[tor-project] PSA: flood attack against OpenPGP certificates underway

Georg Koppen gk at torproject.org
Wed Jul 3 08:16:00 UTC 2019

> Hi, 
> On Wed, Jul 03, 2019 at 03:34:12AM +1000, teor wrote:
>> Hi,
>>> On 3 Jul 2019, at 02:31, Arthur D. Edelstein <arthuredelstein at gmail.com> wrote:
>>> Someone pointed me to the following post by Robert J Hansen:
>>> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
>>> Below that post, there are a couple of comments indicating that at
>>> least two of Tor's signing keys listed in
>>> https://2019.www.torproject.org/docs/signing-keys.html.en
>>> have been poisoned by this attack, including the Tor Browser
>>> Developers key and Tor Project Archive key. We're wondering if all of
>>> the keys on that page have been affected. (I haven't had a chance to
>>> learn about this attack or how to check other keys, but I wanted to
>>> share this ASAP.)
>> Here's how you can mitigate the attack in your local GPG config:
>> Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
>> Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
>> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations
> Just to add that you can also use keys.openpgp.org Onion Service[1].
> In dirmngr.conf add these lines:
> use-tor 
> keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
> And because this *new* keyserver isn't synced with SKS pool, people will
> need to submit their keys, for example:
> gpg --export your_address at example.net | curl -T - https://keys.openpgp.org
> After submitting your key, you will need to verify by email.
> I think Tor Browser Developers key should also be available in keys.openpgp.org.

I don't think this will work as torbrowser at torproject.org is not a
functioning email address right now.


> cheers,
> Gus
> [1] https://keys.openpgp.org/about/faq#tor
>> Here's how you can check your keyring for broken keys:
>> https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332
>> (You'll also need to do a sort -n and look for keys with a large number of
>> signatures: 150,000 is the SKS limit, 100-1000 is typical.)
>> There doesn't seem to be any easy way to fix the SKS servers themselves.
>> T
>> _______________________________________________
>> tor-project mailing list
>> tor-project at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
> _______________________________________________
> tor-project mailing list
> tor-project at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20190703/a4b95135/attachment.sig>

More information about the tor-project mailing list