[solved] Mitigation for SKS keyserver attack

lieven

13 Jul, 2019 08:36 AM

Hello,

I just read this article about a recent SKS keyserver attack that can cause the gpg tools to stop working properly after updating keys from a keyserver:

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

Should we as GPGTool users follow the steps that are lined out in the mitigation section?

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#m...

I'm no specialist, just a happy user of the tools and I'd like to know if I should undertake steps to avoid being hit by this issue.

Best regards,
Lieven.

  1. 1 Posted by Mokanneling on 19 Jul, 2019 09:46 PM

    I second and add to lieven's inquiry. Should GPGTools users follow the steps outlined in the following mitigations for the recent SKS keyserver attack (CVE-2019-13050), occurring in June 2019:

    https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

    https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#m...

    https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp...

    https://dev.gnupg.org/T3972

    Thank you,
    Mokanneling

  2. Support Staff 2 Posted by Steve on 22 Jul, 2019 09:14 AM

    Hi Lieven,

    One thing you can do with the current setup is open System Preferences > GPG Suite and disable the option to "Automatically download public keys".

    We are working on support for https://keys.openpgp.org and if you want to try it out you can download and install our latest hotfix GPG Suite.

    You will be asked to switch to the new key server and upload your public keys.

    If you try that, please let me know how that worked out for you.

    The nightly build also has MacGPG 2.2.17, which no longer downloads key signatures and thus mitigates this attack.

    All the best,
    Steve

    Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.
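As an added illustration of the mitigation Steve describes (not code from this thread or from GPGTools): the script below counts signatures per key in `gpg --with-colons --list-sigs` output to spot a flooded key, and carries the gpg.conf lines that correspond to the 2.2.17 behaviour (the `self-sigs-only` and `import-clean` keyserver options introduced in GnuPG 2.2.17). The threshold, key IDs and sample listing are constructed.

```python
"""Spot flooded OpenPGP keys in a GnuPG colon-format listing (added example).

Against a real keyring:  gpg --with-colons --list-sigs | python3 flood_check.py
Without stdin input it runs on the constructed sample listing below.
"""
import sys

# Third-party signatures per key above which we call the key flooded. The
# 2019 SKS attack attached tens of thousands; this cut-off is an assumption,
# not a GnuPG constant.
FLOOD_THRESHOLD = 1000

# gpg.conf lines matching the mitigation in the thread: use keys.openpgp.org
# and, as MacGPG 2.2.17 does, keep only self-signatures on keyserver import.
HARDENED_GPG_CONF = (
    "keyserver hkps://keys.openpgp.org\n"
    "keyserver-options self-sigs-only import-clean\n"
)


def count_signatures(listing):
    """Return {keyid: (self_sigs, third_party_sigs)} for each pub record."""
    counts, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":                # field 5 of a pub record is the key ID
            current = f[4]
            counts[current] = [0, 0]
        elif f[0] == "sig" and current:  # field 5 of a sig record is the signer
            counts[current][f[4] != current] += 1   # index 0: self, 1: third party
    return {k: tuple(v) for k, v in counts.items()}


def flooded_keys(listing, threshold=FLOOD_THRESHOLD):
    """Key IDs whose third-party signature count reaches the threshold."""
    return sorted(k for k, (_, third) in count_signatures(listing).items()
                  if third >= threshold)


def constructed_listing():
    """Constructed sample: a healthy key and one carrying 1500 foreign sigs."""
    good, bad = "AAAA1111BBBB2222", "CCCC3333DDDD4444"
    rows = [f"pub:u:4096:1:{good}:1560000000:::u:::scESC::::::23::0:",
            f"sig:::1:{good}:1560000000::::Alice <alice@example.org>:13x:::::2:"]
    rows += [f"sig:::1:{i:016X}:1560000000::::Friend {i}:10x:::::2:" for i in range(3)]
    rows += [f"pub:u:4096:1:{bad}:1560000000:::u:::scESC::::::23::0:",
             f"sig:::1:{bad}:1560000000::::Bob <bob@example.org>:13x:::::2:"]
    rows += [f"sig:::1:{i:016X}:1561000000::::[User ID not found]:10x:::::2:"
             for i in range(1000, 2500)]
    return "\n".join(rows)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else constructed_listing()
    for key, (own, foreign) in count_signatures(data).items():
        print(f"{key}: {own} self-sigs, {foreign} third-party sigs")
    print("flooded:", flooded_keys(data) or "none")
```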

  3. 3 Posted by lieven on 22 Jul, 2019 11:05 AM

    Hello Steve,

    I had switched to the new keyserver already before upgrading to the hotfix release.

    I have updated to the hotfix release, verified I'm indeed running gpg v2.2.17, and all seems to be working fine as we speak.

    Thanks for the feedback.

    Maybe one suggestion: should there be a notification on the website informing users of this issue?

    Best regards,
    Lieven.

  4. Support Staff 4 Posted by Steve on 22 Jul, 2019 11:10 AM

    We will discuss this internally. We really wanted to get the next release out earlier, but finalizing some details takes longer than we initially expected.

    So far we have had very few reports of affected users in our support. The cases that were reported we were able to fix by removing the flooded key in question and then installing the nightly build.

    We are closely monitoring how this develops and will move forward accordingly.

  5. 5 Posted by lieven on 22 Jul, 2019 11:12 AM

    Thanks Steve,

    I've marked this issue as solved.

    Best regards,
    Lieven.

  6. lieven closed this discussion on 22 Jul, 2019 11:13 AM.
