservers, it
>> can't be removed. E.g., if I sign someone else's key and upload that, it
>> will be attached to their key permanently?
>
> yes, this is correct. :(
>
>> What if someone were to generate say, 10,000 keypairs with "offensive"
>> uid names, and then sign my key with each of them, and then upload that
>> to the keyservers? Is there anything to stop that?
>
> nope.  flooding like this is currently possible. :(
>
>> Is there anything to
>> stop a spammer generating a key with their URL in the uid name and then
>> signing every key they can find and uploading that to the keyservers?
>
> nope, this is also possible. :(
>
>> Has anything like this happened before?
>
> well, there's the JBARSE key, which i vaguely recall having been created
> in a joking way to threaten character assassination, but i can't find
> any keys that it has actually signed, nor any documentation to explain
> why i have this recollection, so please take with a grain of salt.

I'm wondering if this could be used as an attack vector against (say)
FreedomBox, if it became popular, e.g.:

1. Let's say FBX got a big sponsorship, could the key servers cope with
1 million, 10 million, 100 million new keys?

Granted, this is a nice problem to have! :)

2. Could a malicious or anti-freedom oriented entity use this to
disrupt the FBX network, for example by using a botnet to keep
spamming key servers, similar to email spam botnets?

CC: FBX mail list

>
>        --dkg
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>


