Hey everyone,
As some of you may have read:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f and https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
or other media reports about vulnerabilities of the current gpg keyserver software/network/policy.
TLDR: Someone can (and has been) flooding sks keyservers with poisoned certs. Users that download from sks keyservers may well find gpg just stops working, hangs, or breaks in terrible ways. The SKS software is no longer maintained and because the policy is 'never delete anything' there's likely no way to mitigate the attacks.
I've cc'ed nb here for his take on things, but as I read it, it might be best to just retire the keys.fedoraproject.org service at least for now to avoid breaking users or telling them we have a service they should trust when they really... should not.
Thoughts?
kevin
El mar., 2 jul. 2019 a las 18:48, Kevin Fenzi (kevin@scrye.com) escribió:
Hey everyone,
As some of you may have read:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f and https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
or other media reports about vulnerabilities of the current gpg keyserver software/network/policy.
TLDR: Someone can (and has been) flooding sks keyservers with poisoned certs. Users that download from sks keyservers may well find gpg just stops working, hangs, or breaks in terrible ways. The SKS software is no longer maintained and because the policy is 'never delete anything' there's likely no way to mitigate the attacks.
I've cc'ed nb here for his take on things, but as I read it, it might be best to just retire the keys.fedoraproject.org service at least for now to avoid breaking users or telling them we have a service they should trust when they really... should not.
Thoughts?
kevin
infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedorapro...
Hello Kevin, I agree with you about shutting down `keys.fedoraproject.org`. Seems SKS (the software used by the keyservers) will be not safe to use until someone (smart and who code OCaml and who understands the algorithm) can address this problem.
As it says here: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigation... "... At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately...."
So +1 to turn it off. Best, Emiliano.
-- iex(1)> [104, 116, 116, 112, 58, 47, 47, 103, 105, 116, 104, 117, 98, 46, 99 , 111, 109, 47, 101, 100, 118, 109]
+1 to turning it off as well.
I hope it can be fixed or an alternative created, but best to not have Fedora users experience any issues due to the issue.
Charles
On Tue, Jul 02, 2019 at 02:47:36PM -0700, Kevin Fenzi wrote:
Hey everyone,
As some of you may have read:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f and https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
or other media reports about vulnerabilities of the current gpg keyserver software/network/policy.
TLDR: Someone can (and has been) flooding sks keyservers with poisoned certs. Users that download from sks keyservers may well find gpg just stops working, hangs, or breaks in terrible ways. The SKS software is no longer maintained and because the policy is 'never delete anything' there's likely no way to mitigate the attacks.
I've cc'ed nb here for his take on things, but as I read it, it might be best to just retire the keys.fedoraproject.org service at least for now to avoid breaking users or telling them we have a service they should trust when they really... should not.
Having read this, +1 to decommission this service. This is quite saddening though :(
I'd to hear nb's opinion on this but I think we may want to announce our intent and turn it off somewhat soon.
Pierre
On Fri, Jul 5, 2019 at 11:15 AM Pierre-Yves Chibon pingou@pingoured.fr wrote:
On Tue, Jul 02, 2019 at 02:47:36PM -0700, Kevin Fenzi wrote:
Hey everyone,
As some of you may have read:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f and https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
or other media reports about vulnerabilities of the current gpg keyserver software/network/policy.
TLDR: Someone can (and has been) flooding sks keyservers with poisoned certs. Users that download from sks keyservers may well find gpg just stops working, hangs, or breaks in terrible ways. The SKS software is no longer maintained and because the policy is 'never delete anything' there's likely no way to mitigate the attacks.
I've cc'ed nb here for his take on things, but as I read it, it might be best to just retire the keys.fedoraproject.org service at least for now to avoid breaking users or telling them we have a service they should trust when they really... should not.
Having read this, +1 to decommission this service. This is quite saddening though :(
I'd to hear nb's opinion on this but I think we may want to announce our intent and turn it off somewhat soon.
As someone who relies on keys.fedoraproject.org quite a lot, I'm sad that we have to decommission it...
If we ever brought it back, we'd probably want to configure the server to not be part of the SKS server ring...
-- 真実はいつも一つ!/ Always, there's only one truth!
infrastructure@lists.fedoraproject.org