[tor-project] PSA: flood attack against OpenPGP certificates underway

Arthur D. Edelstein arthuredelstein at gmail.com
Tue Jul 2 16:31:03 UTC 2019


Hi Everyone,

Someone pointed me to the following post by Robert J Hansen:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

Below that post, there are a couple of comments indicating that at
least two of Tor's signing keys listed in
https://2019.www.torproject.org/docs/signing-keys.html.en
have been poisoned by this attack, including the Tor Browser
Developers key and Tor Project Archive key. We're wondering if all of
the keys on that page have been affected. (I haven't had a chance to
learn about this attack or how to check other keys, but I wanted to
share this ASAP.)

Thanks,
Arthur

On Fri, Jun 28, 2019 at 12:44 PM Antoine Beaupré <anarcat at torproject.org> wrote:
>
> Short update: I was just told that a similar problem has actually
> occurred with TPO infrastructure, back in February:
>
> https://lists.torproject.org/pipermail/tor-project/2019-February/002194.html
>
> The affected key, at that time, was the deb.torproject.org signing key,
> which was signed by a key with a large UID. It's a different attack, but
> that can be mitigated in similar ways. The good key is still available here:
>
> https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
>
> ... where signatures are also provided so that you do not have to use
> the key from the keyservers. The key is also available on
> keys.openpgp.org.
>
> A.
> --
> Antoine Beaupré
> torproject.org system administration
> _______________________________________________
> tor-project mailing list
> tor-project at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
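
For readers asking how to check a key file, the following is an added example, not part of the thread or of any Tor Project tooling. It walks the RFC 4880 packet framing of a binary key file without importing it into a keyring, counting signature packets (the flooding case) and measuring the largest User ID packet (the February case). The thresholds, function names and sample bytes are assumptions made for illustration.

```python
# Added example: inspect a binary (non-armored) OpenPGP key file.
SIGNATURE, USER_ID = 2, 13          # RFC 4880 packet tags
MAX_SIGS, MAX_UID = 1000, 2048      # assumed review thresholds, tune locally

def iter_packets(data):
    """Yield (tag, body) for each top-level packet in `data`."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {pos - 1}")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def inspect_key(data):
    """Return signature count, largest User ID size and a review flag."""
    sigs, uid = 0, 0
    for tag, body in iter_packets(data):
        sigs += tag == SIGNATURE
        if tag == USER_ID:
            uid = max(uid, len(body))
    return {"signatures": sigs, "largest_uid": uid,
            "suspicious": sigs > MAX_SIGS or uid > MAX_UID}

def _pkt(tag, body):
    """Build a new-format packet with a 5-octet length (constructed data)."""
    return bytes([0xC0 | tag, 255]) + len(body).to_bytes(4, "big") + body

# Constructed inputs with placeholder bodies, not real keys.
CLEAN = _pkt(6, b"\x04" * 20) + _pkt(13, b"Example <e@example.org>") + _pkt(2, b"\x04" * 30)
FLOODED = CLEAN + _pkt(2, b"\x04" * 30) * 5000
```

The input must be binary; an ASCII-armored `.asc` file can be converted first with `gpg --dearmor`, which does not add the key to a keyring.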

