OpenPGP protocol developer, Daniel Kahn Gillmor, has written up what is happening with an attack against the OpenPGP's infrastructure. In recent days the SKS keyserver network has come under a particularly hard to mitigate attack which is, problematically, also difficult to resolve permanently. The problem lies with the design of that part of the infrastructure. Although replacements are available, the move has not yet happened.
Some time in the last few weeks, my OpenPGP certificate, 0xC4BC2DDB38CCE96485EBE9C2F20691179038E5C6 was flooded with bogus certifications which were uploaded to the SKS keyserver network.
SKS is known to be vulnerable to this kind of Certificate Flooding, and is difficult to address due to the synchronization mechanism of the SKS pool. (SKS's synchronization assumes that all keyservers have the same set of filters). You can see discussion about this problem from a year ago along with earlier proposals for how to mitigate it. But none of those proposals have quite come to fruition, and people are still reliant on the SKS network.
Also covered at Vice as Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem and ZDNet
Earlier on SN: Op-Ed: Why I'm Not Giving Up on PGP (2016)
An Op-Ed piece from ArsTechnica:
Every once in a while, a prominent member of the security community publishes an article about how horrible OpenPGP is. Matthew Green wrote one in 2014 and Moxie Marlinspike wrote one in 2015. The most recent was written by Filippo Valsorda, here on the pages of Ars Technica, which Matthew Green says "sums up the main reason I think PGP is so bad and dangerous."
In this article I want to respond to the points that Filippo raises. In short, Filippo is right about some of the details, but wrong about the big picture. For the record, I work on GnuPG, the most popular OpenPGP implementation.
(Score: 2) by Runaway1956 on Thursday July 04, @08:44PM
It's pretty obvious that this attack can make it impossible for a new installation to download the keys necessary to install updates and/or additional software. But, those people who have a working environment shouldn't be affected, should they? My own machine has used the same keys for a couple years, only adding one or two keys more recently. Updates for such machines aren't threatened, are they?
