Contributors to the PGP protocol GnuPG claim that threat actors are “poisoning” their certificates, this means that attackers spam their certificate with a large number of signatures. The intent is to make it impossible for the PGP software to verify its authenticity.
Two prominent contributors
“In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as “rjh” and “dkg”).” Hansen wrote in a blog post. “This attack exploited a defect in the OpenPGP protocol itself in order to “poison”
The attackers exploited a “defect” in the OpenPGP protocol to poison their certificates. Hansen explained that The standard keyserver software is called SKS, for “Synchronizing Key Server,” it was developed by a fellow named Yaron Minsky for his Ph.D thesis. It’s written in an unusual programming language called OCaml making it very difficult to maintain because it wasn’t designed for large-scale usage. Currently the software is unmaintained.
“Due to the above, there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase.”explained Hansen.
Experts believe that threat actors will continue in poisoning certificates, the attack is very easy to carry out this implies that other hackers will attempt to exploit them.
Every time a user attempts to import the poisoned certificates would crash his software.
“We’ve known for a decade this attack is possible. It’s now here and it’s devastating,” continues the post.
Unfortunately, the attack is hard to mitigate, in order to prevent the exposure to the attack is to stop retrieving certificates and data from the SKS (Synchronizing Key Server) keyserver network.
“The design goal of the keyserver network is “baked into” essentially every part of the infrastructure. This isn’t a case where there’s a bug that’s inhibiting the keyserver network from functioning correctly. “continues the developer. “Bugs are generally speaking fairly easy to fix once you know where the problem is. Changing design goals often requires an overhaul of such magnitude it may be better to just start over with a fresh sheet of paper. “
Gillmor explained that the problems are well known and were a long debated, there have been several proposals to mitigate the
“The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on, because people are deliberately abusing those keyservers,” Gillmor concludes.