OpenPGP Keyserver Attack Ongoing

Trailrunner7 quotes’s Decipher blog: There’s an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates.

The attack is quite simple and doesn’t exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that’s used to distribute certificates. Keyservers are designed to allow people to discover the public certificates of other people with whom they want to communicate over a secure channel. One of the properties of the network is that anyone who has looked at a certificate and verified that it belongs to another specific person can add a signature, or attestation, to the certificate. That signature basically serves as the public stamp of approval from one user to another…

Last week, two people involved in the OpenPGP community discovered that their public certificates had been spammed with tens of thousands of signatures — one has nearly 150,000 — in an apparent effort to render them useless. The attack targeted [OpenPGP project developers] Robert J. Hansen and Daniel Kahn Gillmor, but the root problem may end up affecting many other people, too…

Matthew Green, a cryptographer and associate professor at Johns Hopkins University, said that the attack points out some of the weaknesses in the entire OpenPGP infrastructure. “PGP is old and kind of falling apart. There’s not enough people maintaining it and it’s full of legacy code. There are some people doing the lord’s work in keeping it up, but it’s not enough,” Green said. “Think about like an old hospital that’s crumbling and all of the doctors have left but there’s still some people keeping the emergency room open and helping patients. At some point you have to ask whether it’s better just to let it close and let something better come along.

“I think PGP is preventing the development of better stuff and the person who did this is clearly demonstrating this problem.”

On Thursday ZDNet quoted a disturbing blog post from OpenPGP project developer Robert “rjh Hansen, who warned that “given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned.”

Share on Google+

View source

Codice amico Very Mobile Diagonal Media Digital Marketing