[tor-project] PSA: flood attack against OpenPGP certificates underway
gus at torproject.org
Wed Jul 3 03:09:09 UTC 2019
On Wed, Jul 03, 2019 at 03:34:12AM +1000, teor wrote:
> > On 3 Jul 2019, at 02:31, Arthur D. Edelstein <arthuredelstein at gmail.com> wrote:
> > Someone pointed me to the following post by Robert J Hansen:
> > https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> > Below that post, there are a couple of comments indicating that at
> > least two of Tor's signing keys listed in
> > https://2019.www.torproject.org/docs/signing-keys.html.en
> > have been poisoned by this attack, including the Tor Browser
> > Developers key and Tor Project Archive key. We're wondering if all of
> > the keys on that page have been affected. (I haven't had a chance to
> > learn about this attack or how to check other keys, but I wanted to
> > share this ASAP.)
> Here's how you can mitigate the attack in your local GPG config:
> Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
> Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
Just to add that you can also use the keys.openpgp.org Onion Service.
In dirmngr.conf add these lines:
And because this *new* keyserver isn't synced with the SKS pool, people will
need to submit their keys, for example:
gpg --export your_address@example.net | curl -T - https://keys.openpgp.org
After submitting your key, you will need to verify by email.
I think the Tor Browser Developers key should also be available on keys.openpgp.org.
> Here's how you can check your keyring for broken keys:
> (You'll also need to do a sort -n and look for keys with a large number of
> signatures: 150,000 is the SKS limit, 100-1000 is typical.)
> There doesn't seem to be any easy way to fix the SKS servers themselves.
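The "sort -n and look for keys with a large number of signatures" check teor describes, as an added shell example that is not from this thread: it parses the colon-format listing that `gpg --with-colons --list-sigs` prints, counts certifications per primary key and flags any key above a threshold. The key IDs in the sample and the 5000 threshold are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Counts certifications per primary key in
# gpg's colon-format listing so flooded certificates stand out
# (100-1000 is typical; 150,000 is the SKS limit).
# Real use:  gpg --with-colons --list-sigs | flag_flooded 5000

# Print "<sig count> <long key id>" per primary key, ascending by count.
# In colon format field 1 is the record type and field 5 the long key ID;
# "sig"/"rev" records that follow a "pub" record belong to that key.
count_sigs() {
  awk -F: '
    $1 == "pub"                { key = $5; n[key] += 0 }
    $1 == "sig" || $1 == "rev" { n[key]++ }
    END { for (k in n) print n[k], k }
  ' | sort -n
}

# Print the key IDs whose count exceeds the threshold (default 5000, an assumption).
flag_flooded() {
  count_sigs | awk -v t="${1:-5000}" '$1 > t { print $2 }'
}

# Constructed sample listing: two placeholder keys, the second carrying $1 bogus
# third-party certifications. Key IDs are fake; timestamps are arbitrary.
gen_sample() {
  printf 'pub:u:4096:1:0000000000000001:1500000000::::::scESC::::::::::0:\n'
  printf 'uid:u::::1500000000::H1::Example One <one@example.net>::::::::::0:\n'
  printf 'sig:::1:0000000000000001:1500000000::::Example One <one@example.net>:13x::::::2:\n'
  printf 'pub:u:4096:1:0000000000000002:1500000000::::::scESC::::::::::0:\n'
  printf 'uid:u::::1500000000::H2::Example Two <two@example.net>::::::::::0:\n'
  printf 'sig:::1:0000000000000002:1500000000::::Example Two <two@example.net>:13x::::::2:\n'
  i=0
  while [ "$i" -lt "$1" ]; do
    # certifications from signer IDs that are not in the keyring, as a flood attaches
    printf 'sig:::1:%016X:1500000001::::[User ID not found]:10x::::::2:\n' "$i"
    i=$((i + 1))
  done
}

# Demo: the key with 6000 attached certifications is flagged; the other is not.
gen_sample 6000 | flag_flooded 5000
```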