My attempt to understand this - please correct liberally
Things I know today that I did not know yesterday
- The GnuPG (GPG) ecosystem seems to suffer from pre-Heartbleed-OpenSSL levels of not enough investment and people
- The GPG ecosystem has a trivial DoS attack that can be mounted against it, with bad actors able to append thousands of keys to any user's "account", effectively making it impossible to read that account, thus making anything signed by that account impossible to verify
- This may or may not mean that major distributions' binary packages will simply stop being verifiable - it depends on who uses what key server in what chain of trust. We probably won't find out till more bad actors poison more wells
- This has been "well known" for some time but the solution is not obvious
- It seems that this is the reason Keybase works like it does: if a user simply attests that key X is theirs in a second channel you can trust that as much as you trust the channel. If a key server is the only channel and for reasons will not delete the 150,000 bad keys
- There are many alternatives to GPG it seems - or at least to the sub-functions under its "brand". Signal to send messages or minisign to sign documents - but do they have the same "OpenSSL" lack of support in them?
- Don't the million dollar companies like DocuSign use GPG?
So that's me - trying to work out if this is the end of the world or a storm in a teacup - thoughts welcome :-)
This roughly aligns with my understanding as well. The additional takeaways I'd add (that may or may not be accurate):
- Many security researchers disagree with the core idea of SKS servers in general (they're essentially just undeletable online storage that anyone can write to). The distributed "Web of Trust" model itself is considered untrustworthy.
- The vulnerability is triggered by the usage of the SKS servers. This is very bad for any piece of infrastructure that relies on them, but if you're only using local keys that you imported and verified yourself, this particular attack doesn't affect you.
- The PGP format itself is cumbersome and has problems (people want shorter keys, and they want a simpler format with less variability). So while this particular vulnerability only affects SKS servers, there's still a strong movement to get rid of PGP in its entirety.
- The fact that the people behind the SKS servers are reacting negatively and angrily may be reason to be worried about GPG in general, since we don't know if the maintainers would respond the same way to other vulnerabilities that aren't restricted to SKS servers.
Agreed - It would be nice to understand the dependency chain for SKS servers
And I would also like to understand what people mean by "get rid of GPG/PGP" - it cannot mean get rid of keypairs, so is it just replace with some "nicer" code? What is the problem?
> - This may or may not mean that major distributions binary packages will simply stop being verifiable - it depends on who uses what key server in what chain of trust. We probably won't find out till more bad actors poison more wells
Debian keys come from keyring.debian.org, so ??? I'm guessing that chains of trust from there go through the SKS keyservers. If that's so, Debian updates will likely be hosed at some point. Unless you disable authentication.
I have noticed that Whonix now includes onion links to repositories. So maybe that'd be safe enough without GnuPG authentication. Yes?
Edit: It does look bad for the Debian family:
A recent guide[0] recommends pulling missing repository keys from hkp://pool.sks-keyservers.net:
> sudo apt update 2>&1 1>/dev/null | sed -ne 's/.*NO_PUBKEY //p' | while read key; do if ! [[ ${keys[*]} =~ "$key" ]]; then sudo apt-key adv --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys "$key"; keys+=("$key"); fi; done
Just tweak that a hair, and you have a list of all Debian package keys in the keyserver. How long before some jerk hits them with trollwot? I wonder how many millions of Debian family installs could be blocked from updating.
Blame the SKS people, the Debian people, or whatever you like, but this could turn out very painful.
The only bright side, which seemed like a bug until this shit show, is that Debian etc by default don't search for missing keys.
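An added example, not from any poster in this thread: a shell check that counts certifications per key in gpg's colon-format listing, so a key poisoned with the tens of thousands of bogus signatures discussed above stands out in a local keyring before it breaks verification. The threshold of 1000 signatures and the fingerprints in the sample listing are assumptions/constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: spot poisoned keys in a local keyring by
# counting certifications per key in `gpg --with-colons --list-sigs` output.
# Assumption: more than 1000 signatures on one key is treated as suspicious
# (the poisoned keys discussed above carry tens of thousands).

# count_sigs: read colon-format records on stdin and print, per primary key,
#   <fingerprint> <signature-count> <first user id>
count_sigs() {
    awk -F: '
        $1 == "pub" { if (fpr != "") print fpr, n, uid; n = 0; fpr = ""; uid = "" }
        $1 == "fpr" && fpr == "" { fpr = $10 }   # first fpr after pub = primary key
        $1 == "uid" && uid == "" { uid = $10 }
        $1 == "sig" { n++ }
        END { if (fpr != "") print fpr, n, uid }
    '
}

# flag_poisoned: print only keys carrying more than $1 signatures (default 1000).
flag_poisoned() {
    limit="${1:-1000}"
    count_sigs | awk -v limit="$limit" '$2 + 0 > limit + 0 { print $1, $2 }'
}

# Constructed listing with fake fingerprints (not real keys): one healthy key
# with 3 certifications and one poisoned key with 20000.
fake_key() {  # $1 = fingerprint, $2 = user id, $3 = number of sig records
    printf 'pub:u:4096:1:DEADBEEFDEADBEEF:1500000000::::::scESC::::::23::0:\n'
    printf 'fpr:::::::::%s:\n' "$1"
    printf 'uid:u::::1500000000::HASH::%s::::::::::0:\n' "$2"
    i=0
    while [ "$i" -lt "$3" ]; do
        printf 'sig:::1:FFFFFFFFFFFFFFFF:1560000000::::[User ID not found]:10x:::::2:\n'
        i=$((i + 1))
    done
}
sample_listing() {
    fake_key 1111111111111111111111111111111111111111 'Alice Example <alice@example.org>' 3
    fake_key 2222222222222222222222222222222222222222 'Bob Example <bob@example.org>' 20000
}

# Demo on the constructed sample; against a real keyring use:
#   gpg --with-colons --list-sigs | flag_poisoned 1000
sample_listing | flag_poisoned 1000
```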
Debian installations come with preinstalled keyring with the archive signing keys. Upgrades to that keyring are provided via packages, which are signed with the previous archive key. The same for Fedora and rpm. Public keyservers or web of trust are not involved.
On the internet you can obviously find all sorts of bad guides written by random people.
> - This may or may not mean that major distributions binary packages will simply stop being verifiable - it depends on who uses what key server in what chain of trust. We probably won't find out till more bad actors poison more wells
All distributions I know use a pre-shared keyring for package signing, distributed on the initial installation media. Public keyservers are not involved.
This is unaffected by any issues with web-of-trust and public keyservers.
GnuPG and OpenSSL didn't/don't suffer from lack of funding, they both suffer from hideous hacky code and money cannot fix that. There was a reason LibreSSL gutted OpenSSL and created another API.