From: Jorge Gonzalez
Subject: Re: [Sks-devel] new attack on sks keyserver ?
Date: Tue, 2 Jul 2019 12:16:24 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0

Hi, all,

just in case anyone is interested, these are the first measures that I have implemented (or plan to implement) on ICIJ key server:

* Stop accepting SKS updates from peers (by removing all peers from our "membership" file). - DONE
* Stop accepting SKS updates from external sources (by configuring our HTTP gateway with a URL blacklist, so that POSTs for new keys are not accepted except from our internal networks) - ONGOING
* Tell users to upload any needed PGP key manually to our own keyserver - DONE
* Tell users and partners to use ICIJ keyserver (and not others) for communicating with us using PGP. - DONE
* Stop serving poisoned certificates to any client (by configuring our HTTP gateway with another URL blacklist, so that GETs for poisoned keys are not allowed). I'm planning to use some of the existing DB statistics scripts to extract the list of keys which have more than N signatures (which N would be reasonable? 10? 30? 300?) - ONGOING

Effectively, this has turned our server into a PGP island which does not receive updates, but it serves our purpose, since we regularly update it manually. YMMV.

Any comments are welcome.

J.

Jorge Gonzalez Villalonga
Systems Engineer
The International Consortium of Investigative Journalists
910 17th Street NW, Suite 410 | Washington DC 20006 | United States
Phone: +34 672 173 200 (Madrid, Spain)

On 1/7/19 at 12:17, Robert J. Hansen wrote:

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

As the guy who wrote that, yeah, I'm pretty sure we here are aware of it. ;) Kristian, who is the major figure behind the SKS keyserver network, has also apparently been targeted. We are keenly aware of the issue. But thank you for your thoughtfulness! :)

_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel

signature.asc
Description: OpenPGP digital signature
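
The last measure in the message above depends on knowing how many signatures each key carries. As an added example (not part of the original message, and not SKS code), this Python code counts Signature packets by walking the RFC 4880 packet framing of a binary, non-armored key export; the function names and the sample data are assumptions made for illustration, and the threshold N is left as a parameter.

```python
SIGNATURE_TAG = 2  # OpenPGP Signature packet (RFC 4880, section 4.3)

def read_uint(data, pos, n):
    """Read an n-octet big-endian integer, rejecting truncated input."""
    if pos + n > len(data):
        raise ValueError("truncated packet header")
    return int.from_bytes(data[pos:pos + n], "big")

def iter_packets(data):
    """Yield (tag, body) for each packet of a binary (not armored) OpenPGP blob."""
    pos = 0
    while pos < len(data):
        first, pos = data[pos], pos + 1
        if not first & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        if first & 0x40:                      # new-format header
            tag = first & 0x3F
            o1, pos = read_uint(data, pos, 1), pos + 1
            if o1 < 192:                      # one-octet length
                length = o1
            elif o1 < 224:                    # two-octet length
                length = ((o1 - 192) << 8) + read_uint(data, pos, 1) + 192
                pos += 1
            elif o1 == 255:                   # five-octet length
                length, pos = read_uint(data, pos, 4), pos + 4
            else:                             # partial body: data packets only
                raise ValueError("partial body length in a certificate")
        else:                                 # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:                    # indeterminate: runs to end of input
                length = len(data) - pos
            else:                             # 1, 2 or 4 length octets
                length, pos = read_uint(data, pos, 1 << ltype), pos + (1 << ltype)
        if pos + length > len(data):
            raise ValueError("truncated packet body")
        yield tag, data[pos:pos + length]
        pos += length

def count_signatures(cert):
    """Number of Signature packets (tag 2) found in one certificate blob."""
    return sum(1 for tag, _ in iter_packets(cert) if tag == SIGNATURE_TAG)

def over_threshold(certs, n):
    """Labels of certificates carrying more than n signature packets."""
    return [label for label, blob in certs.items() if count_signatures(blob) > n]

def sample_cert(n_sigs):
    """Constructed input: real framing, filler bodies (not a valid key)."""
    key = bytes([0x99, 0x00, 0x04]) + b"KEY!"     # old format, tag 6
    uid = bytes([0xCD, 5]) + b"a@b.c"             # new format, tag 13
    sig = bytes([0xC2, 192, 8]) + b"\x00" * 200   # new format, tag 2, 200 octets
    return key + uid + sig * n_sigs
```

The count includes self-signatures and subkey binding signatures, so any chosen N has to leave room for the signatures a normal key carries on its own.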