Hi,

On Wed, Jul 03, 2019 at 03:34:12AM +1000, teor wrote:
> Hi,
>
> > On 3 Jul 2019, at 02:31, Arthur D. Edelstein <arthuredelstein@xxxxxxxxx> wrote:
> >
> > Someone pointed me to the following post by Robert J Hansen:
> > https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> >
> > Below that post, there are a couple of comments indicating that at
> > least two of Tor's signing keys listed in
> > https://2019.www.torproject.org/docs/signing-keys.html.en
> > have been poisoned by this attack, including the Tor Browser
> > Developers key and Tor Project Archive key. We're wondering if all of
> > the keys on that page have been affected. (I haven't had a chance to
> > learn about this attack or how to check other keys, but I wanted to
> > share this ASAP.)
>
> Here's how you can mitigate the attack in your local GPG config:
> Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
> Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations

Just to add that you can also use the keys.openpgp.org Onion Service[1].

In dirmngr.conf add these lines:

use-tor
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion

And because this *new* keyserver isn't synced with the SKS pool, people will need to submit their keys, for example:

gpg --export your_address@xxxxxxxxxxx | curl -T - https://keys.openpgp.org

After submitting your key, you will need to verify by email.

I think the Tor Browser Developers key should also be available in keys.openpgp.org.

cheers,
Gus

[1] https://keys.openpgp.org/about/faq#tor

> Here's how you can check your keyring for broken keys:
> https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332
> (You'll also need to do a sort -n and look for keys with a large number of
> signatures: 150,000 is the SKS limit, 100-1000 is typical.)
>
> There doesn't seem to be any easy way to fix the SKS servers themselves.
>
> T
> _______________________________________________
> tor-project mailing list
> tor-project@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
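The "sort -n and look for keys with a large number of signatures" check that teor mentions, written out as a small POSIX shell script. This is an added example and not part of the thread, the Disasm gist, or any Tor Project tooling. It reads the machine-readable output of `gpg --with-colons --list-sigs` (field 1 is the record type, field 5 the key ID), counts the signatures attached to each public key, and flags keys whose count is far above the 100-1000 that is typical for a legitimate key. The key IDs, user IDs and the 10,000 threshold (`FLOOD_THRESHOLD`, overridable from the environment) are constructed for the example; the 150,000 figure is the SKS limit quoted in the thread.

```shell
#!/bin/sh
# Detect certificate-flooded keys in a local keyring.
# Usage: gpg --with-colons --list-sigs | count_sigs_per_key | sort -n
# The SKS per-key limit is 150,000 signatures; normal keys carry 100-1000.

# Keys with at least this many signatures are reported (assumed value).
FLOOD_THRESHOLD=${FLOOD_THRESHOLD:-10000}

# Reads --with-colons records on stdin and prints "<sig count> <key id>"
# for every pub record. Signatures belong to the most recent pub record.
count_sigs_per_key() {
    awk -F: '
        $1 == "pub" { if (key != "") print n, key; key = $5; n = 0 }
        $1 == "sig" { n++ }
        END { if (key != "") print n, key }
    '
}

# Keeps only the "<count> <key id>" lines at or above FLOOD_THRESHOLD.
flag_flooded() {
    awk -v t="$FLOOD_THRESHOLD" '$1 >= t'
}

# Constructed sample listing (not real keys): one ordinary key with two
# signatures and one key carrying 12,000 signatures, as a flooded key would.
sample_listing() {
    printf 'pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:\n'
    printf 'uid:u::::1500000000::HASH::Alice (constructed) <alice@example.invalid>::::::::::0:\n'
    printf 'sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice <alice@example.invalid>:13x:::::2:\n'
    printf 'sig:::1:BBBBBBBBBBBBBBBB:1500000000::::Bob <bob@example.invalid>:10x:::::2:\n'
    printf 'pub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:::u:::scESC::::::23::0:\n'
    printf 'uid:u::::1500000000::HASH::Carol (constructed) <carol@example.invalid>::::::::::0:\n'
    awk 'BEGIN { for (i = 0; i < 12000; i++)
                 printf "sig:::1:%016X:1500000000::::flood %d:10x:::::2:\n", i, i }'
}

# Stand-alone run: inspect the real keyring when gpg is installed,
# otherwise demonstrate on the constructed sample.
if command -v gpg >/dev/null 2>&1; then
    gpg --with-colons --list-sigs 2>/dev/null | count_sigs_per_key | sort -n
else
    sample_listing | count_sigs_per_key | sort -n
fi
```

Piping the counted list through `flag_flooded` instead of `sort -n` gives only the suspicious keys; importing such a key into a keyring is what makes GnuPG slow to the point of unusability, so a flagged key is one to refresh from keys.openpgp.org rather than from the SKS pool.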