* Carlos E. R. <robin.listas@telefonica.net> [01-23-23 13:23]:
On 2023-01-23 19:12, Per Jessen wrote:
Carlos E. R. wrote:
So, all PGP servers I know are broken, which is what I said.
You did?
Well, not being much of a PGP user, I can't add much - maybe look for some new servers? I think the German c't magazine has one, for instance.
No, it is a known issue. There was an attack on them some years back, filling them up to capacity with garbage data. Data that by design can not be deleted.
<https://threatpost.com/pgp-ecosystem-targeted-in-poisoning-attacks/146240/>
5 Jul 2019
«PGP Ecosystem Targeted in ‘Poisoning’ Attacks
Two researchers are being singled out in what are called PGP poisoning or flood attacks that render the authentication tool unusable for victims.
A long-feared attack vector used against Pretty Good Privacy, the framework used to authenticate and keep email messages private, is being exploited for the first time. The attack, which takes aim at keyserver verification directories, makes it impossible for Pretty Good Privacy (PGP) to work properly for those targeted in attacks.
Unknown adversaries have singled out two recognized experts in the field of OpenPGP email encryption, Robert Hansen and Daniel Gillmor, in a series of targeted attacks. OpenPGP refers to the standard that uses the cryptographic privacy and authentication program PGP.
“In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community… This attack exploited a defect in the OpenPGP protocol itself in order to ‘poison’ [Hansen] and [Gillmor’s] OpenPGP certificates,” wrote Hansen in a technical description of the attacks.»
<https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>
<https://www.rossde.com/PGP/pgp_keyserv.html>
«NOTE WELL: Many key servers have stopped synchronizing with each other because of hostile attacks. These attacks involve uploading fraudulent public keys and valid public keys with fraudulent signatures. There might even be cause to reject using key servers at all. For details, see SKS Keyserver Network Under Attack.
In checking my own public keys on various key servers, I now see unknown signatures. In many cases, the public key of the signer is NOT on the server.
The best protection against injury from a fraudulent public key is to practice what is described in the Web of Trust. After all, few key servers authenticate the public keys uploaded to them. Instead, they accept all uploads. Thus, a user must separately authenticate any public key obtained from a key server.»
-> <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>
SKS Keyserver Network Under Attack
So the only thing people can do is share their keys manually, attaching them to email.
ah, great! more worthless electrons :(
--
Cheers / Saludos,
Carlos E. R.
(from Elesar, using openSUSE Leap 15.4)
--
(paka)Patrick Shanahan    Plainfield, Indiana, USA    @ptilopteri
http://en.opensuse.org    openSUSE Community Member
facebook/ptilopteri    Photos: http://wahoo.no-ip.org/piwigo
paka @ IRCnet oftc
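The certificate flooding described in the quoted Threatpost article and in Hansen's gist works by attaching tens of thousands of third-party certifications (signatures over a user ID by other keys) to a victim's OpenPGP certificate; the SKS network keeps them forever, and a client that imports the whole thing can choke. The following is an added example, not code from this thread, from the articles it cites, or from GnuPG: a minimal RFC 4880 packet parser that counts a certificate's own signatures versus third-party certifications and strips the latter, which is what GnuPG's `self-sigs-only` import option does. All function names (`parse_packets`, `analyze_certificate`, `self_sigs_only`, `build_sample_certificate`) are this example's own; the sample certificate is constructed inline with placeholder key material and is not a real key. It expects binary (non-armored) input, such as the output of `gpg --export KEYID`.

```python
"""Added example (not code from the thread or from GnuPG): count and strip the third-party
certifications that certificate flooding piles onto an OpenPGP key. The sample key below
is constructed for the demo and is not a real key."""
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, SUBPKT_CREATION, SUBPKT_ISSUER = 2, 6, 13, 2, 16


def _length(data, pos, two_octet_below):
    """Variable-length field -> (length, next_pos, is_partial). Packet headers use the
    two-octet form below 224 (RFC 4880 4.2.2), signature subpackets below 255 (5.2.3.1)."""
    b0 = data[pos]
    if b0 < 192:
        return b0, pos + 1, False
    if b0 < two_octet_below:
        return ((b0 - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if b0 == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (b0 & 0x1F), pos + 1, True  # partial body length; more chunks follow


def parse_packets(data):
    """Yield (tag, body, raw_bytes) for every packet, old- or new-format header."""
    pos, end = 0, len(data)
    while pos < end:
        start, ctb = pos, data[pos]
        if not ctb & 0x80: raise ValueError("not an OpenPGP packet header at offset %d" % start)
        if ctb & 0x40:                          # new-format header
            tag, body, partial, pos = ctb & 0x3F, b"", True, pos + 1
            while partial:
                length, pos, partial = _length(data, pos, 224)
                body, pos = body + data[pos:pos + length], pos + length
        else:                                   # old-format header (what gpg --export emits)
            tag, size, pos = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03], pos + 1
            length = int.from_bytes(data[pos:pos + size], "big") if size else end - pos
            body, pos = data[pos + size:pos + size + length], pos + size + length
        yield tag, body, data[start:pos]


def v4_key_id(pubkey_body):
    """Low 64 bits of the v4 fingerprint: SHA-1 over 0x99, 2-octet length, key body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()[-8:]


def signature_info(body):
    """Return (signature type, issuer key ID or None) from a v4 signature packet."""
    if body[0] != 4: raise ValueError("only v4 signatures are handled")
    sigtype, pos, issuer = body[1], 4, None
    for _ in range(2):                          # hashed area, then unhashed area
        pos, area_end = pos + 2, pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        while pos < area_end:
            length, pos, _partial = _length(body, pos, 255)
            if body[pos] & 0x7F == SUBPKT_ISSUER and issuer is None:  # top bit = critical flag
                issuer = body[pos + 1:pos + length]
            pos += length
        pos = area_end
    return sigtype, issuer


def _walk(cert):
    """Yield (tag, raw, third_party): a user-ID certification (0x10..0x13) not by the primary key."""
    primary = None
    for tag, body, raw in parse_packets(cert):
        if tag == TAG_PUBLIC_KEY:
            primary = v4_key_id(body)
        sigtype, issuer = signature_info(body) if tag == TAG_SIGNATURE else (None, None)
        yield tag, raw, sigtype is not None and 0x10 <= sigtype <= 0x13 and issuer != primary


def analyze_certificate(cert):
    """Count signatures made by the key itself versus third-party certifications."""
    stats = {"own_sigs": 0, "third_party_sigs": 0}
    for tag, _, third_party in _walk(cert):
        if tag == TAG_SIGNATURE:
            stats["third_party_sigs" if third_party else "own_sigs"] += 1
    return stats


def self_sigs_only(cert):
    """Drop every third-party certification (what gpg's self-sigs-only import option does)."""
    return b"".join(raw for _, raw, third_party in _walk(cert) if not third_party)


def _old_packet(tag, body):  # old-format header with a two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def _mpi(value):  # multiprecision integer: 2-octet bit count, then big-endian magnitude
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _certification(sigtype, issuer_key_id, created):  # v4 signature with placeholder hash/MPI
    hashed = bytes([5, SUBPKT_CREATION]) + created
    unhashed = bytes([9, SUBPKT_ISSUER]) + issuer_key_id
    body = (bytes([4, sigtype, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + _mpi(1))
    return _old_packet(TAG_SIGNATURE, body)


def build_sample_certificate(third_party_count):
    """Constructed input: toy RSA primary key (not real), one user ID, one self-cert, N spam certs."""
    created = struct.pack(">I", 1561939200)     # 2019-07-01, around the time of the attack
    pubkey = b"\x04" + created + b"\x01" + _mpi((1 << 2047) | 0xC0FFEE) + _mpi(65537)
    cert = _old_packet(TAG_PUBLIC_KEY, pubkey) + _old_packet(TAG_USER_ID, b"User <user@example.org>")
    cert += _certification(0x13, v4_key_id(pubkey), created)
    for i in range(third_party_count):          # every spam signer gets a distinct fake key ID
        cert += _certification(0x10, struct.pack(">Q", 0xDEAD000000000000 + i), created)
    return cert
```

Running `analyze_certificate` on a certificate pulled from a keyserver tells you whether it has been flooded before you hand it to `gpg --import`; `self_sigs_only` produces the same result as GnuPG's `self-sigs-only` import option, which GnuPG applies to keyserver fetches by default since 2.2.17. The trade-off is the one the rossde.com quote points at: stripping third-party certifications discards the web-of-trust signatures along with the spam, so the key still has to be verified out of band (fingerprint over another channel, or the key attached to mail from its owner, as the thread suggests).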