[tor-project] PSA: flood attack against OpenPGP certificates underway

Matt Traudt pastly at torproject.org
Mon Jul 22 12:54:40 UTC 2019

On 7/2/19 18:31, Arthur D. Edelstein wrote:
> Hi Everyone,
> Someone pointed me to the following post by Robert J Hansen:
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> Below that post, there are a couple of comments indicating that at
> least two of Tor's signing keys listed in
> https://2019.www.torproject.org/docs/signing-keys.html.en
> have been poisoned by this attack, including the Tor Browser
> Developers key and Tor Project Archive key. We're wondering if all of
> the keys on that page have been affected. (I haven't had a chance to
> learn about this attack or how to check other keys, but I wanted to
> share this ASAP.)
> Thanks,
> Arthur

In case it's helpful, I've cleaned the Tor Browser signing key of the
poison signatures and put it up here[0] for the time being.

People[1] are attempting to download the poisoned key and experiencing
issues. The instructions[2] on Tor's website that they are following
still tell people to use the key server pool with poisoned keys. These
should probably be updated ASAP.

Let's please do something about this.


PS I figured out my GnuPG issues and how to fix them following these[3]

[0]: https://demos.traudt.xyz/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290.asc
[1]: https://redd.it/cgbza2
[2]: https://2019.www.torproject.org/docs/verifying-signatures.html.en
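Added example, not part of the thread or of any Tor Project tooling: a small Python check that parses `gpg --with-colons --list-sigs` output, counts third-party certifications per primary key, and flags keys above a threshold, so an operator can spot a flooded certificate before it stalls GnuPG. The listing below is constructed sample data (only 300 bogus signatures, not the real flood); the key ID 4E2C6E8793298290 is the long ID of the fingerprint in footnote [0], and the field positions and signature classes follow GnuPG's colon-listing format.

```python
"""Flag OpenPGP keys whose count of third-party certifications looks like a flood."""
from __future__ import annotations

# Constructed sample of `gpg --with-colons --list-sigs` output (not real keyserver data).
# Field 1 is the record type, field 5 the (signing) key ID, field 11 the signature class.
TOR_BROWSER_KEYID = "4E2C6E8793298290"  # long key ID of the fingerprint in footnote [0]
_flood = "\n".join(
    f"sig:::1:{i:016X}:1562000000::::[User ID not found]:10x:::::2:" for i in range(300)
)
SAMPLE_LISTING = f"""pub:u:4096:1:{TOR_BROWSER_KEYID}:1415045456:::u:::scESC::::::23::0:
fpr:::::::::EF6E286DDA85EA2A4BA7DE684E2C6E8793298290:
uid:u::::1415045456::0123456789ABCDEF0123456789ABCDEF01234567::Tor Browser Developers (signing key) <torbrowser at torproject.org>::::::::::0:
sig:::1:{TOR_BROWSER_KEYID}:1415045456::::Tor Browser Developers (signing key) <torbrowser at torproject.org>:13x:::::2:
{_flood}
pub:u:2048:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1500000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Example User (constructed) <example at example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Example User (constructed) <example at example.invalid>:13x:::::2:
"""


def count_third_party_certs(listing: str) -> dict[str, int]:
    """Return {primary fingerprint: number of certification sigs not made by the key itself}."""
    counts: dict[str, int] = {}
    fpr, own = None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            own, fpr = f[4], None          # new primary key; its fpr record follows
        elif f[0] == "fpr" and fpr is None and own is not None:
            fpr = f[9]
            counts[fpr] = 0
        elif f[0] == "sig" and fpr is not None:
            # classes 0x10-0x13 are user-ID certifications; self-signatures are expected
            if f[10][:2] in ("10", "11", "12", "13") and f[4] != own:
                counts[fpr] += 1
    return counts


def flooded_keys(listing: str, threshold: int = 100) -> list[str]:
    """Fingerprints carrying more third-party certifications than `threshold`."""
    return [fpr for fpr, n in count_third_party_certs(listing).items() if n > threshold]


if __name__ == "__main__":
    for fpr in flooded_keys(SAMPLE_LISTING):
        print(f"possible certificate flood on {fpr}")
```

Run it against real output with `gpg --with-colons --list-sigs | python3 check.py` style piping after replacing the constructed listing with `sys.stdin.read()`; a legitimate key rarely carries more than a few dozen certifications, so a count in the thousands is a strong signal that the copy came from a poisoned keyserver.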
