Don't Use Bit.ly To Advertise Your PGP Key


I had dinner with the outgoing editor of The Guardian the other night. Clever chap, sure he'll go far in life.

The Guardian is very hot on security. Many of their writers have PGP keys which they publicly advertise. In theory, that's great (complaints about PGP notwithstanding) - but the reality shows just how tricky it is to act in a security conscious manner.

Have a look at Alan's Twitter profile.

arusbridger Twitter Profile-fs8

In the bio, we see a link - http://bit.ly/1g4S9WR which points to http://static.guim.co.uk/ni/1393869928289/Public-Key.asc.

Let's take a look at a few reasons why this is sub-optimal.

Control

Who controls bit.ly? Not Alan. Not the Guardian. How easy would it be for a rogue employee to subtly redirect that URL elsewhere?

Gone are the days of Libya exercising its control on the .ly space (you did know that's what .ly stood for, right?) But that doesn't mean you should trust a third party with directing people to sensitive information!

Bit.ly isn't accessible over HTTPS. A sufficiently determined attacker can see who is accessing the page - and possibly redirect the URL to a different site.

Information Leakage

Most bit.ly links allow you to append a "+" to the URL to see a page of statistics. I've written about this several times.

Off we go to http://bit.ly/1g4S9WR+
arusbridger bitly stats-fs8

We can see when a cluster of people have visited the URL and what country they're in. Is this leaking the identity of a journalistic source? Not directly - but it could help narrow down the target.

Homographic Disambiguation

Bit.ly allows you to create your own custom URLs. Useful for pulling pranks - and extremely useful for redirecting people.

So, if someone hacked the Twitter account and replaced http://bit.ly/1g4S9WR with http://bit.ly/Ig4S9WR - how long would it be before someone noticed? The latter example uses an upper-case i rather than the numeral 1 - and points to my PGP key.

Final Destination

But, let's assume that no-one has monkeyed with the shortlink. We end up at http://static.guim.co.uk/ni/1393869928289/Public-Key.asc.

What is "guim.co.uk"? I guess it's a server used by the GUardian to serve IMages - but it doesn't quite carry the same trust as seeing the public key on TheGuardian.com

guim also suffers from security issues. It's not served over HTTPS - which means that it's possible to see who is accessing the page and, crucially, a man-in-the-middle could alter its contents.

Putting it all together

By exploiting one or all of these weaknesses, a malicious attacker could create quite a convincing forgery.

If a random Bit.ly link took you to GUlM.CO.UK (a lower case L) and served you a PGP key for [email protected] (not the real address) - would you be convinced that it was a legitimate key for the correct user?

Fixing It

This is a pretty simple fix.

  • Use a direct link...
  • ...to a trustworth site...
  • ...served over HTTPS...
  • ...
  • That's it!

Security is, sadly, too hard for most people. I wrote about how freedom fighters in South Africa were unable to maintain security due to human weaknesses - nothing much has changed in the intervening years.

I've shared these tips directly with The Guardian's security people, and they are in the process of changing to a more robust system.

I've been reading "Think Like A Freak" by the authors of Freakonomics. In it, the authors ask us to start thinking more like maverick economists. It's a fine way to increase your cognative ability and get a fresh perspective on the world.

I'd like to ask you to think like a hacker. Find every weakness in the chain and work to eliminate it.

2 thoughts on “Don't Use Bit.ly To Advertise Your PGP Key

  1. Think this would be less of an issue if they provided their fingerprint on their profile. People should never trust downloading a gpg key without verifying their fingerprint

  2. This is just as broken as the original. Links on twitter are redirected through t.co, which twitter controls. That's not more trustworthy than bit.ly. The website of the guardian could be hacked into. A man in the middle could happen with SSH as well, because governments can serve you a fake DNS record for the guardian's website, and impersonate the website by using a forged certificate (the NSA is a CA, and other CAs can be compromised, too). Encrypted emails can be monitored for metadata (sender/recipient/subject/time) while they transit in untrusted networks. Connections to HTTPS servers can also be monitored for metadata. The whole PGP web of true concept exists for just that reason; Alan Rusbridger could simply get his key signed by sufficiently many people ; or he could post his key id in plenty of places ; for example, in a printed issue of the guardian, in a video, on the front of the Guardian's building, etc.

What do you reckon?

%d bloggers like this: