https://community.isc2.org/t5/Tech-Talk/Certificate-Poisoning-Attacks/m-p/24715#M1466 <P>This one has been flying below the radar for weeks, but has <STRONG>HUGE consequences</STRONG> for anyone (think CERT organizations!) that rely upon the&nbsp;<STRONG>Secure Key Servers (SKS) network</STRONG> to distribute <STRONG>OpenPGP&nbsp;public-keys</STRONG>.</P><P>&nbsp;</P><P>It's been known for about 10 years (yes, really that long) that certificate poisoning was a plausible attack. Here's what a poisoned certificate looks <A href="https://keyserver.escomposlinux.org/pks/lookup?search=Robert+J+Hansen&amp;op=vindex" target="_blank" rel="noopener">like</A>. Which one do you know to trust out of the 150,000 that are signed? See the problem.</P><P>&nbsp;</P><P><EM>Any time GnuPG has to deal with such a spammed certificate, GnuPG grinds to a halt. It doesn’t stop, per se, but it gets wedged for so long it is for all intents and purposes completely unusable.</EM></P><P>&nbsp;</P><P>To say that Robert J Hansen&nbsp;and&nbsp;Daniel K Gillmoor are a "little" upset with this is an understatement because it stands for everything they have worked for. Read there Github response <A href="https://gist.github.com/rjhansen" target="_blank" rel="noopener">here</A>.</P><P>&nbsp;</P><P>What would you do if your "<SPAN><EM>public cryptographic identity has been spammed to the point where it is unusable in standard workflows"?</EM></SPAN></P><P>&nbsp;</P><P><SPAN><EM>Ps. Also read <A href="https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html" target="_blank" rel="noopener">dkg's blog</A> for the technical details.</EM></SPAN></P> Mon, 09 Oct 2023 09:15:29 GMT AppDefects 2023-10-09T09:15:29Z https://community.isc2.org/t5/Tech-Talk/Certificate-Poisoning-Attacks/m-p/24715#M1466 <P>This one has been flying below the radar for weeks, but has <STRONG>HUGE consequences</STRONG> for anyone (think CERT organizations!) that rely upon the&nbsp;<STRONG>Secure Key Servers (SKS) network</STRONG> to distribute <STRONG>OpenPGP&nbsp;public-keys</STRONG>.</P><P>&nbsp;</P><P>It's been known for about 10 years (yes, really that long) that certificate poisoning was a plausible attack. Here's what a poisoned certificate looks <A href="https://keyserver.escomposlinux.org/pks/lookup?search=Robert+J+Hansen&amp;op=vindex" target="_blank" rel="noopener">like</A>. Which one do you know to trust out of the 150,000 that are signed? See the problem.</P><P>&nbsp;</P><P><EM>Any time GnuPG has to deal with such a spammed certificate, GnuPG grinds to a halt. It doesn’t stop, per se, but it gets wedged for so long it is for all intents and purposes completely unusable.</EM></P><P>&nbsp;</P><P>To say that Robert J Hansen&nbsp;and&nbsp;Daniel K Gillmoor are a "little" upset with this is an understatement because it stands for everything they have worked for. Read there Github response <A href="https://gist.github.com/rjhansen" target="_blank" rel="noopener">here</A>.</P><P>&nbsp;</P><P>What would you do if your "<SPAN><EM>public cryptographic identity has been spammed to the point where it is unusable in standard workflows"?</EM></SPAN></P><P>&nbsp;</P><P><SPAN><EM>Ps. Also read <A href="https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html" target="_blank" rel="noopener">dkg's blog</A> for the technical details.</EM></SPAN></P> Mon, 09 Oct 2023 09:15:29 GMT https://community.isc2.org/t5/Tech-Talk/Certificate-Poisoning-Attacks/m-p/24715#M1466 AppDefects 2023-10-09T09:15:29Z