PSA: flood attack against OpenPGP certificates underway
Hi, Since the Tor project uses OpenPGP and GnuPG extensively in its operations, I figured it was important to let the community know of an ongoing attack against the keyserver infrastructure and GnuPG. The longer story is available on dkg's blog here: https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html ... but a summary is that at least two prominent OpenPGP users have seen their public key flooded with thousands of signatures, to the point where their keys are now completely unusable. I recommend you consider taking the following immediate actions, either: 1. in the short term, disable automated key refreshes on your keyring (either through Parcimonie or manual scripts calling `gpg --refresh` in some other way), or; 2. switch to the new keys.openpgp.org keyserver, by setting the following in your `gpg.conf`: keyserver hkps://keys.openpgp.org/ The first action should only be used in the short term, to allow you to evaluate your options. It might mitigate the problem (unless you somehow allow the nasty keys to enter your keyring some other way), but it will mean you will not be aware of the precious revocation certificates users post when their key is compromised, so it's not an acceptable solution in any way. The second action has been tested as mitigating the problem, but has several downsides as well: a. it does not store UIDs unless they are verified and asked for explicitly (workaround: keys can be shipped in-band with Autocrypt or found through other mechanisms like WKD, Web Key Discovery) b. it does not store UID signatures at all, which will impact the web of trust (workaround: same as point a, and you should send signed keys by email anyways to verify ownership of the UID, using tools like caff, pius, gnome-keysign or monkeysign) c. GnuPG cannot read refresh keys from keys.openpgp.org (workaround: use the custom patch shipped in Debian experimental, see Debian bug #930665) d. it does not currently receive updates from the SKS pool (workaround: upload key updates to keys.openpgp.org directly as well as the SKS pool) Note that keys.openpgp.org has been seeded with the global SKS keyserver datastore, so it contains all the keys you would expect to be present on the latter, except they are sanitized to avoid this problem. I encourage users to: 1. upload their keys to the keys.openpgp.org keyserver 2. either switch to keys.openpgp.org by default or carefully review their key fetching configuration to make sure it is not vulnerable to this attack 3. review dkg's article and make sure your own keys are not affected by this problem If you have fetched an hostile key and GnuPG has become unusable, you can recover by deleting the key with: gpg --delete-key C4BC2DDB38CCE96485EBE9C2F20691179038E5C6 Note that this may take anywhere from 20 minutes to an hour. And then fetch dkg's key via WKD: gpg --locate-keys dkg@fifthhorseman.net or his website, <https://dkg.fifthhorseman.net/dkg-openpgp.key>. The other known key affected by this problem is Robert J, Hansen's key, with the fingerprint "CC11BE7CBBED77B120F37B011DCBDC01B44427C7". As far as I know, torproject.org infrastructure has not been affected in any way by this attack. We carefully monitor keys we allow in our keyring which should be sufficient to mitigate this attack. A. PS: to check if your key is affected *without* importing it into your keyring, you can use the following command: FINGERPRINT=0x8DC901CE64146C048AD50FBB792152527B75921E # for example mine KEYSERVER="http://pool.sks-keyservers.net/" URL="$KEYSERVER/pks/lookup?op=get&search=$FINGERPRINT&options=mr&fingerprint=on&exact=on" curl -sSL "$URL"| gpg --list-packets | grep -c '^:signature packet:' This counts the number of signatures on your key. A reasonable number is less or around a thousand. dkg's key has now around 55 000 signatures on his key, which (naturally) causes some trouble in all OpenPGP implementations. -- Antoine Beaupré torproject.org system administration
Short update: I was just told that a similar problem has actually occurred with TPO infrastructure, back in February: https://lists.torproject.org/pipermail/tor-project/2019-February/002194.html The affected key, at that time, was the deb.torproject.org signing key, which was signed by a key with a large UID. It's a different attack, but that can be mitigated in similar ways. The good key is still available here: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E88... ... where signatures are also provided so that you do not have to use the key from the keyservers. The key is also available on keys.openpgp.org. A. -- Antoine Beaupré torproject.org system administration
Hi Everyone, Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.) Thanks, Arthur On Fri, Jun 28, 2019 at 12:44 PM Antoine Beaupré <anarcat@torproject.org> wrote:
Hi,
Here's how you can mitigate the attack in your local GPG config: Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it. Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it. https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigation... Here's how you can check your keyring for broken keys: https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332 (You'll also need to do a sort -n and look for keys with a large number of signatures: 150,000 is the SKS limit, 100-1000 is typical.) There doesn't seem to be any easy way to fix the SKS servers themselves. T
Hi, On Wed, Jul 03, 2019 at 03:34:12AM +1000, teor wrote:
Just to add that you can also use keys.openpgp.org Onion Service[1]. In dirmngr.conf add these lines: use-tor keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion And because this *new* keyserver isn't synced with SKS pool, people will need to submit their keys, for example: gpg --export your_address@example.net | curl -T - https://keys.openpgp.org After submitting your key, you will need to verify by email. I think Tor Browser Developers key should also be available in keys.openpgp.org. cheers, Gus [1] https://keys.openpgp.org/about/faq#tor
On 7/2/19 18:31, Arthur D. Edelstein wrote:
In case it's helpful, I've cleaned the Tor Browser signing key of the poison signatures and put it up here[0] for the time being. People[1] are attempting to download the poisoned key and experiencing issues. The instructions[2] on Tor's website that they are following still tells people to use the key server pool with poisoned keys. These should probably be updated ASAP. Let's please do something about this. Matt PS I figured out my GnuPG issues and how to fix them following these[3] instructions. [0]: https://demos.traudt.xyz/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290.asc [1]: https://redd.it/cgbza2 [2]: https://2019.www.torproject.org/docs/verifying-signatures.html.en [3]: https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certific...
On 2019-07-22 14:54:40, Matt Traudt wrote:
A few things... We are now aware of the poisoned key and have remediated the problem, the details being in Trac ticket #31168: https://trac.torproject.org/projects/tor/ticket/31168 weasel deployed WKD, a standard way discover keys outside of the normal keyserver infrastructure. We have also added the TBB signing key to WKD so that keys can be discovered there. The documentation on the support website has been updated accordingly: https://support.torproject.org/tbb/how-to-verify-signature/ For users not having access to a WKD implementation, you can just fetch the key at the following URL as well: https://openpgpkey.torproject.org/.well-known/openpgpkey/hu/kounek7zrdx745qy... The 2019.torproject.org website is archived and will not be changed. Hopefully it will drop out of existence progressively as we remove all links to it. We're also considering un-indexing it from search engines, see #31225 for this: https://trac.torproject.org/projects/tor/ticket/31225 I hope that covers it. If anyone finds more instances of bad instructions on the website (refering to keyservers instead of WKD), please do let us know. A. -- Antoine Beaupré torproject.org system administration
One more and hopefully last update on this front... I collected people's comments from this thread and everything I know about the topic in a new blog post here: https://anarc.at/blog/2019-07-30-pgp-flooding-attacks/ I hope that about covers it all. Feedback on the topic is of course appreciated, either here or as comments on the blog. Have a nice day! -- Antoine Beaupré torproject.org system administration
participants (6)
-
Antoine Beaupré -
Arthur D. Edelstein -
Georg Koppen -
gus -
Matt Traudt -
teor