Daniel Micay on Twitter: "https://t.co/lFy3JDPnud GPG's entire keyring and trust model is awful, far beyond this issue. As a whole, the software is overly complex with far too much attack surface and poor usability. Even using it for something as simple as verifying a file with a specific key is arcane." / Twitter

twitter.com/mjg59/status/1 GPG's entire keyring and trust model is awful, far beyond this issue. As a whole, the software is overly complex with far too much attack surface and poor usability. Even using it for something as simple as verifying a file with a specific key is arcane.

Quote Tweet

Matthew Garrett

@mjg59

Jun 29, 2019

This (from gist.github.com/rjhansen/67ab9) is just genuinely awful. There is nothing new about this attack. It demonstrated nothing unexpected. The time to tell people to stop using infrastructure is the moment you know it's vulnerable, not after someone's taken advantage of it.

Text reading "At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately."

read image description

ALT

8:40 PM · Jun 29, 2019Twitter Web Client

Replying to

Raised that issue with SKS community a few times (bitbucket.org/skskeyserver/s, gitlab.com/yegortimoshenk), along with a few others, including trivial DoS and ability to add arbitrary information like UIDs or revocations to their web UI since none of it is cryptographically verified.

Replying to

and

Ended up getting legal threats off-list to my email address for full disclosure, nothing has been fixed year in, SKS maintainer believes that displaying users invalid data isn't a problem, since they should verify all of this on their computer anyway (!): bitbucket.org/skskeyserver/s

Show replies

Conversation