

What is "best practice" for verifying detached signatures of Tails ISO images and Tor Browser images going forward, given the keyring-bombing problem?

I assume you're talking about CVE-2019-13050, aka certificate spamming (or signature spamming, or whatever you prefer to call it). Here's a short summary of the vulnerability:

First of all, this is only relevant when importing a new key or refreshing an existing key. Secondly, I believe most or all of the keyserver implementations have patched against this. Spamming attacks take up a lot of space and bandwidth on the keyservers themselves. In response, many servers have begun discarding signatures that are unknown, or those that don't link to an existing web of trust. As one example, decided to give up and just stop accepting signatures altogether. Third, it's a well-known vuln and every current version is patched.

Also note that, from what I understand, GPG automatically keeps a backup of the keyring, which is updated after every *successful* operation. You should be keeping regular backups of your public keyring in the first place, as it can become corrupt for any number of reasons ranging from power failures to ransomware. Even so, at worst it's a temporary denial-of-service attack.

If you're really worried, download keys only from the project website and not from a keyserver. Or, just make backups of your ~/.gnupg directory so you can restore it if anything happens.

You can completely avoid certificate spamming attacks by downloading the key from the project's website instead of a keyserver. Of course, you must still use the same key authentication practices no matter where you get the key from. At the very least, you should do this with the key fingerprint. Ideally you should only have to import the key once, store it preferably on read-only media such as a CD or a paper QR code, and keep it forever.

Anecdotally, I've had "auto-retrieve-key" enabled (when verifying a signature, gpg will automatically download it from the keyserver if it's not in the keyring) for the past six months or so, and have imported probably 100 keys this way without issue. Occasionally it will take a few minutes to import certain keys, but I'm fine with that.

Here's a good article about the history of keyservers and attacks against them. I don't necessarily agree with the author's opinions, but just to give you some background:
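As an added example (not code from this thread or from the Tails or Tor projects), here is a POSIX shell script for the approach the answer recommends: import the project's key once from a locally saved key file, refuse it unless its fingerprint matches one you pinned from the project's own website, and verify the detached signature with keyserver lookups disabled. The file names and the pinned fingerprint are placeholders you supply; the script assumes GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a detached signature using a
# key imported ONCE from a locally saved key file, pinned to a fingerprint you
# took from the project's own website, with keyserver lookups disabled.
set -eu

# Check that the key file $1 carries primary fingerprint $2 BEFORE importing
# it into the isolated keyring directory $3. Fails without importing on a
# mismatch. (--show-keys prints a key file without importing it; GnuPG 2.2+.)
import_pinned_key() {
    keyfile=$1; expected=$2; home=$3
    actual=$(gpg --batch --with-colons --show-keys "$keyfile" 2>/dev/null |
             awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$actual" != "$expected" ]; then
        echo "refusing key: fingerprint '$actual' != pinned '$expected'" >&2
        return 1
    fi
    mkdir -p "$home"; chmod 700 "$home"
    gpg --batch --homedir "$home" --import "$keyfile" >/dev/null 2>&1
}

# Verify detached signature $2 over file $1 using only the keyring in $3, and
# accept it only if the signing key's primary fingerprint is $4.
# --no-auto-key-retrieve ensures gpg never contacts a keyserver here, so a
# verify can never pull a spammed certificate into the keyring.
verify_detached() {
    file=$1; sig=$2; home=$3; fpr=$4
    gpg --batch --homedir "$home" --no-auto-key-retrieve --status-fd 1 \
        --verify "$sig" "$file" 2>/dev/null |
        awk -v want="$fpr" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
                            END { exit !ok }'
}

# Usage (all four arguments are placeholders you supply; the fingerprint comes
# from the project's website, never from a keyserver):
#   sh verify.sh signing-key.asc <PINNED_FINGERPRINT> image.iso image.iso.sig
if [ "$#" -eq 4 ]; then
    ring=$(mktemp -d)
    import_pinned_key "$1" "$2" "$ring" && verify_detached "$3" "$4" "$ring" "$2" &&
        echo "signature OK, made by pinned key $2"
fi
```

The VALIDSIG status line's last field is the primary key fingerprint, so the check holds even when the project signs with a subkey.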
