
Re: [Sks-devel] heads-up: another attack tool, using SKS as FS


From: Ryan Hunt
Subject: Re: [Sks-devel] heads-up: another attack tool, using SKS as FS
Date: Fri, 13 Jul 2018 21:10:17 -0600

So when you respond back to the server with your token we simply check that 
you're a human being. Also, throttling and delays could be put in place to 
mitigate the effects of someone breaking past the bot detection as far as spam 
is concerned. I'm not concerned with people putting private info in 
personally, just negating silly denial of service tactics like we are seeing 
here.

-Ryan

> On Jul 13, 2018, at 8:50 PM, Tobias Frei <address@hidden> wrote:
> 
> Hi Ryan,
> 
> that would probably be an incomplete mitigation:
> 
> -people can use the photo id field instead
> -people can use valid e-mail addresses under their own domain ("catch-all")
> -your keyserver suddenly can be abused for email spamming
> 
> Best regards
> Tobias Frei
> 
> 
> On 14.07.2018 at 02:57, Ryan Hunt wrote:
>> Could this be mitigated by validating email addresses as they come in? Like 
>> sending an encrypted mail to the said address with a return token; if the 
>> token is not provided the key is never put into the SKS rotation?
>> I think a solution like this would be much more effective, and if there was 
>> some desire to conform to GDPR at some point it would be pretty much 
>> required first step because I cannot see how we could possibly remove keys 
>> without a command signed by that key, and putting this in place would make 
>> that ‘no more difficult to remove than it was to add’..
>> Regards,
>> -Ryan Hunt
>>> On Jul 13, 2018, at 11:20 AM, Phil Pennock <address@hidden> wrote:
>>> 
>>> Signed PGP part
>>> Heads-up:
>>> 
>>> https://medium.com/@mdrahony/are-pgp-key-servers-breaking-the-law-under-the-gdpr-a81ddd709d3e
>>> https://github.com/yakamok/keyserver-fs
>>> https://lobste.rs/s/sle0o4/are_pgp_key_servers_breaking_law_under
>>> 
>>> This `keyserver-fs` is software to attack SKS, using it as a filesystem, in
>>> what appears to be a deliberate attack on the viability of continuing to
>>> run a keyserver.
>>> 
>>> The author is upset that there's no deletion, so is pissing in the pool.
>>> 
>>> -Phil
>>> 
>>> 
>> _______________________________________________
>> Sks-devel mailing list
>> address@hidden
>> https://lists.nongnu.org/mailman/listinfo/sks-devel
> 
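An added sketch (not SKS code, and not written by anyone in the thread) of the token-gated admission Ryan proposes, with the per-address throttle from his follow-up, which also bounds how much mail the gate can send toward any one address, the spam concern Tobias raises. The AdmissionGate class, its constants and the fake clock are hypothetical; encrypting the token to the submitted key and mailing it is left to the caller.

```python
import hashlib
import secrets
import time

# Constructed example: keys wait here until the address in a UID proves it
# can receive the token; only then is the key released to the rotation.
TOKEN_TTL = 24 * 60 * 60          # seconds a challenge stays redeemable
MAX_OUTSTANDING_PER_ADDRESS = 3   # throttle: open challenges per address


class AdmissionGate:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}      # sha256(token) -> (fingerprint, email, expires_at)
        self._outstanding = {}  # email -> number of unexpired challenges
        self.admitted = set()   # fingerprints released into the rotation

    def challenge(self, fingerprint, email):
        """Register a submitted key and return the token to mail to `email`,
        or None when the address already has too many open challenges."""
        self._expire()
        if self._outstanding.get(email, 0) >= MAX_OUTSTANDING_PER_ADDRESS:
            return None  # refuse to generate more mail toward this address
        token = secrets.token_urlsafe(32)
        # Only the digest is stored, so a leaked table cannot admit keys.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (fingerprint, email, self._now() + TOKEN_TTL)
        self._outstanding[email] = self._outstanding.get(email, 0) + 1
        return token  # caller encrypts this to the key and mails it

    def redeem(self, token):
        """Admit the key bound to `token` (single use); fingerprint or None."""
        self._expire()
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None  # unknown, already used, or expired
        fingerprint, email, _ = entry
        self._outstanding[email] -= 1
        self.admitted.add(fingerprint)
        return fingerprint

    def _expire(self):
        """Drop stale challenges and release their throttle slots."""
        now = self._now()
        for digest, (_, email, expires_at) in list(self._pending.items()):
            if expires_at <= now:
                del self._pending[digest]
                self._outstanding[email] -= 1
```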