[tor-project] PSA: flood attack against OpenPGP certificates underway
pastly at torproject.org
Mon Jul 22 12:54:40 UTC 2019
On 7/2/19 18:31, Arthur D. Edelstein wrote:
> Hi Everyone,
> Someone pointed me to the following post by Robert J Hansen:
> Below that post, there are a couple of comments indicating that at
> least two of Tor's signing keys listed in
> have been poisoned by this attack, including the Tor Browser
> Developers key and Tor Project Archive key. We're wondering if all of
> the keys on that page have been affected. (I haven't had a chance to
> learn about this attack or how to check other keys, but I wanted to
> share this ASAP.)
In case it's helpful, I've cleaned the Tor Browser signing key of the
poison signatures and put it up here for the time being.
People are attempting to download the poisoned key and experiencing
issues. The instructions on Tor's website that they are following
still tell people to use the key server pool with poisoned keys. These
should probably be updated ASAP.
Let's please do something about this.
PS I figured out my GnuPG issues and how to fix them following these