SKS Keyserver Network Attack: Consequences
This work is released under a Creative Commons Attribution-NoDerivatives 4.0 International License.
Back in late February, the Internet Freedom Festival put together a roundtable of communications security nerds to help dissidents in Venezuela figure out how to organize and communicate in the face of widespread DNS poisoning. I contributed a brief HOWTO explaining what the Maduro regime was doing and some simple, effective mitigations. At the very top of the HOWTO was a paragraph of security considerations. Chief among them was a caution that this document came with an OpenPGP digital signature: before relying on the information in the document they ought ensure nobody had tampered with it, either to install malware into the PDF or to alter the advice I was giving.
I put this HOWTO out in the wild. I've had four people send me thank-you notes for writing it. I figure that means it's been seen by between four and four hundred people. The numbers aren't important, really.
What's important is my instructions told them to check the digital signature. And today, if they do this it is overwhelmingly likely they'll get a poisoned certificate from the keyserver network and their GnuPG installation will break horribly. They're in Venezuela, they're trying to organize for democratic change, they're being surveilled by Maduro, and now this … I don't even know what to call this attacker. There are no polite words. There is only "this sonufabitch."
So this sonufabitch has broken one of the important tools used by Venezuelan activists.
And then I start thinking about all of the other groups I've supported in the last year. Journalists covering Syria and Gaza, for instance. Or …
I gave them excellent advice. Check the signature on this document before you trust it.
And now, thanks to this sonufabitch, if they follow the best practices of communication security they will horribly break their tools.
For much of the keyserver network's existence we had literally no complaints about privacy. Literally none. Around 2000 people began to fear that by putting their email address in the keyserver network they might open themselves to receiving spam. There was some foundation for that fear, but the consensus opinion from the people who actually knew what was going on was that it was foolish to base your anti-spam strategy on keeping the spammers from discovering your email address.
So we ignored it. "Yep, there's a minor risk there, yep, we've done experiments, yep, posting your email address on the keyserver network is associated with a slight increase in spam received. But the increase is so slight we're not going to fix it. Would you like some advice on effective spam filtering?"
People who understood the spam fight agreed with us. But a whole lot of people didn't and made their displeasure — and very often their shocking ignorance — known at high volume.
We ignored them, which was the right thing to do. You don't let people who don't understand problems dictate which problems will be solved.
Then came September 2010. One keyserver operator in the European Union, Peter Pramberger, found himself facing a lawsuit by an OpenPGP user who was angry he could not have his email address deleted from the keyservers. Under EU data privacy regulations he had the right to demand this, but the keyserver network specifically lacked the capability to comply. It was designed that way for a reason.
Peter had no good way out. It would cost him tens of thousands of euros to take this through a court process, and at the end of the court process there was no guarantee he would be excused from an impossible requirement. Peter took down his keyserver.
September 2010 began the Great Assault on the Keyserver Network. All of us knew the handwriting was on the wall. All it took to strike down a keyserver in the EU was a couple of pages of privacy directive and the threat of a lawsuit.
The privacy trolls came out in force after that. They didn't want to hear technical explanations of difficulty, or lack of resources, or lack of competent people, or the fact none of us were paid and none of us could afford to take a year off work to do the overhaul they demanded.
Special criticism goes to the Electronic Frontier Foundation, which paid Micah Lee to publish premade attack tools to exploit these design misfeatures in the keyserver network. Oh, sure, "academic freedom" and "it was about research". I don't know if Micah's
trollwot toolkit was used in the most recent attacks. I know that if I was writing an attack tool that's where I'd start from.
Academic freedom should not be construed as permission to publish attack tools against a critical service with known vulnerabilities. Publishing a proof of concept is great and completely within the bounds of acceptable behavior. Publishing attack code is not.
Thanks for nothing, EFF.
January of last year — January 16, 2018 — one user threatened to do what pretty much happened this week. I'm not going to name this jerk, but it was a public message: you can find it in a public mailing list archive somewhere, if your Google-fu is good enough.
How about this; let's make "your" public key the ideal canditate for a global trollwot session, were every GnuPG Linux user can participate and add some funny things to "your" public key. This would be also interesting to see how many signatures a public key can bear.
Maybe people can do also other things with "your" pub key and post the used techniques here, like i did in the past with Erika Mustermann's pub key and the added fake sig from Werner.
This would imho give you and people you talk to in conferences etc. also a better view what i am talking about.
Let me make it clear, I'm not accusing that guy of being the responsible party. I don't have evidence to support that, or any other attribution. That jerk's raw sense of entitlement, and his callous talk about how he's vandalized certificates in the past, is not unusual to see among GnuPG's users. It's a long list.
But I tremble with fear for how people I know in hostile regimes are currently at risk of having their tools broken — and then I look at the preening self-righteousness of those louts who feel entitled to burn things down just to make a point.
They're children, the lot of them, children with matches and gasoline who are prancing and cavorting in our living rooms.
They have no idea the damage they do.
And more to the point, I genuinely don't think they care, either.
Sure, saw that. The problem lies within compromise 2: there is no "forward secrecy violation" in allowing user to backup chats. Not shipping that for all chats is a strict security downgrade from designs like Signal's double ratchet. Non forward secure schemes basically deny user ability to remove a message without destroying the whole identity that it was encrypted for.