Unknown attackers are spamming a core component of the ecosystem of the well-known encryption software PGP, breaking users' PGP installations and clients. What’s worse, there may be no way to stop them.
Last week, contributors to the PGP protocol GnuPG noticed that someone was “poisoning” or “flooding” their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impossible for the the PGP software that people use to verify its authenticity, which can make the software unusable or break. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.
It’s unclear who’s behind these attacks, but the targets are Robert J. Hansen and Daniel Kahn Gillmor, both OpenPGP protocol developers.
“We've known for a decade this attack is possible. It's now here and it's devastating,” Hansen wrote in his attack post-mortem.
“There’s a vast number of people being put in jeopardy and I don’t even know who they are,” Hansen said in a phone call. “I want to fix this, and I don’t even know who I should be talking to.”
Have a tip about a data breach or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Gillmor had a similarly grim conclusion: “This is a mess, and it's a mess a long time coming,” he wrote in his own analysis of the attack.
The issue lies with something called SKS, or Synchronizing Key Server. These are a federated and decentralized network of servers that facilitate the discovery and distribution of public PGP digital certificates used by developers. These are unique, hard to forge documents that are public and are necessary to establish secure, encrypted communications. As Hansen explains, these were designed to allow people to freely append certifications or signature to any certificate, and they were designed so that it was impossible to delete them.
“The OpenPGP specification puts no limitation on how many signatures can be attached to a certificate. The keyserver network handles certificates with up to about 150,000 signatures. “GnuPG, on the other hand … doesn't.” Hansen wrote, referring to another implementation of OpenPGP. Any time GnuPG has to deal with such a spammed certificate, GnuPG grinds to a halt. It doesn't stop, per se, but it gets wedged for so long it is for all intents and purposes completely unusable.”
For the sake of being very clear here, this attack takes advantage of a feature, not a bug of the PGP ecosystem.
“The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on, because people are deliberately abusing those keyservers,” Gillmor explained.
In practice, this means users can’t verify the authenticity of packages, and their PGP-friendly mail software, such as Enigmail, may break down, according to Hansen.
If you think this is bad, consider this: the SKS software was written in an obscure language by a PhD student for his thesis. And because of that, according to Hansen, “there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase.”
In other words, these attacks are here to stay.
The good news, according to Hansen, is that PGP can survive without the SKS network.
“No one should panic. PGP is not broken, PGP is not dead,” Hansen said.
Subscribe to our new cybersecurity podcast, CYBER.