Public key spamming issue remains unfixed: Why is Tor so quiet about it?

We tried downloading the keyserver-crashing 0x4E2C6E8793298290 but it's still 'too large' to import

Security flaws enabling attackers to spam the public keys of public organisations haven't been fixed, it has been claimed.

Over the past few months, unknown attackers have been spamming the public keys of organisations like Tor so that the keys become too big to import, overload GPG and can no longer be used to verify code.

In July, Bleeping Computer reported that attackers could halt OpenPGP installations and impact their ability to verify download packages by overwhelming them with dodgy signatures.

The attack, tracked as CVE-2019-13050, can have a significant effect on the operations of SequoiaPGP, GnuPG and JavaScript OpenPGP.

In a security post, the US National Institute of Standards and Technology explains: "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network.

"Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack."

But despite the severity of this flaw, people are concerned that organisations are not doing enough to prevent this known vulnerability from being leveraged in future attacks.

Responding to a blog by Tor, one person said: "Posts from Daniel Kahn Gillmor and R. J. Hansen make it clear that the key poisoning is very serious and has the potential to make it difficult for anyone to use GPG/PGP keys to verify the integrity of Tor Browser bundle downloads, Tails ISO images, Debian install ISO images, etc.

"Coming at a time when many Debian users are installing Buster (new stable) this attack has the potential to be particularly damaging. Unfortunately, it seems that debian.org has not yet posted prominent warnings to avoid trying to download the latest version of signing keys from the SKS keyserver network."

They claim that "Tor Project needs to address this issue with a dedicated blog post offering detailed advice on how to obtain and maintain a keyring holding the (public half of) the signing keys".

The poster added: "The actors are unknown but it seems particularly vicious that they targeted DKG who has been trying to fix this vulnerability for years. But we know that in recent weeks the viciousness of apparently state sponsored cyberattacks has dramatically increased."

Computing tried to download and import the signing key for Tor Browser but was unable to do so. The public keyservers timed out, and a download of the key was too large (25 MB) to import using GPG. In a blog post, "Mitigating Poisoned PGP Certificates (CVE-2019-13050)", Hansen describes a way of stripping out the dodgy signatures to make the key usable once again. However, GPG will generally try to update keys automatically, so the spammed public keys become unusable again. It is not possible to remove affected keys from public keyservers.
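As an added illustration (not from Computing, from Hansen's post, or from any Tor or GnuPG code), the check below parses the packet headers of a dearmored OpenPGP certificate and counts its signature packets, so an operator can refuse an oversized key before handing it to GPG; the 1000-signature threshold and the file name are assumptions, and packet bodies are skipped rather than interpreted.

```python
import sys
from collections import Counter

SIGNATURE_TAG = 2  # RFC 4880 section 5.2: Signature Packet


def iter_packets(blob: bytes):
    """Yield (tag, body) for each packet; headers per RFC 4880 section 4.2."""
    pos = 0
    while pos < len(blob):
        ctb = blob[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header (section 4.2.2)
            tag, first = ctb & 0x3F, blob[pos]
            pos += 1
            if first < 192:  # one-octet length
                length = first
            elif first < 224:  # two-octet length
                length, pos = ((first - 192) << 8) + blob[pos] + 192, pos + 1
            elif first == 255:  # five-octet length
                length, pos = int.from_bytes(blob[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header (section 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(blob[pos:pos + size], "big"), pos + size
        body = blob[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        pos += length
        yield tag, body


def signature_count(blob: bytes) -> int:
    """Count signature packets: self-signatures plus third-party certifications."""
    return Counter(tag for tag, _ in iter_packets(blob))[SIGNATURE_TAG]


def is_poisoned(blob: bytes, max_signatures: int = 1000) -> bool:
    """Flag a certificate above an assumed operator threshold (not a GnuPG default)."""
    return signature_count(blob) > max_signatures

if __name__ == "__main__":  # usage: python check_cert.py dearmored-key.bin
    data = open(sys.argv[1], "rb").read()
    print(f"{signature_count(data)} signature packets; poisoned={is_poisoned(data)}")
```

Armored key files need `gpg --dearmor` first, since the parser reads the binary packet stream.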

We are surprised that the Tor Project and other affected projects have still not publicised the issue a month after it arose, warning users to take defensive action. After all, what is the point of offering an ultra-secure anonymous browser if users cannot verify the downloaded code as genuine? Indeed, the page "How can I verify Tor Browser's signature?" still recommends importing the key, and the issue is marked as 'closed' on maintainer Micah Lee's Torbrowser-launcher repository on GitHub.