Re: [liberationtech] PGP WOT
On Sun, 2014-03-23 at 16:08 -0400, Jonathan Wilkes wrote: Hi list, If I were so inclined couldn't I periodically query every publicly accessable PGP keyserver (maybe do it in a distributed manner) and upload a new key with the same name/email address as what was added since the last time I checked? Furthermore, couldn't I periodically query every publicly accessible PGP keyserver (maybe do it in a distributed manner) to see who signed what, and then mirror that web of trust with the keys I control? Furthermore, couldn't I also upload keys with same name/email addresses for any keys that existed before I started, lie about the creation date, and work those into my hall of mirrors? Yes. Which is why a web of trust that isn't grounded is more or less useless, and GnuPG, in its default configuration, will only accept a key as valid if there is a path of signatures to it from your own key. The keyservers are very useful for fetching keys for which you already know the fingerprint. Fetching keys just based on a name or an email address is not secure in the face of attacks like the one you just described. --ll -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] PGP WOT
Hi list, Hi, Please also search the list's archives -- and archives of tor-talk at torproject.org -- as in the last year or so there've been about 4 threads on WoT privacy/security issues that you are asking. Also check out: https://we.riseup.net/riseuplabs+paow/openpgp-best-practices If you find those threads, please add URLs to the comments section of the above best-practices doc. ;-) Thanks, Lee -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] PGP WOT
Jonathan Wilkes writes: Furthermore, couldn't I periodically query every publicly accessible PGP keyserver (maybe do it in a distributed manner) to see who signed what, and then mirror that web of trust with the keys I control? Furthermore, couldn't I also upload keys with same name/email addresses for any keys that existed before I started, lie about the creation date, and work those into my hall of mirrors? Micah Lee's OHM talk addressed these problems: https://program.ohm2013.org/event/113.html https://github.com/micahflee/trollwot https://github.com/micahflee/trollwot/blob/master/trollwot.pdf (It doesn't really propose solutions, just highlights the problems very well.) -- Seth Schoen sch...@eff.org Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] PGP WOT
On 24 Mar 2014, at 6:38 , Jonathan Wilkes jancs...@yahoo.com wrote: If I were so inclined couldn't I periodically query every publicly accessable PGP keyserver (maybe do it in a distributed manner) and upload a new key with the same name/email address as what was added since the last time I checked? Furthermore, couldn't I periodically query every publicly accessible PGP keyserver (maybe do it in a distributed manner) to see who signed what, and then mirror that web of trust with the keys I control? You could try that, but apart from what others have said, there is a practical obstacle: you must reliably MITM all messages to and from everyone whose key you’ve forged, or people will notice the key mismatch because their messages won’t decrypt or the signature won’t verify. If that happens, you’ve got to MITM discussions out-of-band which might lead to someone asking “Where did you get that key from?” You’ve also got to make sure that real keys forged in your web aren’t distributed through other trustworthy channels (for example, supplied with distro disks or printed on business cards). I think that even with the NSA’s resources, they’d be hard-pressed to pull that off on a global scale, although it might be feasible against a few small targeted groups for a limited time. In effect, the keyservers are a kind of provisionally TTP - in the cold-introduction problem, users have to trust them for want of anything better, but PGP tools should make clear that the trust involved should be regarded as weak and provisional until one can check the keys. It might be possible for key servers to help with this, since they could also provide a list of keys which produce a path to a specified key from a set of well-known keys, although this could be run as a separate and untrusted service provided someone had a mirror of the major keyservers. Furthermore, couldn't I also upload keys with same name/email addresses for any keys that existed before I started, lie about the creation date, and work those into my hall of mirrors? I think your other repliers have been a bit too sanguine about the power of the WOT here - yes, in theory there shouldn’t be any link from users own keys to your web, but in practice people are lazy, stupid, and inclined to over-rate people, so there will almost certainly be links into your web. Fortunately, these links should be weaker than the links to equivalent parts of the real web, and user agents ought to pick the key with the strongest trust link (and want users about the potential fake)[1]. You could attempt to circumvent that by making the links within your web stronger and denser, but that creates a dead giveaway that your web is the fake one when it is discovered. [1] Exceptions can be made for less trusted keys signed for the same address by a more trusted key if the less-trusted key is newer and stronger, because then that is likely to be a legitimate successor, and probably a few other circumstances, but you get the idea. -- Liberationtech is public archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
