Contributors to the PGP protocol GnuPG claim that threat actors are “poisoning” their certificates, this means that attackers spam their certificate with a large number of signatures. The intent is to make it impossible for the PGP software to verify its authenticity.
Two prominent contributors at the PGP project, the developers Robert “rjh” Hansen and Daniel Kahn “dkg” Gillmor, confirmed that they were targeted by hackers who spammed their public cryptographic identities.
“In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as “rjh” and “dkg”).” Hansen wrote in a blog post. “This attack exploited a defect in the OpenPGP protocol itself in order to “poison” rjh and dkg’s OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network.”
The attackers exploited a “defect” in the OpenPGP protocol to poison their certificates. Hansen explained that The standard keyserver software is called SKS, for “Synchronizing Key Server,” it was developed by a fellow named Yaron Minsky for his Ph.D thesis. It’s written in an unusual programming language called OCaml making it very difficult to maintain because it wasn’t designed for large-scale usage. Currently the software is unmaintained.
“Due to the above, there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase.”explained Hansen.
Experts believe that threat actors will continue in poisoning certificates, the attack is very easy to carry out this implies that other hackers will attempt to exploit them.
Every time a user attempts to import the poisoned certificates would crash his software.
“We’ve known for a decade this attack is possible. It’s now here and it’s devastating,” continues the post.
Unfortunately, the attack is hard to mitigate, in order to prevent the exposure to the attack is to stop retrieving certificates and data from the SKS (Synchronizing Key Server) keyserver network.
“The design goal of the keyserver network is “baked into” essentially every part of the infrastructure. This isn’t a case where there’s a bug that’s inhibiting the keyserver network from functioning correctly. “continues the developer. “Bugs are generally speaking fairly easy to fix once you know where the problem is. Changing design goals often requires an overhaul of such magnitude it may be better to just start over with a fresh sheet of paper. “
Gillmor explained that the problems are well known and were a long debated, there have been several proposals to mitigate the problems but none of them is easy to implement.
“The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on, because people are deliberately abusing those keyservers,” Gillmor concludes.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – SKS keyserver, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
Experts uncovered a botnet of 190,000 Android devices infected by BadBox bot, primarily Yandex smart…
Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware…
Sophos fixed three Sophos Firewall flaws that could lead to SQL injection, privileged SSH access…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust Privileged Remote Access (PRA) and Remote…
Raccoon Infostealer operator Mark Sokolovsky was sentenced to 60 months in US prison and ordered…
Juniper Networks warns that a Mirai botnet is targeting SSR devices with default passwords after…
This website uses cookies.