Address "trollwot" issues
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
hockeypuck |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
See PoC and presentation here: https:/
There are several attacks/annoyances to mitigate here:
1. Key signature spam
2. Fake WoT mirrors
3. Short ID collision attacks
#1 can be somewhat addressed by assigning more weight to mutual key signatures, potentially tuning out or lowering the search ranking of weak associations. This could be done with some offline graph analysis and a blacklist.
#2 seems to rely on faking the timestamps in signatures. How likely is it that a key or signature from years ago should suddenly appear on the keyserver pool? Not very. There should be a threshold to reject old keys and signatures.
#3 can be mitigated by a server option to require a long ID or full fingerprint (400 error on short ID searches).
Other ideas?