[tor-project] PSA: flood attack against OpenPGP certificates underway

teor teor at riseup.net
Tue Jul 2 17:34:12 UTC 2019


> On 3 Jul 2019, at 02:31, Arthur D. Edelstein <arthuredelstein at gmail.com> wrote:
> Someone pointed me to the following post by Robert J Hansen:
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> Below that post, there are a couple of comments indicating that at
> least two of Tor's signing keys listed in
> https://2019.www.torproject.org/docs/signing-keys.html.en
> have been poisoned by this attack, including the Tor Browser
> Developers key and Tor Project Archive key. We're wondering if all of
> the keys on that page have been affected. (I haven't had a chance to
> learn about this attack or how to check other keys, but I wanted to
> share this ASAP.)

Here's how you can mitigate the attack in your local GPG config:
Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.

Here's how you can check your keyring for broken keys:
(You'll also need to do a sort -n and look for keys with a large number of
signatures: 150,000 is the SKS limit, 100-1000 is typical.)

There doesn't seem to be any easy way to fix the SKS servers themselves.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20190703/c52b212c/attachment-0001.html>

More information about the tor-project mailing list