Tuesday, 02 July 2019 07:31

Certificate poisoning puts Tor network, Linux updates at risk


An attack on a key server and the subsequent poisoning of the certificates of two OpenPGP contributors — Robert Hansen and Daniel Gillmor — has created a situation where the only safe approach is for people to stop retrieving data from the SKS keyserver network.

A number of certificates associated with the Tor project have also been flooded. The Tor network is used for anonymously accessing sites on the Web.

Hansen, who has been part of the OpenPGP community for the last 27 years, warned it could get worse. "This attack cannot be mitigated by the SKS keyserver network in any reasonable time period," he said in a post on GitHub.

"It is unlikely to be mitigated by the OpenPGP Working Group in any reasonable time period. Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network."

The software running the key server was written in the OCaml language as a proof of concept and has not been maintained since. Its design is baked into the entire infrastructure, meaning that a rewrite would be an impossibly arduous task.

The certificate spamming attack took place last week and exploited a defect in the OpenPGP protocol to poison the two developers' certificates.

In a note on GitHub, Hansen said anyone who tried to import a poisoned certificate into a vulnerable OpenPGP installation would break their installation in ways that would be very hard to debug.

"Poisoned certificates are already on the SKS keyserver network," he said. "There is no reason to believe the attacker will stop at just poisoning two certificates.

"Further, given the ease of the attack and the highly publicised success of the attack, it is prudent to believe other certificates will soon be poisoned."

One of the common implementations of OpenPGP is the GnuPG package which is used on all Linux distributions. "The number one use of OpenPGP today is to verify downloaded packages for Linux-based operating systems, usually using a software tool called GnuPG," Hansen said.

"If someone were to poison a vendor's public certificate and upload it to the keyserver network, the next time a system administrator refreshed their keyring from the keyserver network the vendor's now-poisoned certificate would be downloaded.

"At that point upgrades become impossible because the authenticity of downloaded packages cannot be verified. Even downloading the vendor's certificate and re-importing it would be of no use, because GnuPG would choke trying to import the new certificate. It is not hard to imagine how motivated adversaries could employ this against a Linux-based computer network."

Hansen advised the following as a short-term mitigation:

"Users who are confident editing their GnuPG configuration files should follow the following process," he said:

"Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.

"Open dirmngr.conf in a text editor. Add the line keyserver hkps:// to the end of it."
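The two configuration edits above can be applied as a small, repeatable shell script. The following is an added example written for this article, not code from Hansen's post; it assumes the file paths are passed in explicitly and uses a placeholder keyserver URL, which should be replaced with the hkps:// server the reader intends to use. It removes every keyserver line from gpg.conf (keeping a backup), appends the keyserver line to dirmngr.conf only if it is not already there, and reports how many keyserver directives remain so the change can be checked.

```shell
#!/bin/sh
# Added example (not from the original article): apply the gpg.conf and
# dirmngr.conf edits described above to explicitly named files.
# The keyserver URL passed as the third argument is a placeholder assumption;
# substitute the hkps:// server you have chosen.
set -eu

# Remove every line of a gpg.conf that starts with "keyserver" (leading
# whitespace allowed). A backup copy is written next to the file first.
remove_gpgconf_keyserver() {
    conf="$1"
    [ -f "$conf" ] || return 0           # no file, nothing to remove
    cp "$conf" "$conf.bak"
    # grep -v exits 1 when every line was filtered out; treat that as success
    grep -v '^[[:space:]]*keyserver' "$conf.bak" > "$conf" || :
}

# Append "keyserver <url>" to dirmngr.conf unless that exact line already
# exists, so the function can be run repeatedly without duplicating the line.
set_dirmngr_keyserver() {
    conf="$1"
    url="$2"
    if [ -f "$conf" ] && grep -qxF "keyserver $url" "$conf"; then
        return 0
    fi
    printf 'keyserver %s\n' "$url" >> "$conf"
}

# Count the keyserver directives in a file (0 if the file does not exist);
# used to verify the result of the two edits above.
count_keyserver_lines() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^[[:space:]]*keyserver' "$1" || :
}

# Usage: sh fix_keyserver.sh ~/.gnupg/gpg.conf ~/.gnupg/dirmngr.conf hkps://KEYSERVER_PLACEHOLDER
if [ "$#" -eq 3 ]; then
    remove_gpgconf_keyserver "$1"
    set_dirmngr_keyserver "$2" "$3"
    echo "keyserver lines left in $1: $(count_keyserver_lines "$1")"
    echo "keyserver lines in $2: $(count_keyserver_lines "$2")"
fi
```

Running the script twice must leave dirmngr.conf with a single keyserver line; if it does not, the hkps:// line was already present in a slightly different form and should be reconciled by hand.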

He said if one knew of a particular certificate that was poisoned, one could try to delete it. "This normally goes pretty quickly. If your OpenPGP installation becomes usable again, congratulations. Acquire a new unpoisoned copy of the certificate and import that.

"If you don't know which certificate is poisoned, your best bet is to get a list of all your certificate IDs, delete your keyrings completely, and rebuild from scratch using known-good copies of the public certificates."
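Finding out which certificate in a keyring is the poisoned one need not be guesswork. The flooding described in this article takes the form of a very large number of signatures attached to a certificate, so counting the signatures on each public key is a practical check. The script below is an added example, not code from Hansen or the GnuPG project; it parses the machine-readable output of `gpg --with-colons --list-sigs`, in which a `pub:` record carries the key ID in its fifth field and every following `sig:` record belongs to that key, and reports keys whose signature count exceeds a threshold. The threshold of 1000 and the sample listing are assumptions constructed for the example; an ordinary certificate carries a handful to a few hundred signatures.

```shell
#!/bin/sh
# Added example (not from the original article): flag certificates in a
# GnuPG keyring that carry an abnormally large number of signatures.
set -eu

# Read "gpg --with-colons --list-sigs" output on stdin and print
# "<keyid> <signature-count>" for every public key with more than $1
# signatures. Keys are reported in the order they appear in the listing.
find_flooded_keys() {
    threshold="$1"
    awk -F: -v max="$threshold" '
        $1 == "pub" { key = $5; order[++n] = key; count[key] = 0 }
        $1 == "sig" && key != "" { count[key]++ }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > max)
                    print order[i], count[order[i]]
        }'
}

# Constructed sample listing (an assumption, not real keyring data): one
# ordinary key with two signatures and one key flooded with 120 signatures.
sample_listing() {
    echo 'pub:u:4096:1:AAAA000000000001:1400000000:::u:::scESC::::::23::0:'
    echo 'uid:u::::1400000000::DEADBEEF::Ordinary Key <ordinary@example>::::::::::0:'
    echo 'sig:::1:AAAA000000000001:1400000000::::Ordinary Key <ordinary@example>:13x:::::2:'
    echo 'sig:::1:BBBB000000000002:1400000001::::Friend <friend@example>:10x:::::2:'
    echo 'pub:u:4096:1:CCCC000000000003:1400000000:::u:::scESC::::::23::0:'
    echo 'uid:u::::1400000000::CAFEF00D::Flooded Key <flooded@example>::::::::::0:'
    i=0
    while [ "$i" -lt 120 ]; do
        echo 'sig:::1:DDDD000000000004:1561900000::::[User ID not found]:10x:::::2:'
        i=$((i + 1))
    done
}

# Usage: sh find_flooded.sh --scan [threshold]
# Lists suspicious keys from the local keyring; deletion is left to the
# operator (gpg --delete-keys <keyid>) so that nothing is removed by accident.
if [ "${1:-}" = "--scan" ]; then
    if command -v gpg >/dev/null 2>&1; then
        gpg --with-colons --list-sigs 2>/dev/null | find_flooded_keys "${2:-1000}"
    else
        echo "gpg not found in PATH" >&2
        exit 1
    fi
fi
```

Once a key ID is reported, the procedure quoted above applies: delete that certificate with `gpg --delete-keys`, confirm the installation is responsive again, and re-import a clean copy obtained from a source other than the SKS network.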

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.