SKS Keyserver Network Under Attack
guilhem at fripost.org
Mon Jul 1 01:23:28 CEST 2019
On Sun, 30 Jun 2019 at 22:23:11 +0000, Alyssa Ross wrote:
>> Third-party signatures from locally unknown certificates are arguably
>> not so useful, so how about using ?--keyserver-options import-clean??
>> (Or even making it the default behavior?) Of course it's not perfect as
>> it still clutters network traffic and gpg(1) needs to clean up the mess
>> client-side (which is slow and CPU expensive), but at least it mitigates
>> the DoS attack: it doesn't prevent keyring updates, and limits the bloat
>> on disk.
> Alas, this doesn't fully mitigate the issue, because it's not exactly
> difficult to get a key into somebody's keyring, especially with the
> existence of the auto-key-retrieve option.
Ah yeah, good point. At least this vastly limits the scope of the
attack: instead of affecting every keyring upon refresh/import, the
attacker needs to somewhat target which keyring they want to poison.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the Gnupg-users