Sign In

Communications of the ACM

ACM News

Someone Is Spamming and Breaking a Core Component of PGP’s Ecosystem


View as: Print Mobile App Share: Send by email Share on reddit Share on StumbleUpon Share on Hacker News Share on Tweeter Share on Facebook
In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.

Unknown attackers are spamming a core component of the ecosystem of the well-known encryption software PGP, breaking users' PGP installations and clients.

Credit: Getty Images

Unknown attackers are spamming a core component of the ecosystem of the well-known encryption software PGP, breaking users' PGP installations and clients. What's worse, there may be no way to stop them.

Last week, contributors to the PGP protocol GnuPG noticed that someone was "poisoning" or "flooding" their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impossible for the the PGP software that people use to verify its authenticity, which can make the software unusable or break. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.

It's unclear who's behind these attacks, but the targets are Robert J. Hansen and Daniel Kahn Gillmor, both OpenPGP protocol developers.

"We've known for a decade this attack is possible. It's now here and it's devastating," Hansen wrote in his attack post-mortem.

"There's a vast number of people being put in jeopardy and I don't even know who they are," Hansen said in a phone call. "I want to fix this, and I don't even know who I should be talking to."

 

From Motherboard
View Full Article

 


 

No entries found