sks-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] heads-up: another attack tool, using SKS as FS

From: Tom at FlowCrypt
Subject: Re: [Sks-devel] heads-up: another attack tool, using SKS as FS
Date: Sat, 14 Jul 2018 03:01:31 +0000
> that would probably be an incomplete mitigation:

Sounds better than no solution!

> -people can use the photo id field instead

Size limit can be enforced.

> -people can use valid e-mail addresses under an own domain ("catch-all")

As long as it can validate, seems fine to me. Better than no verification.

> -your keyserver suddenly can be abused for email spamming

Any online service that allows registrations can be abused for email spamming, if you consider registration emails an "email spam".

--------

Another limitation: you cannot apply the email verification process to the recon algo, because the user would get flooded with verification emails. That means you could have a malicious SKS implementation flooding others with non-verified emails. Again, not perfect, but a good start.



On Sat, Jul 14, 2018 at 2:50 AM, Tobias Frei <address@hidden> wrote:
Hi Ryan,

that would probably be an incomplete mitigation:

-people can use the photo id field instead
-people can use valid e-mail addresses under an own domain ("catch-all")
-your keyserver suddenly can be abused for email spamming

Best regards
Tobias Frei



Am 14.07.2018 um 02:57 schrieb Ryan Hunt:
Could this be mitigated by validating email addresses as they come in? Like sending an encrypted mail to the said address with a return token, If the token is not provided the key is never put into the SKS rotation?

I think a solution like this would be much more effective, and if there was some desire to conform to GDPR at some point it would be pretty much required first step because I cannot see how we could possibly remove keys without a command signed by that key, and putting this in place would make that ‘no more difficult to remove than it was to add’..

Regards,
-Ryan Hunt

On Jul 13, 2018, at 11:20 AM, Phil Pennock <address@hidden> wrote:

Signed PGP part
Heads-up:

https://medium.com/@mdrahony/are-pgp-key-servers-breaking-the-law-under-the-gdpr-a81ddd709d3e
https://github.com/yakamok/keyserver-fs
https://lobste.rs/s/sle0o4/are_pgp_key_servers_breaking_law_under

This `keyserver-fs` is software to attack SKS, using it as a filesystem, in
what appears to be a deliberate attack on the viability of continuing to
run a keyserver.

The author is upset that there's no deletion, so is pissing in the pool.

-Phil




_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel


_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel

reply via email to
[Prev in Thread] Current Thread [Next in Thread]