Open PGP keys under attack: Does this affect your MFT solution?
PGP is the industry standard for securing communications and a common feature of MFT. But it’s recently been at the centre of hacking fears. This guest blog post from Coviant Software CEO Greg Hoffer will alleviate any concerns relating to your Managed File Transfer (MFT) solution.
It was bound to happen one day: the OpenPGP Standard Key Server implementation has fallen victim to attack. When the Pretty Good Privacy (PGP) Keyserver system allows anyone to affix changes (“attestations”) to a given key –these never, ever get deleted. As a result, malicious attackers can “spam” a public key sitting on a key server, adding these attestations over and over again until the key itself becomes too unwieldy to use by some software. This is a clear security issue leading to a “denial of service” attack, rendering that public key unusable for encrypting information.
So how does this affect your MFT solution? It is has no negative impact at all. I have never experienced any customer that uses a KeyServer for OpenPGP key distribution. When creating a transaction to move files between a MFT customer and an external customer, partner, supplier, or vendor it is always the two sides of the file transfer that coordinate the exchange of public keys, either through email or a file transfer protocol like SFTP. Thus, since those public keys are not put onto a public Key Server, they will not have extraneous attestations attached to them, and both sides will be able to process the keys just fine.
Let’s all use this situation as a reminder to be very untrusting when dealing with the security of sensitive data, and not provide an infrastructure that allows anonymous, unregulated edits to information that is vital to secure communications.
Your MFT solution is a critical part of your infrastructure, with many business processes depending on it. Without regular maintenance and training, you are risking security and efficiency, and ultimately not getting the best value from your solution.
Our health check service reviews the performance of your software, checking your configuration, version, clean-up rules and more. Our technical consultants will produce and present a report advising on risks we have identified and remedial actions.
Call 0333 123 1240 or contact us online to book a health check today.