On June 12th 2019 we wrote a blog post about a new GnuPG keyserver being launched (keys.openpgp.org).
Yesterday Robert J Hansen published a text about vulnerabilities in the widely used SKS keyserver network. As far as we understand, the new keyserver at keys.openpgp.org addresses many of the vulnerabilities found in the SKS keyservers.
We guess we will publish more posts on this subject in the coming days! Until then it is up to each and every one to read Robert's text and to take action accordingly! If you are not subscribed to the email@example.com e-mail list, we strongly recommend that you do so now to get updates on the subject!
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user’s computer.
For a long time the SKS Keyserver pool has been a de facto standard to publish public OpenPGP compatible keys. Kristian Fiskerstrand (@krifisk on Twitter) has been running the pool for more than ten years but over the years the distributed network of keyservers has been struggling with abuse, performance, as well as privacy issues, and more recently also GDPR compliance questions.
Is it time to make a change when it comes to the way you publish your public key(s)? If so, is keys.openpgp.org the solution?
The keys.openpgp.org keyserver splits up identity and non-identity information in keys. The gist is that non-identity information (keys, revocations, and so on) is freely distributed, while identity information is only distributed with consent that can also be revoked at any time.
If a new key is verified for some e-mail address, it will replace the previous one. This way, every e-mail address is only associated with a single key at most. It can also be removed from the listing at any time by the owner of the address. This is very useful for key discovery. If a search by e-mail address returns a key, it means this is the single key that is currently valid for the searched e-mail address.
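The consent split described in the two paragraphs above can be made concrete with a small model. The following Python is an added example written for this post; it is not the keyserver's own code, and the key fingerprints, addresses and the `ConsentKeyserver` class are constructed for illustration. It shows that key material and revocations are served to anyone, that an e-mail address is listed only after verification, that verifying a new key replaces the old one so a lookup returns at most one key, and that the address owner can withdraw the listing at any time.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Key:
    fingerprint: str
    user_ids: Set[str]      # e-mail addresses the certificate claims
    revoked: bool = False


class ConsentKeyserver:
    """Toy model (constructed for this example, not the keyserver's code) of the
    keys.openpgp.org split: key material and revocations are served to anyone,
    while an e-mail -> key association is served only after the address owner
    has verified it, and the owner can withdraw it at any time."""

    def __init__(self) -> None:
        self._keys: Dict[str, Key] = {}        # fingerprint -> key (non-identity data)
        self._verified: Dict[str, str] = {}    # e-mail -> fingerprint (identity data)

    def upload(self, key: Key) -> None:
        """Accept a certificate. Identity information is stored but NOT published."""
        prev = self._keys.get(key.fingerprint)
        revoked = key.revoked or (prev.revoked if prev else False)
        self._keys[key.fingerprint] = Key(key.fingerprint, set(key.user_ids), revoked)

    def revoke(self, fingerprint: str) -> bool:
        """A revocation is non-identity data: distributed freely, no consent needed."""
        key = self._keys.get(fingerprint)
        if key is None:
            return False
        key.revoked = True
        return True

    def verify_email(self, email: str, fingerprint: str) -> bool:
        """Called once the address owner has confirmed (e.g. via a mailed link; the
        confirmation round-trip itself is out of scope here). Replaces any earlier
        key for that address, so each address maps to at most one key."""
        key = self._keys.get(fingerprint)
        if key is None or key.revoked or email not in key.user_ids:
            return False
        self._verified[email] = fingerprint
        return True

    def remove_email(self, email: str) -> bool:
        """Owner withdraws consent: the address disappears from listings."""
        return self._verified.pop(email, None) is not None

    def lookup_by_fingerprint(self, fingerprint: str) -> Optional[Key]:
        """Served to anyone, but only verified user IDs are included."""
        key = self._keys.get(fingerprint)
        if key is None:
            return None
        shown = {e for e in key.user_ids if self._verified.get(e) == fingerprint}
        return Key(fingerprint, shown, key.revoked)

    def lookup_by_email(self, email: str) -> Optional[str]:
        """At most one fingerprint: the key currently valid for this address."""
        return self._verified.get(email)


def demo() -> dict:
    """Walk through upload, verification, replacement, withdrawal and revocation
    with constructed sample keys; returns the observations at each step."""
    ks = ConsentKeyserver()
    old = Key("AAAA0000", {"alice@example.org"})
    new = Key("BBBB1111", {"alice@example.org", "alice@example.net"})
    ks.upload(old)
    ks.upload(new)

    before_verify = ks.lookup_by_email("alice@example.org")   # None: no consent yet
    ks.verify_email("alice@example.org", "AAAA0000")
    after_first = ks.lookup_by_email("alice@example.org")     # "AAAA0000"
    ks.verify_email("alice@example.org", "BBBB1111")          # new key replaces old
    after_second = ks.lookup_by_email("alice@example.org")    # "BBBB1111"
    old_view = ks.lookup_by_fingerprint("AAAA0000").user_ids  # empty: address moved
    new_view = ks.lookup_by_fingerprint("BBBB1111").user_ids  # only the verified address
    ks.remove_email("alice@example.org")
    after_remove = ks.lookup_by_email("alice@example.org")    # None: consent withdrawn
    ks.revoke("BBBB1111")
    revoked_visible = ks.lookup_by_fingerprint("BBBB1111").revoked  # True, served freely
    return {
        "before_verify": before_verify,
        "after_first": after_first,
        "after_second": after_second,
        "old_view": old_view,
        "new_view": new_view,
        "after_remove": after_remove,
        "revoked_visible": revoked_visible,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the unverified `alice@example.net` user ID never appears in any lookup, and that the revocation of `BBBB1111` is visible even after the owner has removed the address listing: that is exactly the property the split is meant to give.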
Upcoming releases of Enigmail for Thunderbird and OpenKeychain on Android will add first-party support for the keys.openpgp.org keyserver.
The Ubuntu Security Podcast is a weekly podcast covering all the latest news and developments from the Ubuntu Security team. Each week the team discusses the various security updates that have been published across the Ubuntu releases, describing the technical details of both the security vulnerabilities and the fixes involved. Due to the expansive range of software packages provided by Ubuntu, each episode usually covers a diverse set of security issues, from buffer overflows, use-after-frees and cache side-channel attacks to cross-site scripting and cross-site request forgery.
Since the Tor Project released the first alpha version of Tor Browser for Android in September, they've been hard at work making sure they can bring the protections users already enjoy on desktop to the Android platform. Mobile browsing is increasing around the world, and in some parts it is commonly the only way people access the internet. In these same areas there is often heavy surveillance and censorship online, so we made it a priority to reach these users with a mobile Tor Browser release. The stable version of Tor Browser for Android is now available for download from Google Play and their website.