Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem

[InfoSec News <alerts () infosecnews org>]

https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem

By Lorenzo Franceschi-Bicchierai
Vice.com
July 3, 2019

Unknown attackers are spamming a core component of the ecosystem of the 
well-known encryption software PGP, breaking users' PGP installations and 
clients. What’s worse, there may be no way to stop them.

Last week, contributors to the PGP protocol GnuPG noticed that someone was 
"poisoning" or "flooding" their certificates. In this case, poisoning refers to 
an attack where someone spams a certificate with a large number of signatures 
or certifications. This makes it impossible for the the PGP software that 
people use to verify its authenticity, which can make the software unusable or 
break. In practice, according to one of the GnuPG developers targeted by this 
attack, the hackers could make it impossible for people using Linux to download 
updates, which are verified via PGP.

It's unclear who's behind these attacks, but the targets are Robert J. Hansen 
and Daniel Kahn Gillmor, both OpenPGP protocol developers.

"We've known for a decade this attack is possible. It's now here and it's 
devastating," Hansen wrote in his attack post-mortem.

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_