GnuPG — "SKS Keyserver Network Under Attack":

gist.github.com/rjhansen/67ab9

"If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation."

"High-risk users should stop using the keyserver network immediately."

#gnupg #gpg #keyserver #infosec #security #cybersecurity

@infosechandbook
A temporary replacement could be keybase.io until SKS gets a stable fix/replacement.

@cypherpunk

keybase.io is not a viable replacement. There are a lot of important keys (i.e. distro keys, signing keys for other software, …) that simply don't fit into the keybase model.

Also replacing something decentralized with something centralized especially in this (*hehe*) key position is a really bad idea.

There are various alternatives to the official SKS keyserver implementation, not perfect, but definitely better, because organisations can run it themselves.

@infosechandbook


@sheogorath
You are right, but I am at this moment not aware of any functional decentralized replacement for SKS.
Can you please be more specific, what did you have in mind?
Btw, I was concerned about journalists and activists who rely on SKS and something easy to use for key exchange.
@infosechandbook

@cypherpunk

Well, first of all, there is WKD, which, to be fair, is not a keyserver implementation by itself, but great for key exchange.

shivering-isles.com/Lets-disco

For keyserver implementations I'm thinking of things like the Mailvelope keyserver, which isn't doing the background sync that SKS servers do, but is at least self-hostable.

github.com/mailvelope/keyserve

I would still prefer WKD to find wider adoption.

@infosechandbook

@sheogorath
Thanks, didn't know of WKD till now. 😃
Mailvelope has been around for a while now, but I haven't seen much adoption from any community yet.
Hope we find some viable solutions.
Maybe now is the time for serious SKS improvement and rebranding.
@infosechandbook

Sorry for the necro-reply but SKS has no chances of revival.

Do check out https://keys.openpgp.org, which in some respects is an improvement over SKS. Some projects, such as SecureDrop and NixOS, have already begun their switch to keys.openpgp.org:

https://github.com/freedomofpress/securedrop/issues/4128

https://github.com/NixOS/nixpkgs/pull/63964

FWIW I still prefer WKD when possible (own domain or a security-conscious group of people such as kernel.org: https://www.kernel.org/category/signatures.html#using-the-web-key-directory), but keys.openpgp.org is good for the rest (generic e-mail providers, etc.)

@wiktor
Thanks for reply. Useful info.
I will try to set up both WKD and a clone of keys.openpgp.org and see which has better usability in open-source PGP apps like Thunderbird/Enigmail, PEP, OpenKeychain, etc.
@sheogorath

Both Enigmail and OpenKeychain have supported WKD for some time (see my PR for OpenKeychain: https://github.com/open-keychain/open-keychain/pull/2314).

Recently they both switched to using keys.openpgp.org as the default keyserver, as the OpenKeychain developer is also behind keys.openpgp.org and Enigmail didn't have any other choice.

WKD has the advantage of returning third-party signatures (if you care about the Web of Trust), keys.openpgp.org will strip them (this is by design). For a longer discussion see https://blogs.gentoo.org/mgorny/2019/07/04/sks-poisoning-keys-openpgp-org-hagrid-and-other-non-solutions/
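To make the WKD discovery mentioned throughout this thread concrete, here is an added example (not code from any poster or from GnuPG) that derives the lookup URLs a client would fetch for an address, following the WKD draft: the local part is lowercased, SHA-1 hashed, Z-Base32 encoded, and placed under `.well-known/openpgpkey` on either the `openpgpkey.` subdomain (advanced method) or the bare domain (direct method). Function names are my own; a site operator can use the same derivation to check that a published key is stored at the path clients will actually request.

```python
import hashlib
from urllib.parse import quote

# Z-Base32 alphabet used by WKD (draft-koch-openpgp-webkey-service).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as Z-Base32: 5 bits per character, most significant bit first.
    A 20-byte SHA-1 digest is 160 bits, i.e. exactly 32 characters with no padding;
    other lengths are zero-padded on the right so the general case also works."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZB32_ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 0x1F]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' path component: SHA-1 of the lowercased local part, Z-Base32 encoded."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Return the advanced- and direct-method URLs a WKD client would try, in that order.
    The domain is lowercased; the original local part is passed back in the l= hint."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("expected local-part@domain")
    domain = domain.lower()
    h = wkd_hash(local_part)
    hint = "?l=" + quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{hint}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{hint}",
    }


if __name__ == "__main__":
    # Constructed sample address (the draft itself uses one of the same shape).
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method:8s} {url}")
```

The draft publishes a hash for Joe.Doe@Example.ORG that can be compared against `wkd_hash("Joe.Doe")` to check the encoding end to end.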
