[opensuse] There is an ongoing attack on PGP that could affect us.
Hi
What they do is sign a PGP key many thousands of times, increasing its size to megabytes. Tools like enigmail cannot cope and crash. The key servers were designed to never delete anything, but obviously this attack (on just a few keys so far) overloads the system. If it spreads, it could potentially affect packaging and distribution of upgrades.
More info: <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>
If you feel this is offtopic, just follow up on <opensuse-offtopic@opensuse.org>
--
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
02.07.2019 14:53, Carlos E. R. wrote:
Hi
What they do is sign a PGP key many thousands of times, increasing its size to megabytes. Tools like enigmail cannot cope and crash. The key servers were designed to never delete anything, but obviously this attack (on just a few keys so far) overloads the system. If it spreads, it could potentially affect packaging and distribution of upgrades.
More info: <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>
If you feel this is offtopic, just follow up on <opensuse-offtopic@opensuse.org>
I wonder if this is why I cannot start tor browser via launcher which hangs at processing PGP keys. Keyring used by launcher internally suddenly grew
$ LC_ALL=C ll .local/share/torbrowser/gnupg_homedir/pub*
-rw------- 1 bor bor 16753163 Jul 1 20:37 .local/share/torbrowser/gnupg_homedir/pubring.gpg
-rw------- 1 bor bor 153667 Jun 28 19:51 .local/share/torbrowser/gnupg_homedir/pubring.gpg~
gpg requesting key from keyserver loops like mad.
On 03/07/2019 05.32, Andrei Borzenkov wrote:
02.07.2019 14:53, Carlos E. R. wrote:
Hi
What they do is sign a PGP key many thousands of times, increasing its size to megabytes. Tools like enigmail cannot cope and crash. The key servers were designed to never delete anything, but obviously this attack (on just a few keys so far) overloads the system. If it spreads, it could potentially affect packaging and distribution of upgrades.
More info: <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>
If you feel this is offtopic, just follow up on <opensuse-offtopic@opensuse.org>
I wonder if this is why I cannot start tor browser via launcher which hangs at processing PGP keys. Keyring used by launcher internally suddenly grew
$ LC_ALL=C ll .local/share/torbrowser/gnupg_homedir/pub*
-rw------- 1 bor bor 16753163 Jul 1 20:37 .local/share/torbrowser/gnupg_homedir/pubring.gpg
-rw------- 1 bor bor 153667 Jun 28 19:51 .local/share/torbrowser/gnupg_homedir/pubring.gpg~
gpg requesting key from keyserver loops like mad.
Could be. Mine starts fast, but it is an old version.
The Spanish article I read said the attack was on two keys: Robert J. Hansen and Daniel Kahn Gillmor.
--
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
On Wed, Jul 3, 2019 at 1:37 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
I wonder if this is why I cannot start tor browser via launcher which hangs at processing PGP keys. ...
The Spanish article I read said the attack was on two keys: Robert J. Hansen and Daniel Kahn Gillmor.
https://github.com/micahflee/torbrowser-launcher/issues/400
On 03/07/2019 12.42, Andrei Borzenkov wrote:
On Wed, Jul 3, 2019 at 1:37 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
I wonder if this is why I cannot start tor browser via launcher which hangs at processing PGP keys. ...
The Spanish article I read said the attack was on two keys: Robert J. Hansen and Daniel Kahn Gillmor.
:-/
gpg: keyserver option 'verbose' is unknown
gpg: refreshing 167 keys from hkp://pgp.mit.edu
...
gpg: Total number processed: 84
gpg: unchanged: 83
gpg: new signatures: 1
gpg: marginals needed: 3 completes needed: 1 trust model: classic
gpg: depth: 0 valid: 6 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 6u
gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 1m, 1f, 0u
gpg: next trustdb check due at 2024-05-02
real 87m1,629s <====
user 0m3,166s
sys 0m0,255s
cer@Telcontar:~>
I don't remember if this is typical or not. .gnupg/pubring.gpg has the same size as before.
--
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
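A defensive check for the symptom discussed in this thread (a key bloated by thousands of signatures, a keyring that jumps to megabytes), as an added example that is not part of the original messages: it walks the OpenPGP packet headers of binary key data, such as a legacy pubring.gpg or the output of `gpg --export`, and reports keys carrying more signature packets than a threshold. The function names, the threshold of 1000 and the sample bytes are assumptions made for illustration.

```python
SIG, PUBKEY = 2, 6  # OpenPGP packet tags (RFC 4880, section 4.3)

def packets(data):
    """Yield (tag, body_length) for every packet in binary OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header (armored input?)")
        if hdr & 0x40:                      # new-format header
            tag, more, total = hdr & 0x3F, True, 0
            while more:                     # partial-length chunks may chain
                o = data[i]; more = False
                if o < 192:                 # one-octet length
                    n, i = o, i + 1
                elif o < 224:               # two-octet length
                    n, i = ((o - 192) << 8) + data[i + 1] + 192, i + 2
                elif o == 255:              # five-octet length
                    n, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
                else:                       # partial body chunk, more follow
                    n, i, more = 1 << (o & 0x1F), i + 1, True
                total += n; i += n
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:                  # indeterminate: runs to end of data
                total = len(data) - i
            else:
                size = 1 << ltype           # 1, 2 or 4 length octets
                total = int.from_bytes(data[i:i + size], "big"); i += size
            i += total
        yield tag, total

def flooded_keys(data, max_sigs=1000):
    """Return (key_index, sig_count, sig_bytes) for keys above max_sigs."""
    keys = []
    for tag, n in packets(data):
        if tag == PUBKEY:                   # a new primary key starts here
            keys.append([0, 0])
        elif tag == SIG and keys:           # signature belongs to current key
            keys[-1][0] += 1; keys[-1][1] += n
    return [(k, c, b) for k, (c, b) in enumerate(keys) if c > max_sigs]

def _pkt(tag, body):                        # builds a constructed test packet
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body

# Constructed sample: dummy bodies, only headers and lengths are meaningful.
NORMAL = _pkt(6, b"K" * 40) + _pkt(13, b"a@example.org") + _pkt(2, b"S" * 90) * 3
FLOOD = _pkt(6, b"K" * 40) + _pkt(13, b"b@example.org") + _pkt(2, b"S" * 90) * 5000
print(flooded_keys(NORMAL + FLOOD))  # [(1, 5000, 450000)]
```

Real input would be the raw bytes of the keyring file; ASCII-armored exports have to be dearmored before they are passed in.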