Re: [Sks-devel] Another Poison Key?


From: Yegor Timoshenko
Subject: Re: [Sks-devel] Another Poison Key?
Date: Tue, 22 Jan 2019 11:22:49 -0000

Ok, so that was created with my program:
https://gitlab.com/yegortimoshenko/sks-exploits/blob/807ca89c0c2192ccb33d908ec2974779735805d8/sks-fake-uid/main.go#L15

Relevant issue:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/60

> I know it is not a solution, but... is there any way to
> blacklist keys? If there was a way, at least I could blacklist
> manually these attacks, even if I have to check every day.

Sure, here is an updated patch that blacklists this key, as well
as the older poison key:
https://gist.github.com/yegortimoshenko/781c880be8f1b8a91c9c23fa83a35d58
(based off patch by Shengjing Zhu)

There are several problems with this approach:

1. Future updates for the key will be denied, including
   legitimate ones by key holder (FreePBX team).
2. DoS is still possible just by accessing/fetching the key. To
   fix that, you'll have to remove the DoS packets (large user
   packets with random gibberish, not valid per OpenPGP packet
   spec, does not validate cryptographically) or the whole key.
3. Anyone can create another poison key at any time and there's
   no way to fix that without breaking compat, it's a fundamental
   flaw :-(
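
The check that point 2 implies, as an added example (not part of the original message or the linked patch): a walk over a binary OpenPGP packet stream (RFC 4880 headers) that flags User ID packets that are oversized or not UTF-8 text. The 2048-byte limit, the function names and the sample bytes are assumptions made for illustration.

```python
USER_ID_TAG = 13        # RFC 4880 packet tag for User ID
MAX_UID_BYTES = 2048    # assumed local policy limit, not from the spec or the page

def iter_packets(data):
    """Yield (tag, body) for each packet of a binary (non-armored) OpenPGP stream."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"offset {pos}: not a packet header")
        pos += 1
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body length not handled")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            width = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
        if pos + length > len(data):
            raise ValueError("truncated packet body")
        yield tag, data[pos:pos + length]
        pos += length

def suspicious_uids(data, limit=MAX_UID_BYTES):
    """Return (packet index, size, reason) for User ID packets that look like filler."""
    findings = []
    for i, (tag, body) in enumerate(iter_packets(data)):
        if tag != USER_ID_TAG:
            continue
        if len(body) > limit:
            findings.append((i, len(body), "oversized"))
            continue
        try:
            body.decode("utf-8")                # User IDs are UTF-8 text per RFC 4880
        except UnicodeDecodeError:
            findings.append((i, len(body), "not UTF-8"))
    return findings

# Constructed sample: one ordinary User ID, then a 5000-byte filler User ID.
SAMPLE = (bytes([0xB4, 17]) + b"Alice <a@ex.test>"
          + bytes([0xCD, 0xFF]) + (5000).to_bytes(4, "big") + bytes(5000))
```

A size limit only flags candidates for review; it does not tell a legitimate long User ID from filler, and it says nothing about whether a self-signature over the packet verifies.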
