SKS Keyserver Network Under Attack

Robert J. Hansen rjh at sixdemonbag.org
Sun Jun 30 16:33:15 CEST 2019


> Your third point is actually why I suggested this. Maybe I'm just
> twisted, but what if some dickhead goes after certs that would break
> stuff for millions of people? One might, for example, block Linux kernel
> maintenance and development. Maybe just before using some 0-day.

For whatever it's worth, as soon as I heard word there were poisoned
certificates in the strong set I spoke to a friend who's well-connected
in the kernel community and made sure to pass on the warning and the
mitigation.

I am not worried about the kernel hackers being hit.  They're
technically savvy, close-knit, and largely self-sufficient technologically.

I'm very worried about people who lack technical skills (for many
people, just editing a config file is beyond them), who are in loose
contact with the GnuPG/keyserver community (people who might check in
once a year to see if there are any major updates), who are dependent on
others for their communications ("I don't know how this works, my IT
department sets it up for me").

Those people are -very- vulnerable to this.  They're going to get hit hard.

> It would stop when certs can no longer be poisoned.

Please show me how we can prevent certs from being poisoned.  This is a
phenomenally hard problem.  You are handwaving away a huge amount of
difficulty.

What you are saying here is, "it would never end."

> I don't see that as "doing the bad guys’ work for them". I see it as
> preventing bad guys escalating from hurting a few people to doing
> serious damage. That's not "punishing the victim".

"Look, this one guy who just got mugged?  Clearly the street gang
doesn't like him.  So if we just, you know, don't help him, then the
gang won't also go after us.  We're not 'punishing the victim'.  We're
just saying, the needs of the many outweigh the needs of the few.  I
mean, it's too bad, what's happening to him.  And it's too bad the gang
is making us turn our backs and walk away.

I bet that once we're a block away we're not going to be able to hear
him screaming.

Come on, let's walk faster."
