Hi,
Since the Tor project uses OpenPGP and GnuPG extensively in its operations, I figured it was important to let the community know of an ongoing attack against the keyserver infrastructure and GnuPG. The longer story is available on dkg's blog here:
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
... but a summary is that at least two prominent OpenPGP users have seen their public key flooded with thousands of signatures, to the point where their keys are now completely unusable.
I recommend you consider taking the following immediate actions, either:
1. in the short term, disable automated key refreshes on your keyring (either through Parcimonie or manual scripts calling `gpg --refresh` in some other way), or;
2. switch to the new keys.openpgp.org keyserver, by setting the following in your `gpg.conf`:
keyserver hkps://keys.openpgp.org/
The first action should only be used in the short term, to allow you to evaluate your options. It might mitigate the problem (unless you somehow allow the nasty keys to enter your keyring some other way), but it will mean you will not be aware of the precious revocation certificates users post when their key is compromised, so it's not an acceptable solution in any way.
The second action has been tested as mitigating the problem, but has several downsides as well:
a. it does not store UIDs unless they are verified and asked for explicitly (workaround: keys can be shipped in-band with Autocrypt or found through other mechanisms like WKD, Web Key Discovery)
b. it does not store UID signatures at all, which will impact the web of trust (workaround: same as point a, and you should send signed keys by email anyways to verify ownership of the UID, using tools like caff, pius, gnome-keysign or monkeysign)
c. GnuPG cannot refresh keys from keys.openpgp.org (workaround: use the custom patch shipped in Debian experimental, see Debian bug #930665)
d. it does not currently receive updates from the SKS pool (workaround: upload key updates to keys.openpgp.org directly as well as the SKS pool)
Note that keys.openpgp.org has been seeded with the global SKS keyserver datastore, so it contains all the keys you would expect to be present on the latter, except they are sanitized to avoid this problem.
I encourage users to:
1. upload their keys to the keys.openpgp.org keyserver
2. either switch to keys.openpgp.org by default or carefully review their key fetching configuration to make sure it is not vulnerable to this attack
3. review dkg's article and make sure your own keys are not affected by this problem
If you have fetched a hostile key and GnuPG has become unusable, you can recover by deleting the key with:
gpg --delete-key C4BC2DDB38CCE96485EBE9C2F20691179038E5C6
Note that this may take anywhere from 20 minutes to an hour.
And then fetch dkg's key via WKD:
gpg --locate-keys dkg@fifthhorseman.net
or his website, https://dkg.fifthhorseman.net/dkg-openpgp.key.
The other known key affected by this problem is Robert J. Hansen's key, with the fingerprint "CC11BE7CBBED77B120F37B011DCBDC01B44427C7".
As far as I know, torproject.org infrastructure has not been affected in any way by this attack. We carefully monitor keys we allow in our keyring which should be sufficient to mitigate this attack.
A.
PS: to check if your key is affected *without* importing it into your keyring, you can use the following command:
FINGERPRINT=0x8DC901CE64146C048AD50FBB792152527B75921E # for example mine
KEYSERVER="http://pool.sks-keyservers.net"
URL="$KEYSERVER/pks/lookup?op=get&search=$FINGERPRINT&options=mr&fingerprint=on&exact=on"
curl -sSL "$URL" | gpg --list-packets | grep -c '^:signature packet:'
This counts the number of signatures on your key. A reasonable number is less than or around a thousand. dkg's key now has around 55 000 signatures on it, which (naturally) causes some trouble in all OpenPGP implementations.
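As an added example that is not part of anarcat's post or of GnuPG, the same signature count done directly on the binary OpenPGP packet stream (a `gpg --export` blob, or the keyserver response after `gpg --dearmor`), so a suspect key can be inspected before any command touches the keyring. SAMPLE_KEY is a constructed stand-in with 1200 bogus signatures, not a real certificate; the "around a thousand" threshold is the rule of thumb from the paragraph above.

```python
# Count OpenPGP signature packets in a binary key blob without importing it
# (RFC 4880 section 4.2 packet headers; packet bodies are skipped, not parsed).
SIGNATURE_TAG = 2  # RFC 4880 packet tag for a signature packet

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; partial/indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {i}")
        i += 1
        if ctb & 0x40:  # new format: tag in low 6 bits, 1/2/5-octet length
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length width in low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + width], "big"), i + width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body

def count_signatures(data: bytes) -> int:
    """Same count as `gpg --list-packets | grep -c '^:signature packet:'`."""
    return sum(1 for tag, _ in iter_packets(data) if tag == SIGNATURE_TAG)

def new_format_packet(tag: int, body: bytes) -> bytes:
    """Build a new-format packet with a 1- or 2-octet length (body < 8384 octets)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body

# Constructed sample (not a real certificate): an old-format public-key packet
# (tag 6), one user ID, then 1200 bogus signatures, the shape of a flooded key.
SAMPLE_KEY = (bytes([0x98, 3]) + b"key"
              + new_format_packet(13, b"user@example.org")
              + new_format_packet(SIGNATURE_TAG, b"\x04" * 300) * 1200)
```

A count well above a thousand on a key that should carry a handful of certifications is the flooding signature the thread describes; the parser stops with an error on partial-body or indeterminate lengths rather than guessing.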
Short update: I was just told that a similar problem has actually occurred with TPO infrastructure, back in February:
https://lists.torproject.org/pipermail/tor-project/2019-February/002194.html
The affected key, at that time, was the deb.torproject.org signing key, which was signed by a key with a large UID. It's a different attack, but that can be mitigated in similar ways. The good key is still available here:
https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E88...
... where signatures are also provided so that you do not have to use the key from the keyservers. The key is also available on keys.openpgp.org.
A.
Hi Everyone,
Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Thanks, Arthur
On Fri, Jun 28, 2019 at 12:44 PM Antoine Beaupré anarcat@torproject.org wrote:
Short update: I was just told that a similar problem has actually occurred with TPO infrastructure, back in February:
https://lists.torproject.org/pipermail/tor-project/2019-February/002194.html
The affected key, at that time, was the deb.torproject.org signing key, which was signed by a key with a large UID. It's a different attack, but that can be mitigated in similar ways. The good key is still available here:
https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E88...
... where signatures are also provided so that you do not have to use the key from the keyservers. The key is also available on keys.openpgp.org.
A.
Antoine Beaupré
torproject.org system administration
_______________________________________________
tor-project mailing list
tor-project@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
Hi,
On 3 Jul 2019, at 02:31, Arthur D. Edelstein arthuredelstein@gmail.com wrote:
Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Here's how you can mitigate the attack in your local GPG config:
1. Open gpg.conf in a text editor.
2. Ensure there is no line starting with keyserver. If there is, remove it.
3. Open dirmngr.conf in a text editor.
4. Add the line keyserver hkps://keys.openpgp.org to the end of it.
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigation...
Here's how you can check your keyring for broken keys: https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332 (You'll also need to do a sort -n and look for keys with a large number of signatures: 150,000 is the SKS limit, 100-1000 is typical.)
There doesn't seem to be any easy way to fix the SKS servers themselves.
T
Hi,
On Wed, Jul 03, 2019 at 03:34:12AM +1000, teor wrote:
Hi,
On 3 Jul 2019, at 02:31, Arthur D. Edelstein arthuredelstein@gmail.com wrote:
Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Here's how you can mitigate the attack in your local GPG config:
1. Open gpg.conf in a text editor.
2. Ensure there is no line starting with keyserver. If there is, remove it.
3. Open dirmngr.conf in a text editor.
4. Add the line keyserver hkps://keys.openpgp.org to the end of it.
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigation...
Just to add that you can also use keys.openpgp.org Onion Service[1]. In dirmngr.conf add these lines:
use-tor
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
And because this *new* keyserver isn't synced with SKS pool, people will need to submit their keys, for example:
gpg --export your_address@example.net | curl -T - https://keys.openpgp.org
After submitting your key, you will need to verify by email.
I think Tor Browser Developers key should also be available in keys.openpgp.org.
cheers, Gus
[1] https://keys.openpgp.org/about/faq#tor
Here's how you can check your keyring for broken keys: https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332 (You'll also need to do a sort -n and look for keys with a large number of signatures: 150,000 is the SKS limit, 100-1000 is typical.)
There doesn't seem to be any easy way to fix the SKS servers themselves.
T
gus:
Hi,
On Wed, Jul 03, 2019 at 03:34:12AM +1000, teor wrote:
Hi,
On 3 Jul 2019, at 02:31, Arthur D. Edelstein arthuredelstein@gmail.com wrote:
Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Here's how you can mitigate the attack in your local GPG config:
1. Open gpg.conf in a text editor.
2. Ensure there is no line starting with keyserver. If there is, remove it.
3. Open dirmngr.conf in a text editor.
4. Add the line keyserver hkps://keys.openpgp.org to the end of it.
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigation...
Just to add that you can also use keys.openpgp.org Onion Service[1]. In dirmngr.conf add these lines:
use-tor
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
And because this *new* keyserver isn't synced with SKS pool, people will need to submit their keys, for example:
gpg --export your_address@example.net | curl -T - https://keys.openpgp.org
After submitting your key, you will need to verify by email.
I think Tor Browser Developers key should also be available in keys.openpgp.org.
I don't think this will work as torbrowser@torproject.org is not a functioning email address right now.
Georg
cheers, Gus
[1] https://keys.openpgp.org/about/faq#tor
Here's how you can check your keyring for broken keys: https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332 (You'll also need to do a sort -n and look for keys with a large number of signatures: 150,000 is the SKS limit, 100-1000 is typical.)
There doesn't seem to be any easy way to fix the SKS servers themselves.
T
On 7/2/19 18:31, Arthur D. Edelstein wrote:
Hi Everyone,
Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Thanks, Arthur
In case it's helpful, I've cleaned the Tor Browser signing key of the poison signatures and put it up here[0] for the time being.
People[1] are attempting to download the poisoned key and experiencing issues. The instructions[2] on Tor's website that they are following still tell people to use the key server pool with poisoned keys. These should probably be updated ASAP.
Let's please do something about this.
Matt
PS I figured out my GnuPG issues and how to fix them following these[3] instructions.
[0]: https://demos.traudt.xyz/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290.asc
[1]: https://redd.it/cgbza2
[2]: https://2019.www.torproject.org/docs/verifying-signatures.html.en
[3]: https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certific...
On 2019-07-22 14:54:40, Matt Traudt wrote:
On 7/2/19 18:31, Arthur D. Edelstein wrote:
Hi Everyone,
Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Thanks, Arthur
In case it's helpful, I've cleaned the Tor Browser signing key of the poison signatures and put it up here[0] for the time being.
People[1] are attempting to download the poisoned key and experiencing issues. The instructions[2] on Tor's website that they are following still tell people to use the key server pool with poisoned keys. These should probably be updated ASAP.
Let's please do something about this.
A few things...
We are now aware of the poisoned key and have remediated the problem, the details being in Trac ticket #31168:
https://trac.torproject.org/projects/tor/ticket/31168
weasel deployed WKD, a standard way to discover keys outside of the normal keyserver infrastructure. We have also added the TBB signing key to WKD so that keys can be discovered there. The documentation on the support website has been updated accordingly:
https://support.torproject.org/tbb/how-to-verify-signature/
For users not having access to a WKD implementation, you can just fetch the key at the following URL as well:
https://openpgpkey.torproject.org/.well-known/openpgpkey/hu/kounek7zrdx745qy...
The 2019.torproject.org website is archived and will not be changed. Hopefully it will drop out of existence progressively as we remove all links to it. We're also considering un-indexing it from search engines, see #31225 for this:
https://trac.torproject.org/projects/tor/ticket/31225
I hope that covers it. If anyone finds more instances of bad instructions on the website (referring to keyservers instead of WKD), please do let us know.
A.
One more and hopefully last update on this front...
I collected people's comments from this thread and everything I know about the topic in a new blog post here:
https://anarc.at/blog/2019-07-30-pgp-flooding-attacks/
I hope that about covers it all. Feedback on the topic is of course appreciated, either here or as comments on the blog.
Have a nice day!