[tor-project] PSA: flood attack against OpenPGP certificates underway

Matt Traudt pastly at torproject.org
Mon Jul 22 12:54:40 UTC 2019


On 7/2/19 18:31, Arthur D. Edelstein wrote:
> Hi Everyone,
> 
> Someone pointed me to the following post by Robert J Hansen:
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> 
> Below that post, there are a couple of comments indicating that at
> least two of Tor's signing keys listed in
> https://2019.www.torproject.org/docs/signing-keys.html.en
> have been poisoned by this attack, including the Tor Browser
> Developers key and Tor Project Archive key. We're wondering if all of
> the keys on that page have been affected. (I haven't had a chance to
> learn about this attack or how to check other keys, but I wanted to
> share this ASAP.)
> 
> Thanks,
> Arthur
> 

In case it's helpful, I've cleaned the Tor Browser signing key of the
poison signatures and put it up here[0] for the time being.

People[1] are attempting to download the poisoned key and experiencing
issues. The instructions[2] on Tor's website that they are following
still tell people to use the key server pool with poisoned keys. These
should probably be updated ASAP.

Let's please do something about this.

Matt

PS I figured out my GnuPG issues and how to fix them following these[3]
instructions.

[0]: https://demos.traudt.xyz/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290.asc
[1]: https://redd.it/cgbza2
[2]: https://2019.www.torproject.org/docs/verifying-signatures.html.en
[3]: https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certificates/
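Added example, not code from this thread or from the Tor Project: a small Python check that walks the packets of a binary (non-armored) OpenPGP certificate using the RFC 4880 packet framing and counts the signature packets attached to each User ID, which is how a flooded key presents on disk before GnuPG ever tries to import it. The 500-certification threshold and the constructed sample key are assumptions; run it against a `gpg --export` of a downloaded key to decide whether to clean it before importing.

```python
import struct

SIG, PUBKEY, UID, SUBKEY = 2, 6, 13, 14    # packet tags, RFC 4880 section 4.3

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet of a binary (non-armored) OpenPGP stream."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80: raise ValueError(f"invalid packet header at offset {pos - 1}")
        if hdr & 0x40:                          # new-format header: tag in the low 6 bits
            tag, first, pos = hdr & 0x3F, data[pos], pos + 1
            if first < 192:                     # one-octet length
                length = first
            elif first < 224:                   # two-octet length
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:                  # five-octet length
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:                               # partial lengths are only legal in data packets
                raise ValueError("partial body length in key material")
        else:                                   # old-format header: tag in bits 2-5
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length in key material")
            length, pos = int.from_bytes(data[pos:pos + (1 << ltype)], "big"), pos + (1 << ltype)
        yield tag, data[pos:pos + length]
        pos += length

def signatures_per_uid(data: bytes) -> dict:
    """Map each User ID to the number of signature packets attached to it."""
    counts, current = {}, None
    for tag, body in iter_packets(data):
        if tag == UID:
            current = body.decode("utf-8", "replace")
            counts[current] = 0
        elif tag in (PUBKEY, SUBKEY):
            current = None                      # signatures here bind the (sub)key, not a UID
        elif tag == SIG and current is not None:
            counts[current] += 1
    return counts

def flooded_uids(data: bytes, threshold: int = 500) -> list:  # threshold is an assumed policy
    return [uid for uid, n in signatures_per_uid(data).items() if n > threshold]

def old_packet(tag: int, body: bytes) -> bytes:  # old-format header, two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
# Constructed sample (not a real key): a normal UID, a UID flooded with 600 dummy
# signatures, and a subkey whose binding signature must not be charged to any UID.
SAMPLE = (old_packet(PUBKEY, b"\x04" * 8)
          + old_packet(UID, b"alice <alice@example.org>") + old_packet(SIG, b"\x04") * 3
          + old_packet(UID, b"flooded <flooded@example.org>") + old_packet(SIG, b"\x04") * 600
          + old_packet(SUBKEY, b"\x04" * 8) + old_packet(SIG, b"\x04"))
```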