SoylentNews is people
SoylentNews
OpenPGP protocol developer, Daniel Kahn Gillmor, has written up what is happening with an attack against the OpenPGP's infrastructure. In recent days the SKS keyserver network has come under a particularly hard to mitigate attack which is, problematically, also difficult to resolve permanently. The problem lies with the design of that part of the infrastructure. Although replacements are available, the move has not yet happened.
Some time in the last few weeks, my OpenPGP certificate, 0xC4BC2DDB38CCE96485EBE9C2F20691179038E5C6 was flooded with bogus certifications which were uploaded to the SKS keyserver network.
SKS is known to be vulnerable to this kind of Certificate Flooding, and is difficult to address due to the synchronization mechanism of the SKS pool. (SKS's synchronization assumes that all keyservers have the same set of filters). You can see discussion about this problem from a year ago along with earlier proposals for how to mitigate it. But none of those proposals have quite come to fruition, and people are still reliant on the SKS network.
Also covered at Vice as Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem and ZDNet
Earlier on SN: Op-Ed: Why I'm Not Giving Up on PGP (2016)
(Score: 4, Informative) by vux984 on Thursday July 04 2019, @09:12PM
If they refresh/resync the certificates to get updated CRL (certificate revocation lists) etc then potentially that would fail. Depending on how well/poorly it copes with that failure, it may abort the process or it may continue on with the original certificates; or it may hang for hours processing these flooded keys... it sounds like enigmail for example is unusable trying to work with these flooded certs.
This could potentially allow information about revoked certificates to fail to get propagated which also represents a security risk.