OpenPGP Certificate Attack Worries Experts

Found on DUO on Saturday, 06 July 2019
Browse Internet

The attack is quite simple and doesn’t exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that’s used to distribute certificates.

The OpenPGP specification doesn’t have any upper limit on the number of signatures that a certificate can have, so any user or group of users can add signatures to a given certificate ad infinitum. That wouldn’t necessarily be a problem, except for the fact that GnuPG, one of the more popular packages that implements the OpenPGP specification, doesn’t handle certificates with extremely large numbers of signatures very well. In fact, GnuPG will essentially stop working when it attempts to import one of those certificates.

Some kid in a basement must be really angry there. That, or some of the usual suspects who do not like secure and private communication.