Stop it with short PGP key IDs!
What happened today? We still don’t really know, but it seems we found a first potentially malicious collision — that is, the first “nonacademic” case. Enrico found two keys sharing the 9F6C6333 short ID, apparently belonging to the same person (as would be the case of Asheesh, mentioned above). After contacting Gustavo, though, he does not know about the second — That is, it can be clearly regarded as an impersonation attempt. Besides, what gave away this attempt are the signatures it has: Both keys are signed by what appears to be the same three keys: B29B232A, F2C850CA and 789038F2. Those three keys are not (yet?) uploaded to the keyservers, though… But we can expect them to appear at any point in the future. We don’t know who is behind this, or what his purpose is. We just know this looks very evil. Now, don’t panic: Gustavo’s key is safe. Same for his certifiers, Marga, Agustín and Maxy. It’s just a 32-bit collision. So, in principle, the only parties that could be cheated to trust the attacker are humans, right? Nope. Enrico tested on the PGP pathfinder & key statistics service, a keyserver that finds trust paths between any two arbitrary keys in the strong set. Surprise: The pathfinder works on the short key IDs, even when supplied full fingerprints. So, it turns out I have three faked trust paths into our impostor.
UK at serious risk of over-blocking content online, human rights watchdog warns | Ars Technica UK
The IWF in the spotlight…
The blacklist operated by the IWF effectively amounts to censorship. Not only are the blacklist and notices sent to members of the IWF kept secret, but there is no requirement to notify website owners when their site has been added to the blacklist. Even where statutory rules do exist with respect to notice and take-down procedures (namely, the Terrorism Act 2006 and the Defamation (Operators of Websites) Regulations 2013), the provisions are not so concerned with safeguards for the protection of freedom of expression, as with offering an exemption from liability for ISPs.