@alice I'm just being silly, but there is a vulnerability in an OpenPGP software that allows poisoing certificates on key servers. https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
In the link above, one of the causes given to the flaw is that the software is written in an “obscure” language called OCaml, and several tech news websites have relayed this statement as-is ^^
@otini I don't really like the point where:
1) the "bug" (which is more a design choice than a bug) was discovered 10 years before
2) The bug is not on the server (which is implemented in OCaml) but at the reception of poisoned certificates by the client - and, in this case, by GnuPG (implemented in C)
In fact, the point is the client is not able to handle such poisoned keys (https://news.ycombinator.com/item?id=20318565).
The FUD about the server or the language is a bullshit where the problem is somewhere else.
@dinosaure Wow then the whole post about the server is completely irrelevant…
@otini @dinosaure well, a "fix" is to have servers which only accept fewer certificates (and/or validate them being good -- but then an attacker can properly sign any public key, and this will pass the check). but then your client still has to deal with misbehaving servers --> the fix is not easy, and IMHO key servers are bad (since they expose timestamps and the social network) anyways. so why not just switch them off and try another way of exchanging public keys!?
@otini @dinosaure see also yminsky reply (copied to) https://www.reddit.com/r/ocaml/comments/c7fs0p/sks_keyserver_network_under_attack_github/esq3shb/
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!