Hi,
On Wed, Jul 03, 2019 at 03:34:12AM +1000, teor wrote:
> Hi,
>
> On 3 Jul 2019, at 02:31, Arthur D. Edelstein arthuredelstein@gmail.com wrote:
> > Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> >
> > Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and the Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
>
> Here's how you can mitigate the attack in your local GPG config:
>
> Open gpg.conf in a text editor. Ensure there is no line starting with "keyserver". If there is, remove it.
> Open dirmngr.conf in a text editor. Add the line "keyserver hkps://keys.openpgp.org" to the end of it.
>
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigation...
Just to add that you can also use the keys.openpgp.org Onion Service [1]. In dirmngr.conf, add these lines:
    use-tor
    keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
And because this *new* keyserver isn't synced with the SKS pool, people will need to submit their keys, for example:
    gpg --export your_address@example.net | curl -T - https://keys.openpgp.org
After submitting your key, you will need to verify by email.
I think the Tor Browser Developers key should also be available on keys.openpgp.org.
cheers, Gus
[1] https://keys.openpgp.org/about/faq#tor
> Here's how you can check your keyring for broken keys: https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332 (You'll also need to do a sort -n and look for keys with a large number of signatures: 150,000 is the SKS limit, 100-1000 is typical.)
>
> There doesn't seem to be any easy way to fix the SKS servers themselves.
>
> T
tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
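The "sort -n and look for keys with a large number of signatures" check teor describes above, written out as a small POSIX shell script. This is an added example, not code from the thread, from the linked gist, or from the Tor Project. It parses gpg's machine-readable `--with-colons --list-sigs` output (field 1 is the record type, field 5 the key ID on `pub` and `sig` records) and counts every `sig`/`rev` record that follows a `pub` record. The 1000 threshold is an assumption taken from the thread's "100-1000 is typical" remark, and the two-key sample listing generated at the bottom is constructed so the script runs offline; it does not describe any real key.

```shell
#!/bin/sh
# Added example (not from the thread): find keys in a local keyring that carry an
# abnormal number of certification signatures, the symptom of the SKS signature
# flooding discussed above. Against a real keyring the pipeline is:
#
#   gpg --with-colons --list-sigs | count_sigs | sort -n
#   gpg --with-colons --list-sigs | count_sigs | flag_flooded 1000
#
# The threshold (1000) is an assumption based on "100-1000 is typical"; 150,000 is
# the SKS hard limit. The sample listing at the bottom is constructed for an
# offline demo and is not real gpg output.

# count_sigs: read "--with-colons --list-sigs" records on stdin and print one
# "<signature count> <key id>" line per primary key. Every "sig" and "rev" record
# up to the next "pub" belongs to the current key, so self-signatures and subkey
# binding signatures are counted too (a handful at most on a sane key).
count_sigs() {
    awk -F: '
        $1 == "pub" { if (key != "") print n, key; key = $5; n = 0 }
        $1 == "sig" || $1 == "rev" { n++ }
        END { if (key != "") print n, key }
    '
}

# flag_flooded THRESHOLD: keep only count_sigs lines whose count exceeds THRESHOLD.
flag_flooded() {
    awk -v t="$1" '$1 + 0 > t + 0'
}

# ---- constructed sample data (not real keyring output) ----

# emit_key KEYID N: print a fake pub/fpr/uid block with one self-signature
# followed by N third-party certifications from made-up signer key IDs.
emit_key() {
    keyid=$1
    n=$2
    printf 'pub:u:4096:1:%s:1500000000::::::scESC::::::23::0:\n' "$keyid"
    printf 'fpr:::::::::0123456789ABCDEF01234567%s:\n' "$keyid"
    printf 'uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.net>::::::::::0:\n'
    printf 'sig:::1:%s:1500000000::::Example User <user@example.net>:13x:::::2:\n' "$keyid"
    i=0
    while [ "$i" -lt "$n" ]; do
        printf 'sig:::1:%016X:1500000000::::[User ID not found]:10x:::::2:\n' "$i"
        i=$((i + 1))
    done
}

# gen_sample A B: a two-key keyring; key AAAA... has A certifications, BBBB... has B.
gen_sample() {
    emit_key AAAA000000000001 "$1"
    emit_key BBBB000000000002 "$2"
}

# Demo: a normal key with 3 certifications next to a flooded one with 2500.
gen_sample 3 2500 | count_sigs | sort -n
echo "--- above threshold 1000 ---"
gen_sample 3 2500 | count_sigs | flag_flooded 1000
```

The counts include the key's own self-signature (hence 4 and 2501 for the sample), which is why the threshold should sit well above the single digits a freshly generated key shows; anything in the thousands on a public key you did not collect signatures for deliberately is the flooding pattern.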