gus:
> Hi,
>
> On Wed, Jul 03, 2019 at 03:34:12AM +1000, teor wrote:
>> Hi,
>>
>>> On 3 Jul 2019, at 02:31, Arthur D. Edelstein <arthuredelstein@xxxxxxxxx> wrote:
>>>
>>> Someone pointed me to the following post by Robert J Hansen:
>>> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
>>>
>>> Below that post, there are a couple of comments indicating that at
>>> least two of Tor's signing keys listed in
>>> https://2019.www.torproject.org/docs/signing-keys.html.en
>>> have been poisoned by this attack, including the Tor Browser
>>> Developers key and Tor Project Archive key. We're wondering if all of
>>> the keys on that page have been affected. (I haven't had a chance to
>>> learn about this attack or how to check other keys, but I wanted to
>>> share this ASAP.)
>>
>> Here's how you can mitigate the attack in your local GPG config:
>> Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
>> Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
>> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations
>>
>
> Just to add that you can also use keys.openpgp.org Onion Service[1].
> In dirmngr.conf add these lines:
>
> use-tor
> keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
>
> And because this *new* keyserver isn't synced with SKS pool, people will
> need to submit their keys, for example:
>
> gpg --export your_address@xxxxxxxxxxx | curl -T - https://keys.openpgp.org
>
> After submitting your key, you will need to verify by email.
>
> I think Tor Browser Developers key should also be available in keys.openpgp.org.

I don't think this will work as torbrowser@xxxxxxxxxxxxxx is not a functioning email address right now.

Georg

> cheers,
> Gus
>
> [1] https://keys.openpgp.org/about/faq#tor
>
>> Here's how you can check your keyring for broken keys:
>> https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332
>> (You'll also need to do a sort -n and look for keys with a large number of
>> signatures: 150,000 is the SKS limit, 100-1000 is typical.)
>>
>> There doesn't seem to be any easy way to fix the SKS servers themselves.
>>
>> T
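As an added example (not from the thread or any of its participants), a small POSIX shell script that automates the keyring check teor describes: it counts signatures per key in gpg's `--with-colons` listing and reports keys above a threshold, worst first. The function name, the sample listing and its key ids are constructed for illustration; the record layout follows gnupg's doc/DETAILS.

```shell
#!/bin/sh
# Flag keys in a gpg keyring that carry an abnormally large number of
# signatures (the symptom of SKS certificate flooding). Reads gpg's
# machine-readable listing on stdin, as produced by:
#   gpg --with-colons --list-sigs | flag_poisoned_keys 1000
# Record layout (pub/uid/sig, field 5 = key id, field 10 = user id)
# follows gnupg's doc/DETAILS. Prints "<sigs> <keyid> <uid>" for every
# key whose signature count exceeds the threshold, worst key first.
flag_poisoned_keys() {
  limit="${1:-1000}"   # 100-1000 signatures is typical for a real key
  awk -F: -v limit="$limit" '
    function flush() {
      if (key != "" && n > limit) printf "%d %s %s\n", n, key, uid
    }
    $1 == "pub" { flush(); key = $5; uid = ""; n = 0 }
    $1 == "uid" && uid == "" { uid = $10 }
    $1 == "sig" || $1 == "rev" { n++ }
    END { flush() }
  ' | sort -rn
}

# Constructed sample listing (placeholder key ids, not any real project
# key): Alice's key carries 2 signatures, Carol's carries 3.
demo_listing() {
  cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::DEADBEEF::Alice <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice <alice@example.org>:13x:::::2:
sig:::1:BBBBBBBBBBBBBBBB:1500000000::::Bob <bob@example.org>:10x:::::2:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::CAFEBABE::Carol <carol@example.org>::::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1500000000::::Carol <carol@example.org>:13x:::::2:
sig:::1:BBBBBBBBBBBBBBBB:1500000000::::Bob <bob@example.org>:10x:::::2:
sig:::1:DDDDDDDDDDDDDDDD:1500000000::::Dave <dave@example.org>:10x:::::2:
EOF
}

# Stand-alone demo: with a threshold of 2 only Carol's key is reported.
demo_listing | flag_poisoned_keys 2
```

On a keyring that already holds a flooded key, `gpg --list-sigs` itself can take a long time to finish, since that slowdown is exactly the effect the poisoned certificates have on gpg.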
_______________________________________________
tor-project mailing list
tor-project@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project