Kofi Anash 
Updated July 17th, 2019
Two contributors to the OpenPGP community have become the victims of certificate spamming attack by hackers.
The attack took place last month and used a defect in the OpenPGP protocol itself in order to “poison” the victims’ OpenPGP certificates. The two people targeted by the attacks were Robert J Hansen and Daniel Kahn Gillmor, better known in the community as “rjh” and “dkg”.
Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways, said Hansen.
“Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at poisoning just two. Given the ease of the attack and the highly publicised success of the attack, it is prudent to believe other certificates will soon be poisoned,” he said in a post on Github.
The hacker initiates the attack by adding signatures to a certificate in the keyserver network. Normally, these signatures are statements from other people represented by their own public certificates. The signature proves that this certificate really belongs to that particular individual.
The OpenPGP specification puts no limitation on how many signatures can be attached to a certificate. The keyserver network handles certificates with up to about 150,000 signatures.
Both Hansen and Gillmor have had so many signatures added to their public keys that they have become all but unusable.
Hansen said the consequences of this are “devastating”.
“There are a few major takeaways and all of them are bad. If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation. Poisoned certificates cannot be deleted from the keyserver network. The number of deliberately poisoned certificates, currently at only a few, will only rise over time. We do not know whether the attackers are intent on poisoning other certificates. We do not even know the scope of the damage.”
Hansen added that the attack cannot be mitigated by the SKS keyserver network in any reasonable time period.
“It is unlikely to be mitigated by the OpenPGP Working Group in any reasonable time period. Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network,” Hansen added.
Jake Moore, cybersecurity specialist at ESET, told SC Media UK that although they say “if it ain’t broke, don’t fix it” may work in some situations, when it comes to cyber-security, we should be thinking about zero-trust and assume everything is vulnerable.
“Many legendary security protocols are in need of a facelift and this is a great example of why,” he said.
“Although this is using a relatively old technique, this attack is actually quite impressive. Short term mitigation of disabling automatic refreshing of the certificate is not the best weapon here, but still may help thwart the attack’s possible impact. Users who believe they are high-risk may even need to think about stopping using the keyserver altogether until further work is completed and a solution to this problem is generated.”
Kevin Bocek, VP security strategy & threat intelligence at Venafi, told SC Media UK that this attack shows how powerful certificates of all types can be: disabling software, especially critical software like encryption.
“While this attack would not be a risk for TLS certificates directly, since signatures are controlled by a CA very differently than the open PGP servers, it shows the bad guys understand they are powerful weapons. More worrisome is the daily misuse of TLS certifies to enable phishing and theft of code signing certificates to evade even next gen AV,” he said.
