[solved] Mitigation for SKS keyserver attack
Hello,
I just read this article about a recent SKS keyserver attack that can cause the gpg tools to stop working properly after updating keys from a keyserver:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Should we as GPGTools users follow the steps that are outlined in the mitigation section?
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#m...
I'm no specialist, just a happy user of the tools and I'd like to know if I should undertake steps to avoid being hit by this issue.
Best regards,
Lieven.
1 Posted by Mokanneling on 19 Jul, 2019 09:46 PM
I second and add to lieven's inquiry. Should GPGTools users follow the steps outlined in the following mitigations for the recent SKS keyserver attack (CVE-2019-13050), occurring in June 2019:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#m...
https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp...
https://dev.gnupg.org/T3972
Thank you,
Mokanneling
Support Staff 2 Posted by Steve on 22 Jul, 2019 09:14 AM
Hi Lieven,
one thing you can do with the current setup is open System Preferences > GPG Suite and disable the option to "Automatically download public keys".
We are working on support for https://keys.openpgp.org and if you want to try it out you can download and install our latest hotfix GPG Suite.
You will be asked to switch to the new key server and upload your public keys.
If you try that, please let me know how that worked out for you.
The nightly build also has MacGPG 2.2.17, which no longer downloads key signatures and thus mitigates this attack.
All the best,
Steve
Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.
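For readers who prefer to check the command-line side of what Steve describes, here is an added example (not GPGTools' own code) that parses the `gpg --version` banner, tests whether the installed version is at least 2.2.17, and idempotently appends the matching gpg.conf lines: `keys.openpgp.org` as keyserver plus `self-sigs-only import-clean` on 2.2.17 or later, otherwise `no-auto-key-retrieve` as the config equivalent of the "Automatically download public keys" toggle. The function names, the sample banner and the mapping of that GUI toggle to `auto-key-retrieve` are this example's assumptions; the keyserver options themselves are real GnuPG options.

```shell
#!/bin/sh
# Added example, not part of the GPGTools thread. Function names are hypothetical.

# version_at_least HAVE WANT: true (0) when dotted version HAVE >= WANT.
version_at_least() {
    have="$1"; want="$2"; i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i"); w=$(printf '%s' "$want" | cut -d. -f"$i")
        h=${h:-0}; w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Pull "x.y.z" out of the first banner line, e.g. "gpg (GnuPG/MacGPG2) 2.2.17"
# (MacGPG banner format assumed; plain "gpg (GnuPG) 2.2.17" also matches).
gpg_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^gpg ([^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# Lines to add for a given gpg version. 2.2.17 ignores third-party key
# signatures from keyservers (self-sigs-only); older builds can only stop
# fetching keys automatically.
recommended_conf_lines() {
    printf '%s\n' 'keyserver hkps://keys.openpgp.org'
    if version_at_least "$1" 2.2.17; then
        printf '%s\n' 'keyserver-options self-sigs-only import-clean'
    else
        printf '%s\n' 'keyserver-options no-auto-key-retrieve'
    fi
}

# Append LINE to FILE only if that exact line is not already present.
ensure_conf_line() {
    f="$1"; l="$2"
    [ -f "$f" ] || : > "$f"
    grep -qxF -- "$l" "$f" || printf '%s\n' "$l" >> "$f"
}

# harden_gpg_conf CONF VERSION: apply the recommended lines, safe to re-run.
harden_gpg_conf() {
    cfg="$1"; ver="$2"
    recommended_conf_lines "$ver" | while IFS= read -r line; do
        ensure_conf_line "$cfg" "$line"
    done
}
```

To run it against a real installation: `harden_gpg_conf ~/.gnupg/gpg.conf "$(gpg_version_from_banner "$(gpg --version)")"`, then restart the agent or GPG Suite so the new options are read.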
3 Posted by lieven on 22 Jul, 2019 11:05 AM
Hello Steve,
I had switched to the new keyserver already before upgrading to the hotfix release.
I have updated to the hotfix release, verified I'm indeed running gpg v2.2.17, and all seems to be working fine as we speak.
Thanks for the feedback.
Maybe one suggestion: should there be a notification on the website informing users of this issue?
Best regards,
Lieven.
Support Staff 4 Posted by Steve on 22 Jul, 2019 11:10 AM
We will discuss this internally. We really wanted to get the next release out earlier, but finalizing some details takes longer than we initially expected.
So far we have had very few reports of affected users in our support. The cases that were reported we were able to fix by removing the flooded key in question and then installing the nightly build.
We are closely monitoring how this develops and will move forward accordingly.
5 Posted by lieven on 22 Jul, 2019 11:12 AM
Thanks Steve,
I've marked this issue as solved.
Best regards,
Lieven.
lieven closed this discussion on 22 Jul, 2019 11:13 AM.