[tor-project] PSA: flood attack against OpenPGP certificates underway
teor at riseup.net
Tue Jul 2 17:34:12 UTC 2019
> On 3 Jul 2019, at 02:31, Arthur D. Edelstein <arthuredelstein at gmail.com> wrote:
> Someone pointed me to the following post by Robert J Hansen:
> Below that post, there are a couple of comments indicating that at
> least two of Tor's signing keys listed in
> have been poisoned by this attack, including the Tor Browser
> Developers key and Tor Project Archive key. We're wondering if all of
> the keys on that page have been affected. (I haven't had a chance to
> learn about this attack or how to check other keys, but I wanted to
> share this ASAP.)
Here's how you can mitigate the attack in your local GPG config:
Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
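The two config edits above, as an added Python example (not from the mail or from GnuPG itself). It treats each file as text: it drops every line that sets the `keyserver` option (leaving `keyserver-options`, which is a different setting, untouched) and pins dirmngr to `hkps://keys.openpgp.org`. It goes one step beyond the mail by also removing any other `keyserver` line already in dirmngr.conf, so an SKS pool entry is not still consulted alongside the new one. The `~/.gnupg` location and file names are the GnuPG defaults and are assumed.

```python
import re
from pathlib import Path

# The keyserver line the mail tells you to put in dirmngr.conf.
SAFE_KEYSERVER = "keyserver hkps://keys.openpgp.org"

# Matches the 'keyserver' option (optionally indented), but NOT
# 'keyserver-options', which is a separate option and is left alone.
_KEYSERVER_LINE = re.compile(r"^\s*keyserver(\s|$)")


def strip_keyserver_lines(conf_text: str) -> str:
    """Return conf_text with every 'keyserver ...' option line removed.

    Used for gpg.conf, where no keyserver line should remain.
    """
    kept = [line for line in conf_text.splitlines()
            if not _KEYSERVER_LINE.match(line)]
    return "\n".join(kept) + ("\n" if kept else "")


def pin_dirmngr_keyserver(conf_text: str) -> str:
    """Return dirmngr.conf text whose only keyserver is keys.openpgp.org.

    Existing keyserver lines (for example an SKS pool) are dropped first so
    that dirmngr does not keep pulling flooded certificates from them.
    """
    return strip_keyserver_lines(conf_text) + SAFE_KEYSERVER + "\n"


def harden_gnupg_home(gnupg_home: Path = Path.home() / ".gnupg") -> dict:
    """Apply both edits in place and report what was written.

    Assumes the default GnuPG home layout (gpg.conf, dirmngr.conf).
    dirmngr.conf is created if it does not exist yet.
    """
    results = {}
    gpg_conf = gnupg_home / "gpg.conf"
    if gpg_conf.exists():
        results["gpg.conf"] = strip_keyserver_lines(gpg_conf.read_text())
        gpg_conf.write_text(results["gpg.conf"])

    dirmngr_conf = gnupg_home / "dirmngr.conf"
    existing = dirmngr_conf.read_text() if dirmngr_conf.exists() else ""
    results["dirmngr.conf"] = pin_dirmngr_keyserver(existing)
    gnupg_home.mkdir(parents=True, exist_ok=True)
    dirmngr_conf.write_text(results["dirmngr.conf"])
    return results


if __name__ == "__main__":
    for name, text in harden_gnupg_home().items():
        print(f"--- {name} ---")
        print(text, end="")
```

Restart dirmngr afterwards (`gpgconf --kill dirmngr`) so the running daemon picks up the new file; the next `--recv-keys` or `--refresh-keys` then talks to keys.openpgp.org only.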
Here's how you can check your keyring for broken keys:
(You'll also need to do a sort -n and look for keys with a large number of
signatures: 150,000 is the SKS limit, 100-1000 is typical.)
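The keyring check the mail describes, as an added Python example (not the command from the mail, which did not survive the archive). It parses the machine-readable output of `gpg --with-colons --list-sigs`, counts the `sig`/`rev` records under each `pub` record, and sorts keys by signature count, which is what the `sort -n` step in the mail is for. The flagging threshold of 1000 is an assumption taken from the top of the 100-1000 "typical" range quoted above; the key IDs and signer names in the sample listing are constructed.

```python
import subprocess
from collections import Counter

# Keys carrying more certifications than this are reported. 1000 is the top
# of the "typical" range given in the mail; the SKS cap is 150,000.
DEFAULT_THRESHOLD = 1000


def count_signatures(colon_listing: str) -> dict:
    """Map each public key's long key ID to its number of sig/rev records.

    In --with-colons output a 'pub' record opens a key; field 5 (index 4)
    is the key ID. Every 'sig' or 'rev' record until the next 'pub'
    belongs to that key (on whichever uid or subkey it certifies).
    """
    counts = Counter()
    current = None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            counts[current] = 0
        elif fields[0] in ("sig", "rev") and current is not None:
            counts[current] += 1
    return dict(counts)


def flagged_keys(counts: dict, threshold: int = DEFAULT_THRESHOLD) -> list:
    """Return (key_id, count) pairs above threshold, largest first."""
    hits = [(k, n) for k, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


def listing_from_gpg(key_id: str = None) -> str:
    """Run gpg and return its colon-format signature listing (whole keyring
    by default). Not used by the sample below; needs gpg on PATH."""
    cmd = ["gpg", "--with-colons", "--list-sigs"]
    if key_id:
        cmd.append(key_id)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def sample_listing() -> str:
    """Constructed --with-colons output: one ordinary key with 3 sigs and
    one flooded key with 2000. Key IDs and names are made up."""
    sig = "sig:::1:%016X:1500000000::::Signer %d <s%d@example.invalid>:13x:::::2:"
    rows = [
        "pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:",
        "uid:u::::1500000000::HASH::Ordinary Key <ok@example.invalid>::::::::::0:",
    ]
    rows += [sig % (i, i, i) for i in range(3)]
    rows += [
        "pub:u:4096:1:FEDCBA9876543210:1500000000:::u:::scESC::::::23::0:",
        "uid:u::::1500000000::HASH::Flooded Key <flood@example.invalid>::::::::::0:",
    ]
    rows += [sig % (i, i, i) for i in range(2000)]
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    counts = count_signatures(sample_listing())
    for key_id, n in sorted(counts.items(), key=lambda kv: kv[1]):
        print(f"{n:>7}  {key_id}")
    for key_id, n in flagged_keys(counts):
        print(f"suspicious: {key_id} carries {n} certifications")
```

On a real keyring replace `sample_listing()` with `listing_from_gpg()`. A key that shows up near the 150,000 mark is one the attack has hit; the fix on the local side is to delete it and re-fetch it from keys.openpgp.org once the config change above is in place, since that server does not serve third-party certifications.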
There doesn't seem to be any easy way to fix the SKS servers themselves.