
Certificate Poisoning Attacks

This one has been flying below the radar for weeks, but it has HUGE consequences for anyone (think CERT organizations!) who relies on the Secure Key Servers (SKS) network to distribute OpenPGP public keys.

 

It's been known for about 10 years (yes, really that long) that certificate poisoning was a plausible attack. Here's what a poisoned certificate looks like. Which one of the 150,000 signatures do you know to trust? See the problem?

 

Any time GnuPG has to deal with such a spammed certificate, it grinds to a halt. It doesn't stop, per se, but it gets wedged for so long that it is, for all intents and purposes, completely unusable.

 

To say that Robert J. Hansen and Daniel Kahn Gillmor are a "little" upset about this is an understatement, because it undermines everything they have worked for. Read their GitHub response here.

 

What would you do if your "public cryptographic identity has been spammed to the point where it is unusable in standard workflows"?

 

P.S. Also read dkg's blog for the technical details.