Opened 7 years ago

Closed 4 years ago

#8887 closed defect (wontfix)

CERT PGP Based GPG KEY Missing In TorProject.org DNS

Reported by: Bry8Star Owned by:
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I could not find/obtain any CERT PGP DNS Record in torproject.org's DNS answer, which can be used to verify authenticity of files released, shared and signed by you.

torproject.org website (zone/domain), is already signed with DNSSEC, and, TLSA dns record also exist, which declares to public what exact SSL cert you(TorProject.org) use & have approved.

Now you need to add you GPG KEY which you use to sign your files and share with public, so that, users/public can authenticate files, by obtaining GPG KEY from DNS record, by using their own local Full DNSSEC supported DNS Resolver/Server/Client software.

GPG KEY obtained via DNSSEC AUTHENTCATED data can be trusted at higher level, than obtain it via PGP/GPG KEYSERVER(s), as all DNS data kept in DNS Resource Records (RR), which can be authenticated/verified very very accurately.

To query DNS records via Tor-proxy, such can be done:

Get & install "socat". Create a script file to create/start a "socat" based port-forwarding tunnel, so that a DNS query can be send on port 54 and then routing/forwarding it toward the Tor's Socks5 Proxy port 9150, by using a command like below:

  @start "socat 127.0.0.1:54 127.0.0.1:9150 8.8.8.8" /D"%ProgramFiles%\socat\" socat.exe TCP4-LISTEN:54,fork SOCKS4A:127.0.0.1:8.8.8.8:53,socksport=9150

above command line was copied from "socat-54-to-tor-9150.cmd" file from Windows computer. Binary files of "socat" tool were kept inside C:\Program Files\socat\ folder.

DNS queries can be done ANONYMOUSLY like this:

  dig @127.0.0.1 -c in -t any -p 54 torproject.org. +dnssec +additional +vc

If answer have "AD" (Authenticated Data) flag and "NOERROR" status, then answer is DNSSEC authenticated.

But still possible to modify by someone in the middle.

There are other public DNS-Server(s), which supports encrypted DNS queries, and also respect user's Privacy Rights. Correct SSL certificate(cert)/key has to be obtained first, and then can be used with "socat", for creating encrypted tunnels toward such DNS-Server via Tor-proxy, and then DNS queries can be done and very accurate answer/result can be obtained/received. See more info on "socat" doc/manual, and German & Swiss Privacy Foundation's Public DNS Server, etc.

At-least 1 DNS record like below must exist:

Since Erinn Clark (erinn@torproj...org) signs binary files, a CERT GPG dns record would look like:

  erinn._pka.torproject.org. TXT "v=pka1\;fpr=FINGERPRINT-HEX-NUMS-OF-SIGNING-GPG-KEY\;uri=https://www.torproject.org/erinn-clark-torproject.pubkey.txt"

or, it can also look like:

  erinn.torproject.org. CERT PGP 0 0 LONG-BASE64-ENTIRE-PGP/GPG-KEY-CODE

"CERT" is aka "TYPE37".

The actual "FINGERPRINT-HEX-NUMS-OF-SIGNING-GPG-KEY" code portion would look like:

8738A680B84B3031A630F2DB416F061063FEE659

The actual "LONG-BASE64-ENTIRE-PGP/GPG-KEY-CODE" code portion can be obtained by using below two commands by the TorProject.org zone/domain's actual owner/holder:

  gpg --export 63FEE659 > 63FEE659.pub.bin

make-dns-cert -n erinn.torproject.org. -k 63FEE659.pub.bin

I/end-user would prefer to obtain the entire (master-signing or 2nd-level-signing) KEY code from "CERT PGP" record, even if it is as large as 4KB.

It is More Important to deliver correct full/ENTIRE KEY code to USERS, than, sending it via a file/url, to make sure USERS are really getting authentic entire GPG/PGP-KEY code data, and then using it to authenticate files, with lesser chance of failing points, and with lesser complexity.

end-users can do such DNS queries to view GPG related DNS entry:

dig +short erinn._pka.torproject.org. TXT

or, like this:

dig +short erinn.torproject.org. CERT

If ONLY file/URL based TXT option, is mentioned/used, THEN such sensitive FILE MUST NEED TO BE DELIVERED TO USERS OVER TLS/SSL/HTTPS ENCRYPTED secured and correct CONNECTION, between TorProject.org server and users computer, (verified by DANE).

And to be 100% SURE, that both side (TorProejct's-server & user's computer) are accurately using a CORRECT SSL/TLS cert OWNED BY TorProject.org itself, entire TLS/SSL certificate hash/checksum and its fingerprint ALSO need to be placed in DNS as well. See more info on TLSA, CERT dns-records, related documents. Again, it is more important to make sure USERS are really getting authentic files, with lesser chance of failing points, and with lesser complexity, and over correctly secured connection with correct server, so use BOTH PGP/GPG option mentioned above.

Adding both "TXT" based and "CERT PGP" based DNS entry, would be better, since your dns already has TLSA record.

TorProject has now already added their TLSA in DNS RR. :)

dnssec DANE protocol supported / built-into software like : "Extended DNSSEC Validator" firefox addon (www.os3sec.org) , "DNS-Trigger" (an "Unbound" based Full DNSSEC Supported DNS-Server/DNS-Resolver, www.nlnetlabs.nl), etc (along with "DNSSEC Validator" firefox addon www.dnssec-validator.cz) allows to obtain DNSSEC Authenticated accurate data, and then these can obtain or extract correct SSL/TLS cert hash/checksum & fingerprint from TLSA, etc DNSSEC-authenticated data, and then these can show warning message to user, if correct SSL/TLS cert is NOT used for encrypted HTTPS connection, or, if a fake/forged cert or fake server is used. Also use "Cipherfox", "Cert viwer Plus", etc firefox addons to view SSL cert details and chain, and configure those to show more info. You would also need to use either a VM based DNS-Serveer (you may use "VirtualBox", and "Tails"), or, another local computer based DNS-Server, (which are pre-configured to Transparently forward all traffic including DNS through Tor-proxy), and specify such DNS-Server inside the "Extended DNSSEC Validator" firefox addon. Also see "DNS2SOCKS".

To import entire pgp/GPG keycode from DNS , user can do one single command:

  gpg --no-default-keyring --keyring /tmp/gpg-$$ --encrypt --armor --auto-key-locate cert -r erinn@torproject.org

In windows, GPG software was obtained via "Cygwin", it can also be obtained from "gpg4win". And, to send GPG queries via Tor Socks5 proxy : First "Polipo" (a HTTP Proxy) tool was obtained and configured, to create a HTTP-Proxy-to-Socks5-proxy Tunnel (from HTTP Proxy port 8118 to Socks5 Proxy port 9150). See more info on "Polipo" in TorProject wiki area.

When these codes are added as command-line option, in a gpg command, then gpg query will go through Tor Socks5 proxy, (if polipo based forwarding/tunnel also exist):

  --keyserver-options no-auto-key-retrieve,no-try-dns-srv,http-proxy=http://127.0.0.1:8118 --keyserver hkps://zimmermann.mayfirst.org,hkp://pgp.surfnet.nl,hkp://2eghzlv2wwcq7u7y.onion,hkp://pool.sks-keyservers.net,hkp://subkeys.pgp.net

Or, end users can also do such (preferred & recommended by me) : Base64 encoded CERT PGP dns record, can also be copied/used from a DNSSEC authenticated dns query result/answer, into a text file, and then it can be decoded, or, imported into gpg directly to get full GPG KEY. See gpg "import" command section to import from file.

So, PLEASE ADD "CERT PGP" DNS RECORD IN YOUR DNS.

Thank you,
-- Bright Star (Bry8Star).
bry 8 st ar a.t ya hoo d.o.t c om
GPG_FPR=12B7 7F2C 92BF 25C8 38C6 4D9C 8836 DBA2 576C 10EC.
GPG key-ID is last 8 digit of above code.

References:

Child Tickets

Change History (3)

comment:1 Changed 5 years ago by Sebastian

Component: WebsiteTor Sysadmin Team

This is for the sysadmins to ponder.

comment:2 Changed 5 years ago by weasel

I like the idea in principle.

I dislike how there apparently is not a clearly defined unique namespace for CERT records. i.e. host@example and host.example share the same dns labels. PKA appears to not have this issue, but it's not specified in any standard AIUI.

And of course there's still a lack of code.

comment:3 Changed 4 years ago by weasel

Resolution: wontfix
Severity: Normal
Status: newclosed

I don't think this will happen any time soon.

Note: See TracTickets for help on using tickets.