SKS Keyserver Network Under Attack

Mirimir mirimir at riseup.net
Sun Jun 30 11:21:30 CEST 2019


On 06/30/2019 01:34 AM, Andrew Gallagher wrote:
> 
>> On 30 Jun 2019, at 09:19, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
>>
>> The next version of Enigmail will no longer use the SKS network by
>> default.  Great!  But what about existing Enigmail users?  They'll see a
>> signature, click "Import Key", and ... bam.  They're likely not going to
>> think that someone's performing a malicious attack by poisoning
>> certificates: they're going to think "this is crap" and walk away.
> 
> Thankfully there is a practical - if drastic - solution for all OpenPGP users everywhere. Point pool.sks-keyservers.net (and its various aliases) somewhere else. The question is where to and how soon.
> 
> A

This is undoubtedly a naive question. But anyway, would it be feasible
to test keys by importing them, and seeing which ones break OpenPGP?
Maybe do it in minimal Docker containers? And then somehow block access
to those keys?

Or is blocking just as impossible as deleting?

I know that wouldn't help people whose keys had been poisoned. But at
least it would help protect complex systems that rely on OpenPGP.

And if resource requirements would be impossible, what about focusing on
the most important keys? For key packages, say.
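Added example (not part of the original post, and not GnuPG, Enigmail or SKS code): one way to do the screening Mirimir asks about without importing anything at all. It assumes, as a known fact about the June 2019 attack rather than something stated on this page, that a poisoned certificate is one carrying an enormous number of signature packets. The screener only walks RFC 4880 packet framing, never the key material or the signatures themselves, so it can run in front of gpg with no sandbox and finishes in a few bytes of work per packet. The threshold, the packet-builder helpers and the sample keyring are constructed for the demonstration.

```python
# Hypothetical pre-import screen for certificate flooding (added example; not GnuPG, Enigmail or SKS code).
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY, TAG_USER_ATTR = 2, 6, 13, 14, 17
# Assumed cut-off: an ordinary certificate carries a handful to a few hundred signatures.
DEFAULT_MAX_SIGNATURES = 5000


def _new_format_length(data: bytes, pos: int) -> Tuple[int, int, bool]:
    """Decode a new-format length at data[pos] -> (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True  # 224..254: partial body length, more chunks follow


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet of a binary OpenPGP stream (RFC 4880 section 4.2)."""
    pos, n = 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header 0x{ctb:02x} at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header; the body may arrive as several partial chunks
            tag, chunks, partial = ctb & 0x3F, [], True
            while partial:
                length, pos, partial = _new_format_length(data, pos)
                chunks.append(data[pos:pos + length])
                pos += length
            body = b"".join(chunks)
        else:  # old-format header: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:  # indeterminate length: body runs to the end of the input
                length = n - pos
            else:
                width = (1, 2, 4)[ltype]
                length, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
            body, pos = data[pos:pos + length], pos + length
        if pos > n:
            raise ValueError(f"truncated packet (tag {tag}) at end of input")
        yield tag, body


@dataclass
class CertStats:
    user_ids: int = 0
    signatures: int = 0


def scan_keyring(data: bytes, max_signatures: int = DEFAULT_MAX_SIGNATURES) -> Tuple[List[CertStats], List[int]]:
    """Count packets per certificate (tag 6 up to the next tag 6); return (stats, flagged indexes)."""
    certs: List[CertStats] = []
    for tag, body in iter_packets(data):
        if tag == TAG_PUBLIC_KEY:
            certs.append(CertStats())
        elif not certs:
            raise ValueError(f"packet tag {tag} before the first public-key packet")
        elif tag in (TAG_USER_ID, TAG_USER_ATTR):
            certs[-1].user_ids += 1
        elif tag == TAG_SIGNATURE:
            certs[-1].signatures += 1
    flagged = [i for i, c in enumerate(certs) if c.signatures > max_signatures]
    return certs, flagged


def _new_length(n: int) -> bytes:
    """Encode a new-format body length (1, 2 or 5 bytes)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        return bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")


def _packet(tag: int, body: bytes, old_format: bool = False, partial: bool = False) -> bytes:
    """Frame one packet: new-format, old-format (2-byte length), or a 512-byte partial chunk plus remainder."""
    if old_format:
        return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body
    if partial:
        return bytes([0xC0 | tag, 224 | 9]) + body[:512] + _new_length(len(body) - 512) + body[512:]
    return bytes([0xC0 | tag]) + _new_length(len(body)) + body


def build_sample_keyring(flood_count: int = 20000) -> bytes:
    """Constructed sample: an ordinary certificate, then a flooded one. Bodies are placeholder bytes."""
    good = (_packet(TAG_PUBLIC_KEY, b"\x04GOODKEY1" + bytes(50))
            + _packet(TAG_USER_ID, b"Alice <alice@example.org>", old_format=True)
            + _packet(TAG_SIGNATURE, bytes(70)) * 3
            + _packet(TAG_SIGNATURE, bytes(600), partial=True)
            + _packet(TAG_PUBLIC_SUBKEY, bytes(40))
            + _packet(TAG_SIGNATURE, bytes(300)))
    flooded = (_packet(TAG_PUBLIC_KEY, b"\x04FLOODED1" + bytes(50))
               + _packet(TAG_USER_ID, b"Victim <victim@example.org>")
               + _packet(TAG_SIGNATURE, bytes(200)) * flood_count)
    return good + flooded


if __name__ == "__main__":
    stats, flagged = scan_keyring(build_sample_keyring())
    for i, c in enumerate(stats):
        print(f"cert {i}: uids={c.user_ids} sigs={c.signatures} -> {'REJECT' if i in flagged else 'ok'}")
```

To use it on a real key, feed it the binary form (ASCII-armored files must go through gpg --dearmor first) and refuse to pass anything in the flagged list to gpg --import. The count threshold only catches the bulk-signature pattern; the total byte size of a certificate is a second cheap signal worth checking alongside it, and a per-key rather than per-keyring verdict keeps a poisoned key from taking innocent keys in the same file down with it.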
