The PGP (SKS) net server network is under attack, and it seems pretty damn bad.
Conversation
Read the post obviously. But the TL;DR is that someone is spamming the keys of certain GnuPG contributors with huge numbers of extra signature attestations, and GnuPG can’t deal with it.
5
35
74
The problem seems basically unfixable, and oh god, of course the reason involves unmaintained academic code written in OCaml.
11
47
161
This Tweet was deleted by the Tweet author. Learn more
It's a demonstration of flaws in the GPG implementation too. I've been complaining about the awful usability for ages and stopped using it for email in the past couple years, but I didn't realize that a keyring could be so trivially bricked by a maliciously crafted public key.
That's not fixed by avoiding the SKS keyservers. If someone sends me a public key, I can't import it unless I trust them not to use trivial vulnerabilities to brick my keyring. I've complained about it having too much attack surface, but didn't realize how easy it was to exploit.
1
This has changed my attitude towards it. I was previously willing to reluctantly deal with GPG encrypted emails by opening up a dedicated mail client for it. I'm no longer willing to do that, since I'm not going to make a separate sandbox for each person that I want to deal with.
1
1
Show replies
This Tweet was deleted by the Tweet author. Learn more
I need to figure out a solution for signing Git history to drop GPG completely. I could clone the Git repository and put that into a signed archive... and that would have far less attack surface since the signature could be verified before having Git deal with all the objects.
1
Show replies