OpenPGP Keys Under Attack

It was bound to happen one day (though, admittedly, this is a “hindsight is 20/20” statement): the OpenPGP Standard Key Server implementation has fallen victim to attack. The Pretty Good Privacy (PGP) key server system allows anyone to affix changes (“attestations”) to a given key, and these never, ever get deleted. As a result, malicious actors can “spam” a public key sitting on a key server, adding these attestations over and over again until the key itself becomes too unwieldy for some software to use. Yikes! This is a clear security issue amounting to a “denial of service” attack, rendering that public key unusable for encrypting information. Read here for a well-written account detailing the situation.

How does this affect Diplomat MFT? It has no negative impact at all. I have never encountered a customer that uses a key server for OpenPGP key distribution. When creating a transaction to move files between a Diplomat MFT customer and an external customer, partner, supplier, or vendor, it is always the two sides of the file transfer that coordinate the exchange of public keys, either through email or a file transfer protocol like SFTP. Thus, since those public keys are not put onto a public key server, they will not have extraneous attestations attached to them, and both sides will be able to process the keys just fine. If you do encounter any problems with OpenPGP keys, feel free to reach out to us at support@coviantsoftware.com for assistance.
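As an added example (not part of this post and not Diplomat MFT code), here is a small Python check that can be run on a binary, non-armored OpenPGP public key received from a partner before it is imported: it walks the packet stream as laid out in RFC 4880 and counts the signature packets, so a key that has had thousands of attestations attached to it is rejected instead of being handed to software that cannot cope with it. The 1000-signature limit and the sample keys are constructed assumptions; the sample packet bodies are dummies, not real key material.

```python
SIGNATURE, PUBLIC_KEY, USER_ID = 2, 6, 13  # packet tags (RFC 4880 sec. 4.3)


def iter_packets(data: bytes):
    """Yield (tag, body) for every packet in an OpenPGP binary stream (RFC 4880 sec. 4.2)."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        i += 1
        if ctb & 0x40:  # new-format header (RFC 4880 sec. 4.2.2)
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: bits 5-2 are the tag, bits 1-0 the length-of-length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def certification_count(key: bytes) -> int:
    """Signature packets on the key: self-signatures plus every third-party certification."""
    return sum(1 for tag, _ in iter_packets(key) if tag == SIGNATURE)


def key_is_acceptable(key: bytes, max_sigs: int = 1000) -> bool:
    """Refuse keys carrying more certifications than the import limit (1000 is an assumed value)."""
    return certification_count(key) <= max_sigs


def packet(tag: int, body: bytes) -> bytes:
    """Old-format packet with a two-byte length; used only to build the constructed samples below."""
    return bytes([0x80 | (tag << 2) | 0x01, len(body) >> 8, len(body) & 0xFF]) + body


# Constructed sample: key packet, user ID, one self-signature (dummy bodies, not real key material).
CLEAN_KEY = packet(PUBLIC_KEY, bytes(16)) + packet(USER_ID, b"alice@example.com") + packet(SIGNATURE, bytes(20))
# The same key after 5000 extra certifications have been attached to it.
POISONED_KEY = CLEAN_KEY + b"".join(packet(SIGNATURE, bytes(20)) for _ in range(5000))
```

An ASCII-armored key (`-----BEGIN PGP PUBLIC KEY BLOCK-----`) must be base64-decoded, with the armor headers and trailing CRC line stripped, before being passed to these functions.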

Let’s all use this situation as a reminder to be very untrusting when dealing with the security of sensitive data, and not to provide an infrastructure that allows anonymous, unregulated edits to information that is vital to secure communications!
