The PGP (SKS) net server network is under attack, and it seems pretty damn bad.
Read the post obviously. But the TL;DR is that someone is spamming the keys of certain GnuPG contributors with huge numbers of extra signature attestations, and GnuPG can’t deal with it.
The problem seems basically unfixable, and oh god, of course the reason involves unmaintained academic code written in OCaml.
This Tweet was deleted by the Tweet author.
It's a demonstration of flaws in the GPG implementation too. I've been complaining about the awful usability for ages and stopped using it for email in the past couple years, but I didn't realize that a keyring could be so trivially bricked by a maliciously crafted public key.
That's not fixed by avoiding the SKS keyservers. If someone sends me a public key, I can't import it unless I trust them not to use trivial vulnerabilities to brick my keyring. I've complained about it having too much attack surface, but didn't realize how easy it was to exploit.
This has changed my attitude towards it. I was previously willing to reluctantly deal with GPG encrypted emails by opening up a dedicated mail client for it. I'm no longer willing to do that, since I'm not going to make a separate sandbox for each person that I want to deal with.
I don't like their attitude of consistently blaming everything on users and other people. I feel that this is another case of that. I wouldn't be surprised if the attacker was a security researcher bitter about being ignored, since they targeted GPG developers' keys, not everyone's.