The PGP (SKS) net server network is under attack, and it seems pretty damn bad. gist.github.com/rjhansen/67ab9…
Read the post obviously. But the TL;DR is that someone is spamming the keys of certain GnuPG contributors with huge numbers of extra signature attestations, and GnuPG can’t deal with it.
The problem seems basically unfixable, and oh god, of course the reason involves unmaintained academic code written in OCaml.
The attacker has targeted two active OpenPGP/GnuPG developers in particular: Robert Hansen and DKG. I hate that someone is doing this. But I also recognize why they’re doing it. And it kind of tears me up.
There’s been a debate in the crypto community about whether the OpenPGP infrastructure is worth carrying on or whether it should be thrown out and replaced. This attack is obviously a very powerful argument for the latter. But it’s also a crappy thing to do to people.
See DKG’s blog post linked from the bottom of the above post. I’d propose that making DKG think about walking away from the ecosystem is maybe part of the attacker’s goal. I hope he doesn’t.
Not, mind you, because I’m excited about the OpenPGP ecosystem continuing to exist. The fact that critical portions of the code are written in unmaintainable languages should make it obvious that’s a bad idea.

But this is just a crummy way for things to happen.
(But, they cry, GnuPG is needed for so much more than encryption. It’s also needed for signing critical packages. Maybe that’s not the greatest idea either.)