@otini I don't really like the point where:
1) the "bug" (which is more a design choice than a bug) was discovered 10 years before
2) The bug is not on the server (which is implemented in OCaml) but at the reception of poisoned certificates by the client - and, in this case, by GnuPG (implemented in C)
In fact, the point is the client is not able to handle such poisoned keys (https://news.ycombinator.com/item?id=20318565).
The FUD about the server or the language is bullshit when the problem is somewhere else.
@dinosaure Wow then the whole post about the server is completely irrelevant…
@otini @dinosaure well, a "fix" is to have servers which only accept fewer certificates (and/or validate them being good -- but then an attacker can properly sign any public key, and this will pass the check). but then your client still has to deal with misbehaving servers --> the fix is not easy, and IMHO key servers are bad (since they expose timestamps and the social network) anyways. so why not just switch them off and try another way of exchanging public keys!?
@otini @dinosaure see also yminsky's reply (copied to) https://www.reddit.com/r/ocaml/comments/c7fs0p/sks_keyserver_network_under_attack_github/esq3shb/