Re: [Sks-devel] new attack on sks keyserver ?


From: me
Subject: Re: [Sks-devel] new attack on sks keyserver ?
Date: Tue, 2 Jul 2019 13:14:35 +0200

Hi Jorge,

You might as well use keys.openpgp.org in that case.

You won't have to maintain broken software or deal with poisoned keys.

Or you can even run your own instance of Hagrid if you want to maintain control.



Yakamo



On Tue, 2 Jul 2019 12:16:24 +0200
Jorge Gonzalez <address@hidden> wrote:

> Hi, all,
> 
> just in case anyone is interested, these are the first measures that I
> have implemented (or plan to implement) on ICIJ key server:
> 
> * Stop accepting SKS updates from peers (by removing all peers from our
> "membership" file). - DONE
> 
> * Stop accepting SKS updates from external sources (by configuring our
> HTTP gateway with a URL blacklist, so that POSTs for new keys are not
> accepted except from our internal networks) - ONGOING
> 
> * Tell users to upload any needed PGP key manually to our own keyserver
> - DONE
> 
> * Tell users and partners to use ICIJ keyserver (and not others) for
> communicating with us using PGP. - DONE
> 
> * Stop serving poisoned certificates to any client (by configuring our
> HTTP gateway with another URL blacklist, so that GETs for poisoned keys
> are not allowed). I'm planning to use some of the existing DB statistics
> scripts to extract the list of keys which have more than N signatures
> (which N would be reasonable? 10? 30? 300?) - ONGOING
> 
> Effectively, this has turned our server into a PGP island which does not
> receive updates, but it serves our purpose, since we regularly update
> it manually. YMMV.
> 
> Any comments are welcome.
> 
> J.
> 
> 
> *Jorge Gonzalez Villalonga*
> Systems Engineer
> *The International Consortium of Investigative Journalists*
> <https://www.icij.org>
> 910 17th Street NW, Suite 410 | Washington DC 20006 | United States
> Phone: +34 672 173 200 (Madrid, Spain)
> On 1/7/19 at 12:17, Robert J. Hansen wrote:
> >> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> > As the guy who wrote that, yeah, I'm pretty sure we here are aware of
> > it.  ;)
> >
> > Kristian, who is the major figure behind the SKS keyserver network, has
> > also apparently been targeted.  We are keenly aware of the issue.  But
> > thank you for your thoughtfulness!  :)
> >
> > _______________________________________________
> > Sks-devel mailing list
> > address@hidden
> > https://lists.nongnu.org/mailman/listinfo/sks-devel
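
The signature-count check planned in the quoted message, as an added example that is not part of this thread and is not one of the SKS DB statistics scripts it mentions: it walks a binary (non-armored) OpenPGP key export and returns the v4 fingerprint of every certificate carrying more than N signature packets. The function names, the sample bytes and the choice to count every signature packet (self-signatures included) are assumptions of this example.

```python
import hashlib

def packets(data):
    """Yield (tag, body) per OpenPGP packet in a binary key export (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError(f"not a packet header at offset {i - 1}")
        lenbuf = data[i:i + 5].ljust(5, b"\x00")   # padded; truncation is caught below
        if hdr & 0x40:                              # new-format header
            tag, first = hdr & 0x3F, lenbuf[0]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + lenbuf[1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(lenbuf[1:5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                       # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:
                raise ValueError("indeterminate lengths are not handled here")
            length, i = int.from_bytes(lenbuf[:size], "big"), i + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(body):
    """SHA-1 over 0x99, two-octet length, key packet body (RFC 4880, 12.2)."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def over_threshold(data, n):
    """Map fingerprint -> signature-packet count for certificates with more than n."""
    counts, current = {}, None
    for tag, body in packets(data):
        if tag == 6:                        # public-key packet starts a new certificate
            current = v4_fingerprint(body)
            counts[current] = 0
        elif tag == 2 and current is not None:
            counts[current] += 1            # signature packet; self-signatures count too
    return {fp: c for fp, c in counts.items() if c > n}

def sample_pkt(tag, body):  # constructed packet: new-format header, filler body, no real key
    return bytes([0xC0 | tag, len(body)]) + body

SAMPLE = (sample_pkt(6, b"\x04key-A") + sample_pkt(13, b"uid") + sample_pkt(2, b"sig") * 3
          + sample_pkt(6, b"\x04key-B") + sample_pkt(2, b"sig"))
```

`over_threshold(SAMPLE, 2)` returns only the first constructed certificate, with a count of 3; the resulting fingerprints are what a gateway blocklist for GET requests would be built from.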

