
I should have said "any disclosure": EFail was coordinated (6 months notice [1]) and yet GnuPG officially downplayed the risk [2], launched an #effail counter-campaign and blamed researchers for bad disclosure [3].

With regards to any of the existing SKS exploits specifically: even if any of them were to undergo coordinated disclosure, it wouldn't have helped: trollwot has been available for 5 years, both keyserver-fs and sks-exploit -- for more than a year. Embargoes don't last that long. All three tools still work.

What the GnuPG Project effectively tries to do is to stop people from writing about any security problems, period, especially those that are hard to fix.

[1]: https://gist.github.com/tqbf/2ef6bce7d16e9d3e76d790fd99c9618...

[2]: https://twitter.com/gnupg/status/995936684213723136

[3]: https://twitter.com/gnupg/status/996856990818283521

OK, makes sense. And damn, 10 years is >>> a year.

So then, as a mere user, I gotta ask how so much of the Linux ecosystem -- and indeed, so much of the open-source ecosystem -- came to depend on such a fragile thing as the SKS keyserver network. That's kinda mind-blowing.

