Re: [Sks-devel] Peering request from Zurich / Switzerland
From: Phil Pennock
Subject: Re: [Sks-devel] Peering request from Zurich / Switzerland
Date: Thu, 5 Jun 2014 21:21:56 -0400
On 2014-06-05 at 19:37 +0200, MSW-Technologies.de wrote:
> we have just set up a public keyserver located at:
>
> gpg.directory 11370
>
> The server is operated by NAG Netbone Digital AG (RIPE member) in Zurich,
> Switzerland.
According to <http://gpg.directory:11371/pks/lookup?op=stats> you are
running SKS 1.1.3 -- this has a known cross-site scripting
vulnerability, so you're soon going to be ineligible to be a member of
the main serving pool, if that matters to you.
The pool in question is pool.sks-keyservers.net, which is the target of
the keys.gnupg.net CNAME.
There's some good information at <https://sks-keyservers.net/> which it
might be worth having someone read.
You also _appear_ to not have a front-end reverse-proxy in front of your
server, which is why you're showing in red at
<https://sks-keyservers.net/status/>. You should be aware that SKS
serves a single request at a time, in the one thread, before accepting
the next request, so one slow client can DoS your service. Best current
practice is to deploy with a reverse proxy in front.
You might find this wiki page helpful:
<https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering>
Regards,
-Phil
--
My employer, Apcera Inc, is hiring sysadmin; primarily San Francisco:
http://www.apcera.com/jobs/#operations-engineer
(but all the mistakes in this email are made in my personal capacity)
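The two pool-eligibility problems Phil points at (an SKS build with the known XSS bug, and no reverse proxy in front of the single-threaded daemon) can be checked from the outside. The script below is an added example, not code from the thread or from the SKS project: it parses the "Version:" cell of a constructed op=stats fragment, compares it against an assumed minimum version (the mail only says 1.1.3 is affected, so the floor is a parameter), and treats a Via response header as the sign of a front-end proxy, which is an assumption about how the proxy is configured.

```python
import re
from typing import Optional, Tuple

# Constructed sample of an SKS "op=stats" page fragment (not fetched from any live server).
SAMPLE_STATS_HTML = """
<h2>Settings</h2>
<table summary="Keyserver Settings">
<tr><td>Hostname:</td><td>gpg.directory</td></tr>
<tr><td>Version:</td><td>1.1.3</td></tr>
</table>
"""

# Constructed response headers for the two cases: bare SKS vs. SKS behind a proxy.
HEADERS_BARE = {"Server": "sks_www/1.1.3"}  # hypothetical header value
HEADERS_PROXIED = {"Server": "nginx", "Via": "1.1 gpg.directory:11371 (nginx)"}

# Assumed minimum version: the mail only says 1.1.3 has the XSS bug, so this is a parameter.
MIN_VERSION = (1, 1, 4)


def parse_version(stats_html: str) -> Optional[Tuple[int, ...]]:
    """Pull the 'Version:' cell out of the stats page and return it as an int tuple."""
    m = re.search(r"Version:\s*</td>\s*<td>\s*([\d.]+)", stats_html)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def has_reverse_proxy(headers: dict) -> bool:
    """Heuristic (assumption): a front-end proxy announces itself with a Via header."""
    return "via" in {k.lower() for k in headers}


def check_peer(stats_html: str, headers: dict, min_version=MIN_VERSION) -> list:
    """Return the list of problems that would keep this server out of the serving pool."""
    problems = []
    version = parse_version(stats_html)
    if version is None:
        problems.append("could not determine SKS version from stats page")
    elif version < min_version:
        found = ".".join(map(str, version))
        floor = ".".join(map(str, min_version))
        problems.append("SKS %s is below minimum %s (1.1.3 has a known XSS bug)" % (found, floor))
    if not has_reverse_proxy(headers):
        problems.append("no reverse proxy detected: SKS serves one request at a time, "
                        "so a single slow client can DoS the service")
    return problems


if __name__ == "__main__":
    for name, hdrs in (("bare", HEADERS_BARE), ("proxied", HEADERS_PROXIED)):
        print(name, check_peer(SAMPLE_STATS_HTML, hdrs))
```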