keys.gnupg.net website pool broken

Posted: 2018-04-24 09:30:10 by Alasdair Keyes

Direct Link | RSS feed

Until recently, the GnuPG section of my site which lists my GPG fingerprint had a link to keys.gnupg.net for visitors to make some verification of my key.

I accidentally clicked this link a few days ago and noticed that I was redirected to https://analytics.sumptuouscapital.com/ instead of the expected https://keys.gnupg.net website. I checked with Mike and he was seeing the correct site.

This looked interesting, it could be some misconfiguration or potentially something more nefarious like a DNS poisoning.

I dug into it a little and it looks like gnupgp.net operates a round-robin DNS setup for it's web server cluster with 9 hosts.

$ host -t A keys.gnupg.net
keys.gnupg.net is an alias for hkps.pool.sks-keyservers.net.
hkps.pool.sks-keyservers.net has address 193.224.163.43
hkps.pool.sks-keyservers.net has address 193.164.133.100
hkps.pool.sks-keyservers.net has address 176.9.147.41
hkps.pool.sks-keyservers.net has address 192.94.109.73
hkps.pool.sks-keyservers.net has address 51.15.53.138
hkps.pool.sks-keyservers.net has address 216.66.15.2
hkps.pool.sks-keyservers.net has address 68.187.0.77
hkps.pool.sks-keyservers.net has address 92.43.111.21
hkps.pool.sks-keyservers.net has address 37.191.226.104

I wrote a small script to query each individual IP for the keys.gnupg.net website, the result was

  1. 37.191.226.104: Redirects to https://analytics.sumptuouscapital.com/
  2. 192.94.109.73: No response
  3. 193.164.133.100: Redirects to https://keys.gnupg.net
  4. 18.9.60.141: No response
  5. 68.187.0.77: No response
  6. 216.66.15.2: No response
  7. 176.9.147.41: No response
  8. ** 51.15.53.138**: No response
  9. 193.224.163.43: No response

On the plus side, it doesn't look to be anything nefarious, just lack of maintenance and competence. It looks as though the GnuPG keys webs server setup is really broken, I have no idea how long this has been broken in this way, but it doesn't scream 'secure'.

As such, I've removed the link from my site and I now just use pgp.mit.edu and I suggest you stop using it too.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

© Alasdair Keyes

IT Consultancy Services

I'm now available for IT consultancy and software development services - Cloudee LTD.



Happy user of Digital Ocean (Affiliate link)

Digital Ocean Affiliate


Version:master-1f4617d140


Validate HTML 5