[yegortimoshenko]

Can confirm, I've reported a similar attack [1], along with a few other vulnerabilities, and also published exploit tools. I ended up getting legal threats from two people that I see frequently posting to sks-devel@ mailing list.

Additionally, Robert (GnuPG maintainer who wrote this Gist) has attacked [2] another person who wrote a proof-of-concept filesystem on top of SKS that was intended to highlight how broken the design is.

I have not seen a single open source community that would treat full disclosure with such contempt.

At this point SKS network continues to run exclusively on community goodwill. This attack seems to be specifically targeted on GnuPG maintainers, if attacker were to deliberately try to break SKS, they would target someone like Linus Torvalds.

Alternatively, there are other published vulnerabilities with exploits that allow to take the whole SKS network down within half an hour, which were published more than a year ago. And yet, those have not been used, so far.

[1]: https://bitbucket.org/skskeyserver/sks-keyserver/issues/57

[2]: https://twitter.com/robertjhansen/status/1017863443356020738

[omeid2]

> if attacker were to deliberately try to break SKS, they would target someone like Linus Torvalds.

I wish they did, as I am hoping for an outcome similar to bitkeeper/git.

[mirimir]

> I have not seen a single open source community that would treat full disclosure with such contempt.

So what are the acceptable limits of this "full disclosure"?

[yegortimoshenko]

I should have said "any disclosure": EFail was coordinated (6 months notice [1]) and yet GnuPG officially downplayed the risk [2], launched #effail counter-campaign and blamed researchers for bad disclosure [3].

With regards to any of the existing SKS exploits specifically: even if any of them were to undergo coordinated disclosure, it wouldn't have helped: trollwot has been available for 5 years, both keyserver-fs and sks-exploit -- for more than a year. Embargoes don't last that long. All three tools still work.

What GnuPG Project effectively tries to do is to stop people from writing about any security problems period, especially those that are hard to fix.

[1]: https://gist.github.com/tqbf/2ef6bce7d16e9d3e76d790fd99c9618...

[2]: https://twitter.com/gnupg/status/995936684213723136

[3]: https://twitter.com/gnupg/status/996856990818283521

[mirimir]

OK, makes sense. And damn, 10 years is >>> a year.

So then, as a mere user, I gotta ask how so much of the Linux ecosystem -- and indeed, so much of the open-source ecosystem -- came to depend on such a fragile thing as the SKS keyserver network. That's kinda mind-blowing.