<p>GPGTools: Discussion (feed updated 2019-07-22T12:37:02Z)</p>
<p>[solved] Mitigation for SKS keyserver attack</p>
<p>Comment from 2019-07-19T21:46:52Z:</p>
<div><p>I second and add to lieven's inquiry. Should GPGTools users follow the steps outlined in the following mitigations for the recent SKS keyserver attack (CVE-2019-13050), occurring in June 2019:</p>
<p><a href="https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f">https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f</a></p>
<p><a href="https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations">https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations</a></p>
<p><a href="https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certificates/">https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certificates/</a></p>
<p><a href="https://dev.gnupg.org/T3972">https://dev.gnupg.org/T3972</a></p>
<p>Thank you,<br>
Mokanneling</p></div>
<p>Posted by Mokanneling.</p>
<p>Comment from 2019-07-22T09:14:51Z:</p>
<div><p>Hi Lieven,</p>
<p>one thing you can do with the current setup is open System Preferences > GPG Suite and disable the option to "Automatically download public keys".</p>
<p>We are working on support for <a href="https://keys.openpgp.org">https://keys.openpgp.org</a> and if you want to try it out you can download and install our <a href="https://releases.gpgtools.org/nightlies">latest hotfix GPG Suite</a>.</p>
<p>You will be asked to switch to the new key server and upload your public keys.</p>
<p>If you try that, please let me know how that worked out for you.</p>
<p>The nightly build also has MacGPG 2.2.17, which no longer downloads key signatures and thus mitigates this attack.</p>
<p>All the best,<br>
Steve</p>
<p>Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.</p></div>
<p>Posted by Steve.</p>
<p>Comment from 2019-07-22T11:05:11Z:</p>
<div><p>Hello Steve,</p>
<p>I had switched to the new keyserver already before upgrading to the hotfix release.</p>
<p>I have updated to the hotfix release, verified I'm indeed running gpg v2.2.17, and all seems to be working fine as we speak.</p>
<p>Thanks for the feedback.</p>
<p>Maybe one suggestion: should there be a notification on the website informing users of this issue?</p>
<p>Best regards,<br>
Lieven.</p></div>
<p>Posted by lieven.</p>
<p>Comment from 2019-07-22T11:10:47Z:</p>
<div><p>We will discuss this internally. We really wanted to get the next release out earlier, but finalizing some details takes longer than we initially expected.</p>
<p>So far we have had very few reports of affected users in our support. The cases that were reported we were able to fix by removing the flooded key in question and then installing the nightly build.</p>
<p>We are closely monitoring how this develops and will move forward accordingly.</p></div>
<p>Posted by Steve.</p>
<p>Comment from 2019-07-22T11:12:36Z:</p>
<div><p>Thanks Steve,</p>
<p>I've marked this issue as solved.</p>
<p>Best regards,<br>
Lieven.</p></div>
<p>Posted by lieven.</p>
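<p>The three mitigations Steve lists above (stop fetching keys automatically, move to keys.openpgp.org, and run GnuPG 2.2.17, which imports only self-signatures) can also be applied from the command line. The script below is an added example and not GPGTools' own code; it assumes the GPG Suite checkbox "Automatically download public keys" corresponds to gpg.conf's auto-key-retrieve, and that gpg 2.2 still honours a "keyserver" line in gpg.conf.</p>

```shell
#!/bin/sh
# Added example, not GPGTools' code. Rewrites a gpg.conf so that keys are never
# fetched automatically, keys.openpgp.org is the key server, and, on GnuPG >= 2.2.17,
# imports keep only self-signatures (the flooded third-party signatures are dropped).
# Assumption: the GPG Suite "Automatically download public keys" checkbox maps to
# auto-key-retrieve, and gpg 2.2 honours "keyserver" in gpg.conf.
set -u

# Turn "2.2.17" into an integer (2002017) so versions can be compared with -ge.
vernum() {
    IFS=. read -r a b c <<EOF
$1
EOF
    echo $(( ${a:-0} * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# Extract the version number from the first line of `gpg --version` output,
# e.g. "gpg (GnuPG/MacGPG2) 2.2.17" -> "2.2.17".
parse_gpg_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# harden_gpg_conf FILE VERSION: rewrite FILE in place, keeping unrelated settings.
# Returns 1 when VERSION is older than 2.2.17, i.e. the self-sigs-only import option
# is not available yet and the binary itself still needs the upgrade.
harden_gpg_conf() {
    conf=$1; ver=$2; tmp="$conf.tmp"
    [ -f "$conf" ] || : > "$conf"
    # Drop the settings we are about to replace (grep -v exits 1 on an empty result).
    grep -Ev '^[[:space:]]*(no-)?auto-key-retrieve|^[[:space:]]*keyserver[[:space:]]|^[[:space:]]*import-options' \
        "$conf" > "$tmp" || true
    {
        echo 'no-auto-key-retrieve'
        echo 'keyserver hkps://keys.openpgp.org'
        if [ "$(vernum "$ver")" -ge "$(vernum 2.2.17)" ]; then
            echo 'import-options self-sigs-only,import-clean'
        fi
    } >> "$tmp"
    mv "$tmp" "$conf"
    [ "$(vernum "$ver")" -ge "$(vernum 2.2.17)" ]
}
```

<p>Typical use is <code>harden_gpg_conf ~/.gnupg/gpg.conf "$(parse_gpg_version "$(gpg --version)")"</code>; a non-zero exit means the installed gpg is older than 2.2.17 and the config alone does not stop the slow import of a flooded key.</p>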