News

monkeysphere 0.37 has been released.

Notes from the changelog:

  * Bugfix release with minor improvements and dependency accommodations.
  * Test openpgp2ssh functionality (closes MS #6524)
  * use new GnuPG with-colons output
  * accommodate changed behavior of ssh-keygen -F
  * accommodate multiple AuthorizedKeysFile directives
  * deal sanely with empty lines in authorized_user_ids (closes MS #6344)
  * treat non-standard ports properly (closes MS #3402)

Download it now!

Posted Thu Aug 7 17:32:52 2014

Monkeysign 1.1 released!

After an overwhelming response and usability testing from a wide variety of users, I am happy to announce the release of Monkeysign 1.1, which fixes over 7 different issues detected in the 1.0 release and improves SMTP support significantly.

Monkeysign is a user-friendly tool to easily and securely exchange OpenPGP key certifications. See the homepage for more information.

To install monkeysign on Debian unstable, simply run:

sudo apt-get install monkeysign

Testing and stable currently have the 1.0 release and will be updated within 10 days to the new 1.1 release if no critical bugs are found.

For users of other Linux distributions, use:

git clone git://git.monkeysphere.info/monkeysign
cd monkeysign
sudo ./setup.py install --record=install.log

For more information, see the homepage.

Detailed list of changes since monkeysign-1.0:

  • improved SMTP support:
    • SMTP username and passwords can be passed as commandline arguments
    • SMTP password is prompted if not specified
    • use STARTTLS if available
    • enable SMTP debugging only if debugging is enabled
  • show the unencrypted email with --no-mail (Closes: #720049)
  • warn when gpg-agent is not running or failing (Closes: #723052)
  • set GPG_TTY if it is missing (Closes: #719908)
  • bail out on already signed keys (Closes: #720055)
  • mention monkeyscan in the package description so it can be found more easily
  • fix python-pkg-resources dependency
  • don't show backtrace on control-c
  • add missing files to .gitignore (Closes: #724007)
  • ship with a neat little slideshow to make presentations
  • fix some typos (Closes: #722964)
  • add --cert-level option (Closes: #722740)

Enjoy!

Posted Mon Sep 30 18:31:23 2013

xul-ext-monkeysphere 0.8 has been released.

Notes from the changelog:

  * Fix for firefox >= 23 (thanks Kristian Fiskerstrand!)

Download it now!

Posted Fri Sep 20 01:31:27 2013

msva-perl 0.9.2 has been released.

Notes from the changelog:

  * tweak POD to declare charset
  * openpgp2x509: a bit more clean up and features (needs more work)
  * handle multiple keyserver entries in gpg.conf gracefully
    (closes MS #6252)
  * also accept DOS-style CR/LF line endings in PEM-encoded X.509 certs
  * msva-query-agent: produce newline-terminated output.

Download it now!

Posted Fri Sep 13 10:55:55 2013

Here it is, finally: Monkeysign 1.0! I have implemented all the features I felt were necessary for a first stable release, so here it is.

Monkeysign is a user-friendly tool to easily and securely exchange OpenPGP key certifications. See the website for more information.

The 1.0 release now properly sends a separate email for each signed UID, has manpages for the two programs and, more importantly, no longer copies your secret key around. Translation of the user interface is now possible and we also ship a ton of tweaks and bugfixes.

To install monkeysign, you should be able to do:

sudo apt-get install monkeysign

The backport to wheezy was updated to 0.9 not so long ago and will soon be updated to 1.0 too. For users of other Linux distributions, try:

git clone git://git.monkeysphere.info/monkeysign
cd monkeysign
sudo ./setup.py install --record=install.log

For more information, including how to get a tarball to create packages for other distributions, see the homepage.

Detailed list of changes since monkeysign-0.9:

  • stop copying secrets to the temporary keyring
  • make sure we use the right signing key when specified
  • signatures on multiple UIDs now get properly sent separately (Closes: #719241)
  • this includes "deluid" support on the gpg library
  • significantly refactor email creation
  • improve unit tests on commandline scripts, invalid (revoked) keys and timeout handling
  • provide manpages (Closes: #716674)
  • avoid showing binary garbage on export when debugging
  • properly fail if password confirmation fails
  • user interfaces now translatable
  • accept space-separated key fingerprints
  • fix single UID key signing
  • proper formatting of UIDs with comments (removed) and spaces (wrapped) for emails

Enjoy!

Posted Thu Aug 15 11:04:56 2013

I am happy to announce the 0.9 release of Monkeysign! 0.8 was released last week and I forgot to announce it, so this news item covers this as well.

Monkeysign is a user-friendly tool to easily and securely exchange OpenPGP key certifications. See the website for more information.

Since Monkeysign was uploaded into Debian, there has been more testing from the Debian community, which led to the discovery of a few usability issues, most of which are fixed in 0.9.

Most notably, the msign and msign-cli scripts were renamed to monkeyscan and monkeysign, since numerous people have been puzzled to not find the monkeysign command after installing the package. This also implies that the main command is currently monkeysign, as the graphical interface is less featureful and less complete.

The issues we had with monkeysign-0.7 still remain, so this is not a 1.0 release, but I am really happy to see Monkeysign enter Debian. I have also uploaded a backport to Debian Wheezy and will try to keep it up to date.

So to install monkeysign, on Debian, you should now be able to do:

sudo apt-get install monkeysign

Although this will install an old version (0.7) on stable and testing, given time the 0.9 release will trickle down. For users of other Linux distributions, try:

git clone git://git.monkeysphere.info/monkeysign
cd monkeysign
sudo ./setup.py install --record=install.log

Changes since monkeysign-0.7:

  • refactor unit tests again to optimise UI tests and test mail generation
  • fix error handling in encryption/decryption (Closes: #717622)
  • rename msign-cli to monkeysign and msign to monkeyscan (Closes: #717623)
  • handle interruptions cleanly when choosing user IDs (see: #716675)
  • refactor unit test suite to allow testing the commandline tool interactively
  • don't fail on empty input when choosing uid (Closes: #716675)
  • we also explain how to refuse signing a key better
  • optimise network tests so they timeout (so fail) faster

Enjoy!

Posted Tue Jul 23 11:13:27 2013

monkeysphere 0.36 has been released.

Notes from the changelog:

  * keytrans no longer confuses user IDs across different keys (closes MS
    #2682)
  * fetch all available keys from keyserver instead of first 5 (closes MS
    #1046)
  * enable openpgp2pem for keytrans (Closes: #698383)
  * enable openpgp2spki as well

  [ Jonas Smedegaard ]
  * m-a gpg-cmd now takes its arguments as separate parameters, not as a
    single string.
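
The 0.37 entry above tests openpgp2ssh and this 0.36 entry enables openpgp2pem and openpgp2spki. As an added example (this is not Monkeysphere's keytrans, which also handles secret keys, subkeys and the PEM/SPKI outputs), here is the core of an openpgp2ssh conversion in Python: parse a v4 RSA public-key packet, compute its v4 fingerprint, and emit an OpenSSH ssh-rsa line, with a decoder for the round trip. The modulus and exponent are constructed toy values, not a real key.

```python
"""OpenPGP v4 RSA public-key packet -> OpenSSH ssh-rsa line, plus the v4 fingerprint.

Added example of what an openpgp2ssh conversion does; not Monkeysphere's keytrans.
Layout per RFC 4880: old-format tag-6 header 0x99 with a two-byte length, then
version 4, creation time, algorithm 1 (RSA) and the MPIs n and e.  The v4
fingerprint is SHA-1 over 0x99, the two-byte length and the body.
"""
import base64
import hashlib
import struct
from typing import Tuple

SAMPLE_N = 0xD8A1            # constructed; high bit set to exercise the mpint leading-zero rule
SAMPLE_E = 17                # constructed
SAMPLE_CREATED = 1288000000  # arbitrary creation timestamp


def _mpi(n: int) -> bytes:
    """OpenPGP MPI: two-byte bit length, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _read_mpi(buf: bytes, off: int) -> Tuple[int, int]:
    bits = struct.unpack(">H", buf[off:off + 2])[0]
    nbytes = (bits + 7) // 8
    raw = buf[off + 2:off + 2 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated MPI")
    value = int.from_bytes(raw, "big")
    if value.bit_length() != bits:        # reject non-canonical encodings
        raise ValueError("MPI bit length does not match its value")
    return value, off + 2 + nbytes


def build_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def parse_rsa_public_key_packet(pkt: bytes) -> Tuple[int, int, int, str]:
    """Return (n, e, created, fingerprint_hex); anything but v4 RSA is rejected."""
    if len(pkt) < 3 or pkt[0] != 0x99:
        raise ValueError("expected an old-format public-key packet with two-byte length")
    length = struct.unpack(">H", pkt[1:3])[0]
    body = pkt[3:3 + length]
    if len(body) != length or len(body) < 6:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    if body[5] != 1:
        raise ValueError("only RSA (public-key algorithm 1) is supported")
    created = struct.unpack(">I", body[1:5])[0]
    n, off = _read_mpi(body, 6)
    e, off = _read_mpi(body, off)
    if off != len(body):
        raise ValueError("trailing data after the key material")
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()
    return n, e, created, fpr


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251) is two's complement: prepend 0x00 when the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def openpgp2ssh(pkt: bytes, comment: str = "") -> str:
    n, e, _, _ = parse_rsa_public_key_packet(pkt)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)  # e before n
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_ssh_rsa_line(line: str) -> Tuple[int, int]:
    """Decode an ssh-rsa line back to (e, n) for the round-trip check."""
    blob = base64.b64decode(line.split()[1])
    fields, off = [], 0
    while off < len(blob):
        ln = struct.unpack(">I", blob[off:off + 4])[0]
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def convertible(pkt: bytes) -> bool:
    try:
        parse_rsa_public_key_packet(pkt)
        return True
    except ValueError:
        return False


def sample_packet() -> bytes:
    return build_rsa_public_key_packet(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)


if __name__ == "__main__":
    pkt = sample_packet()
    print("fingerprint:", parse_rsa_public_key_packet(pkt)[3])
    print(openpgp2ssh(pkt, "MonkeySphere example"))
```

The parser is deliberately strict: a non-canonical MPI, a non-RSA algorithm byte, trailing bytes or a short packet all raise rather than producing a key line, since a converter in the authentication path should never emit something for material it did not fully understand.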

Download it now!

Posted Thu Jul 11 16:01:27 2013

The second beta release of Monkeysign is now available in the git repository. After almost a year of bugfixing and tests, I am confident enough in monkeysign to use it all the time to sign keys.

Monkeysign is a user-friendly tool to easily and securely exchange OpenPGP key certifications. See the website for more information.

After getting bugs reported (thanks micah and simon!) on 0.6 and even git head, I figured it would be useful to properly test the UI. So I added tests for the commandline interface. They are far from complete, as UIs are particularly hard to unit test, but things should be in much better shape now.

Monkeysign is still incomplete: before releasing a 1.0 version, we wish to provide ways for the community to translate the interface and, more importantly, fix an important bug where keys are not sent and encrypted individually when signing multiple key ids.

The code is only available through git right now, but a Debian package should enter the unstable archive soon. Use the following to get the code:

git clone git://git.monkeysphere.info/monkeysign

Complete changelog:

  • fix crash when key not found on keyservers
  • use a proper message in outgoing emails
  • unit tests extended to cover user interface
  • import keys from the local keyring before looking at the keyserver
  • fix print/save exports (thanks Simon!)
  • don't depend on a graphical interface
  • update copyright dates and notices
  • mark as priority: optional instead of extra

Enjoy!

Posted Sat Jul 6 01:05:27 2013

xul-ext-monkeysphere 0.7 has been released.

Notes from the changelog:

  * update validation method for firefox >= 20 (thanks James Bottomley!)

Download it now!

Posted Thu May 23 02:28:22 2013

The first working release of Monkeysign is now available through the git repository. After more than two years of intermittent development, we now have a quite user-friendly tool to easily and securely exchange OpenPGP key certifications. See the website for more information.

The code is still "beta" in that it has been tested only by the author, so extra testing and feedback will be welcome so we can make a 1.0 release.

The code is only available through git right now, we are working on providing a Debian package while the code matures. Use the following to get the code:

git clone git://git.monkeysphere.info/monkeysign

Posted Wed Oct 10 14:13:55 2012

msva-perl 0.9.1 has been released.

Notes from the changelog:

  * Bug Fix Release:
  * Fix error when msva-perl is run without arguments.
  * Correct internal version number.

Download it now!

Posted Sun Sep 9 15:46:18 2012

msva-perl 0.9 has been released.

Notes from the changelog:

  [ Jameson Rollins ]
  * Add "e-mail" context (checks for signing capability instead of
    authentication) (closes MS #2688)
  * Add "openpgp4fpr" pkc type for providing OpenPGP v4 fingerprint
  * Add --version option to msva-query-agent

  [ David Bremner ]
  * Code refactoring:
   - Crypt::Monkeysphere::MSVA::Logger into Crypt::Monkeysphere::Logger
   - new Crypt::Monkeysphere::Validator
   - unit tests and unit test harness

  [ Daniel Kahn Gillmor ]
  * Now depending on Crypt::X509 0.50 for pubkey components directly.
  * Crypt::Monkeysphere::OpenPGP for helper functions in
    packet generation and parsing.
  * Parse and make use of X.509 PGPExtension if present in X.509 public
    key carrier.
  * Fix HUP server restart when used with Net::Server >= 0.99
  * Crypt::Monkeysphere::Keytrans has the start of some key/certificate
    conversion routines.
  * Fix socket detection when used with Net::Server >= 2.00, which
    can bind to multiple sockets
  * depend on Net::Server >= 2.00
  * change launcher approach -- daemon is now child process, so that
    daemon failures won't kill X11 session
  * scanning and prompting for changes is now optional (defaults to off)

Download it now!

Posted Sun Aug 12 10:20:53 2012

Monkeysphere 0.35 for Fedora (f14-f16) is now available, a big thanks to Bernie Innocenti for the work!

If you are running Fedora, now all you need to do to get monkeysphere installed is to do the following:

  # yum install monkeysphere

For other methods, please visit our Download area.

Posted Sat May 21 10:04:43 2011

xul-ext-monkeysphere 0.6 has been released.

Notes from the changelog:

  * bump MaxVersion to 4.0.* (Thanks to tmarble for testing 4.0b10! dkg
    takes responsibility for the 4.0.* testing)
  * add pt-BR localization (Thanks, rhatto!)

Download it now!

Posted Fri Mar 11 19:10:52 2011

msva-perl 0.8 has been released.

Notes from the changelog:

  * Minor bugfix release!
  * Avoid indirect object creation (thanks to intrigeri for pointing this out).
  * Bug fix for unused option provided to gpgkeys_hkpms.
  * Allow use of hkpms keyservers from gpg.conf
  * Allow the use of ports in hostnames (closes MS # 2665)
  * Do not report self-sigs as other certifiers (but report valid,
    non-matching identities independently) (closes MS # 2569)
  * List certifiers only once (closes MS # 2573)
  * Enable the use of --keyserver-options http-proxy for gpgkeys_hkpms
    (includes support for socks proxies) (closes MS # 2677)

Download it now!

Posted Mon Dec 20 13:41:39 2010

msva-perl 0.7 has been released.

Notes from the changelog:

  * updated msva-query-agent documentation
  * added gpgkeys_hkpms for monkeysphere-authenticated HKPS access
    (closes MS #2016)

Download it now!

Posted Wed Dec 15 20:15:40 2010

xul-ext-monkeysphere 0.5 has been released.

Notes from the changelog:

  * code cleanup
  * add log_level preference.
  * bump MaxVersion from 3.6.* to 4.0b7 for firefox/iceweasel (thanks to
    jaywalk and simonft for testing!)
  * internationalize extension, add fr-FR localization (Thanks, julm!)
  * add nl-NL localization (Thanks, kwadronaut!)

Download it now!

Posted Wed Dec 15 19:49:32 2010

msva-perl 0.6 has been released.

Notes from the changelog:

  * Add new element to JSON syntax allowing request to override
    keyserver_policy (closes MS #2542)
  * Do not kill off child handling processes on HUP -- let them finish
    their queries.
  * Refactor logging code
  * If we have Gtk2, Linux::Inotify2, and AnyEvent, we should monitor for
    updates and prompt the user when we notice one. (closes MS #2540)
  * Added tests/basic, as a simple test of a few functions (closes MS #2537)
  * fixed double-prompting on sites that have more than one User ID
    (closes MS #2567)
  * report server implementation name and version with every query (closes
    MS #2564)
  * support x509pem, opensshpubkey, and rfc4716 PKC formats in addition to
    x509der (addresses MS #2566)
  * add new peer type categorization (closes MS #2568) -- peers of type
    client can have much more flexible names than regular hostnames we
    look for for servers.

Download it now!

Posted Sun Nov 14 16:23:15 2010

monkeysphere 0.35 has been released.

Notes from the changelog:

  * Remove reference to USE_VALIDATION_AGENT.
  * Fix ssh_proxycommand for marginal hosts (closes MS #2593)
  * GnuPG should always behave as --fixed-list-mode (closes MS #2587)

Download it now!

Posted Sun Nov 14 00:21:25 2010

It was recently pointed out that version 0.5 of the Perl implementation of the Monkeysphere validation agent depends on a more recent version of GnuPG::Interface than can be found in Ubuntu, or in the stable, testing, or unstable Debian repositories. The needed version of GnuPG::Interface is currently only available in package form from Debian's experimental repository.

msva-perl 0.5 is experimental as well, due to this dependency. So we're now shipping the needed version of GnuPG::Interface in the Monkeysphere APT repository.

Posted Tue Nov 9 09:32:09 2010

Monkeysphere version 0.31 introduced a vulnerability which could allow an arbitrary code execution attack as the 'monkeysphere' system account, if the superuser were to run the command "monkeysphere-authentication keys-for-user". Depending on the configuration of the host, access to this system account can potentially grant access to other accounts.

The problem also existed in version 0.32 but was resolved in version 0.33. Versions prior to 0.31 were not affected.

If you are running one of the versions with this issue, it is highly recommended that you update as soon as possible.

A CVE reference identifier was released for this issue: CVE-2010-4096

For more information, please see the mailing list post about the issue.

Posted Fri Oct 29 12:38:51 2010

monkeysphere 0.34 has been released.

Notes from the changelog:

  * fix keys-for-user so that it outputs proper authorized_keys lines
    (close MS #2550)
  * refactor key processing for key files, greatly reducing redundant code
    paths
  * update authorized_keys and known_hosts in temp files that are
    atomically moved into place
  * don't fail if authorized_keys file not already present (Closes: 600644)
  * document CHECK_KEYSERVER in monkeysphere-authentication man page
    (close MS #2556)

Download it now!

Posted Tue Oct 26 12:33:49 2010

monkeysphere 0.33 has been released.

Notes from the changelog:

  [ Daniel Kahn Gillmor ]
  * defaulting MONKEYSPHERE_HASH_KNOWN_HOSTS to false
    (closes MS #2483)

  [ Jameson Rollins ]
  * fix security vulnerability in parsing userids in
    monkeysphere-authentication keys-for-user (Closes: #600304)
  * fix failure after first invalid key in monkeysphere-authentication
    keys-for-user (closes MS #2545)
  * ignore command options in monkeysphere-authentication keys-for-user

Download it now!

Posted Fri Oct 15 18:49:33 2010

msva-perl 0.5 has been released.

Notes from the changelog:

  * If ${MSVA_KEYSERVER} is unset or blank, default to using keyserver
    from ${GNUPGHOME}/gpg.conf if that file exists. (addresses MS #2080)
  * Under Linux, report details about the requesting process if we can
    learn them from /proc (closes MS #2005)
  * Conditionally rely on Gtk2 perl module -- no marginal UI without it,
    but you can also install the MSVA now without needing to pull in a
    bunch of Gtk libs (closes MS #2514)
  * Sending a SIGHUP to the running server now re-execs it cleanly,
    keeping the same port assignments and monitoring the same child
    process.  This can be used to upgrade running msva instances after a
    package update (closes MS #2532)

Download it now!

Posted Thu Oct 14 15:52:22 2010

Chris Palmer's presentation "We Must Fix HTTPS":

Posted Fri Oct 8 11:49:04 2010

There are now ArchLinux packages available for monkeysphere and msva-perl; you can find them on AUR:

monkeysphere

msva-perl

If you use ArchLinux, and these packages, please give us some feedback on them!

Posted Fri Oct 8 08:58:59 2010

msva-perl 0.4 has been released.

Notes from the changelog:

  * removed dependency on monkeysphere package -- just invoke GnuPG
    directly (needs GnuPG::Interface, Regexp::Common) (closes MS #2034)
  * adds MSVA_KEYSERVER_POLICY and MSVA_KEYSERVER environment variables.
  * added a marginal UI (needs Gtk2 perl module) (closes MS #2004)
  * Filter incoming uids to match a strict regex (closes MS #2270)
  * Trivially untaint the environment for the single child process
    (closes MS #2461)
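
The uid filtering in this 0.4 entry, the "ports in hostnames" item of msva-perl 0.8 and the client/server peer types of msva-perl 0.6 all come down to one question: which peer names is the agent willing to turn into an OpenPGP User ID and hand to GnuPG? Below is an added example of that allow-list step in Python. It is not msva-perl's code; the regexes, the https/ssh contexts (the page names only "e-mail"), the User ID shapes (scheme://host[:port] for servers, a bare address for e-mail clients) and the ValueError behaviour are this example's assumptions.

```python
"""Strict allow-listing of peer names before they become OpenPGP User IDs.

Added example, not msva-perl's code.  Everything concrete here is assumed:
the regexes, the server contexts, the User ID shapes and the error handling.
"""
import re

# One DNS label: alphanumerics with interior hyphens, at most 63 octets.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
PORT_RE = re.compile(r"^[1-9][0-9]{0,4}$")
# Local part of an e-mail address: a conservative subset of RFC 5322.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")
SERVER_CONTEXTS = ("https", "ssh")   # assumed; the page names only "e-mail"


def validate_server_name(name: str) -> str:
    """Lower-cased hostname with an optional :port, or ValueError."""
    name = name.lower()
    host, _, port = name.partition(":")
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {name!r}")
    if port and not (PORT_RE.match(port) and int(port) <= 65535):
        raise ValueError(f"invalid port: {name!r}")
    return name


def validate_client_name(name: str) -> str:
    """local@domain for the e-mail context; domain lower-cased, no port allowed."""
    local, at, domain = name.rpartition("@")
    if not at or not LOCAL_PART_RE.match(local) or not HOSTNAME_RE.match(domain.lower()):
        raise ValueError(f"invalid client name: {name!r}")
    return f"{local}@{domain.lower()}"


def expected_uid(context: str, peer_name: str, peer_type: str) -> str:
    """The User ID that must carry a valid certification for the peer to be accepted.

    Nothing that fails the allow-list gets as far as a gpg invocation or a
    regex built from the name; it is refused here.
    """
    if context == "e-mail" and peer_type == "client":
        return validate_client_name(peer_name)
    if context in SERVER_CONTEXTS and peer_type == "server":
        return f"{context}://{validate_server_name(peer_name)}"
    raise ValueError(f"unsupported context/peer type: {context}/{peer_type}")


def is_acceptable(context: str, peer_name: str, peer_type: str) -> bool:
    try:
        expected_uid(context, peer_name, peer_type)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: two good, two that must be refused.
    for req in [("https", "www.example.net", "server"),
                ("ssh", "Login.Example.NET:2222", "server"),
                ("https", "www.example.net;id", "server"),
                ("e-mail", "$(id)@example.net", "client")]:
        print(req, "->", expected_uid(*req) if is_acceptable(*req) else "REFUSED")
```

Hostnames are normalised to lower case before matching so that a certification on https://www.example.net also covers a request for WWW.EXAMPLE.NET, while the local part of an e-mail address is left as given.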

Download it now!

Posted Thu Oct 7 02:45:47 2010

Monkeysphere 0.32 has been released.

Notes from the changelog:

  [ Jameson Rollins ]
  * Fix specification of install paths in all scripts and man pages
    (closes MS #2491)
  * Fix need for single argument to gpg_sphere (thanks Clint)
    (closes MS #442)
  * specify LC_ALL=C for all gpg calls
    (closes MS #2496)

  [ Micah Anderson ]
  * fix monkeysphere-host revoke-key, which never worked properly :(
  * add some debug output to monkeysphere-host publish-key
    (closes MS #2289)
  
  [ Clint Adams ]
  * add support for options to the authorized User IDs file.  Options that
    should apply to keys for a given User ID should be on
    whitespace-prefixed lines immediately following that User ID.
    (closes MS #440)
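
The authorized User IDs file format described in this entry, the 0.34 item about writing authorized_keys through a temp file that is atomically moved into place, and the 0.37 item about empty lines in authorized_user_ids are covered by one added example below. It is not Monkeysphere's own (shell) implementation; the key material is placeholder text standing in for what keytrans would derive from the keyring, and the choices to join several option lines with commas, reject an option line that precedes any User ID, and use the User ID as the authorized_keys comment field are this example's assumptions.

```python
"""Render authorized_keys lines from a Monkeysphere-style authorized_user_ids file.

Added example, not Monkeysphere's own code.  Format as described in the
changelog: one OpenPGP User ID per line, options for that User ID on
whitespace-prefixed lines immediately following it, empty lines ignored.
Assumed: option lines are joined with commas, an option line before any
User ID is an error, and the authorized_keys comment is the User ID.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed sample input: blank lines in odd places and a two-line option block
# (one indented with spaces, one with a tab).
SAMPLE_AUTHORIZED_USER_IDS = """\

Alice Example <alice@example.net>

Backup Operator <backup@example.net>
    command="/usr/bin/rrsync /srv/backup",no-pty
\tno-port-forwarding

Carol Example <carol@example.net>
"""

# Constructed placeholders for what keytrans would derive from the keyring;
# Carol has no usable authentication key, so she gets no line.
SAMPLE_KEYS: Dict[str, List[str]] = {
    "Alice Example <alice@example.net>": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0alice"],
    "Backup Operator <backup@example.net>": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0backup"],
}


def parse_authorized_user_ids(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(user_id, [option, ...]), ...] in file order."""
    entries: List[Tuple[str, List[str]]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue                      # empty or whitespace-only line: ignore
        if raw[0] in " \t":               # option line for the preceding User ID
            if not entries:
                raise ValueError(f"line {lineno}: option line before any User ID")
            entries[-1][1].append(raw.strip())
        else:
            entries.append((raw.strip(), []))
    return entries


def is_well_formed(text: str) -> bool:
    try:
        parse_authorized_user_ids(text)
        return True
    except ValueError:
        return False


def authorized_keys_lines(entries: List[Tuple[str, List[str]]],
                          keys_for_uid: Dict[str, List[str]]) -> List[str]:
    """One authorized_keys line per key: [options] keytype base64 comment."""
    lines: List[str] = []
    for uid, options in entries:
        for key in keys_for_uid.get(uid, []):
            keytype, blob = key.split()          # exactly two fields expected
            if not keytype.startswith("ssh-"):
                raise ValueError(f"refusing unexpected key type {keytype!r} for {uid!r}")
            prefix = ",".join(options) + " " if options else ""
            lines.append(f"{prefix}{keytype} {blob} {uid}")
    return lines


def write_atomically(path: str, lines: List[str]) -> None:
    """Write through a same-directory temp file and rename, so sshd never
    sees a half-written authorized_keys."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("".join(line + "\n" for line in lines))
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)             # atomic rename on POSIX
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def roundtrip_file() -> List[str]:
    """Render SAMPLE_* into a temp directory, write atomically, read back."""
    entries = parse_authorized_user_ids(SAMPLE_AUTHORIZED_USER_IDS)
    lines = authorized_keys_lines(entries, SAMPLE_KEYS)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        write_atomically(path, lines)
        with open(path) as f:
            return f.read().splitlines()


if __name__ == "__main__":
    for line in roundtrip_file():
        print(line)
```

The temp file is created in the target directory rather than in /tmp because rename is only atomic within one filesystem; creating it elsewhere would turn the final step into a copy and reopen the half-written-file window the 0.34 change closed.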

Download it now!

Posted Thu Oct 7 02:45:47 2010

Danny O'Brien writes in Slate an interesting article entitled "The Internet's Secret Back Door: Web users in the United Arab Emirates have more to worry about than having just their BlackBerries cracked." which details how MitM attacks can be facilitated by any of a few hundred CA delegates. It discusses the CA company CyberTrust and its subordinate CA Etisalat, the government-connected mobile company in the UAE.

A spirited discussion follows up on Schneier's blog.

The EFF also calls out Verizon on this issue, asserting that the Etisalat Certificate Authority threatens web security.

The New York Times also picks up the story.

Behind the scenes, on mozilla.dev.security.policy the issue is discussed.

Now that the certificate cartel issue is becoming more and more known as a problem in the wider public, what will happen? Will outcries over specific CAs result in changes that do nothing to address the structural problem?

Posted Wed Sep 22 08:30:26 2010

dkg (with jrollins's help) gave a great talk on the Monkeysphere at The Next HOPE conference. DVDs of the talk are available for $5. Hopefully we can get a copy of the video that we can make available on the net.

Posted Sun Aug 29 12:45:35 2010

Monkeysphere 0.31 has been released.

Notes from the changelog:

  [ Daniel Kahn Gillmor ]
  * support x509 anchors for monkeysphere-host, allow shared anchor
    between m-h and m-a (closes MS #2288)
  * do not bail or fail on m-h publish-key if the admin interactively
    declines to publish one of the keys (closes MS #1945)
  * report updated expiration date upon successful conclusion of m-h
    set-expire (closes MS #2291)
  * added some files in examples/ to demonstrate system integration
    with OpenSSH

  [ Jameson Rollins ]
  * add keys-for-user subcommand to monkeysphere-authentication

Download it now!

Posted Wed Jul 21 15:10:39 2010

Version 0.3 of the Perl implementation of the Monkeysphere Validation Agent has been released.

Notes from the changelog:

  * packaging re-organization
  * properly closing piped monkeysphere call
  * restore default SIGCHLD handling for exec'ed subprocess (Closes: MS #2414)

Posted Wed Jun 16 02:44:15 2010

Version 0.4 of the Monkeysphere Xul Extension (Firefox and Iceweasel browser plugin) has been released.

When used with the Monkeysphere Validation Agent, this browser plugin allows you to validate web sites via the OpenPGP web of trust when regular X.509 validation fails.

From the changelog:

  * auto-generate install.rdf to ensure proper version numbers.

Posted Wed May 5 13:16:10 2010

Version 0.3 of the Monkeysphere Xul Extension (Firefox and Iceweasel browser plugin) has been released.

When used with the Monkeysphere Validation Agent, this browser plugin allows you to validate web sites via the OpenPGP web of trust when regular X.509 validation fails.

From the changelog:

  * Fix clearSite status menu function
  * generate icon pngs from svg source (closes #2012)
  * add BROKEN security state handling (closes #2217)

Posted Wed May 5 01:20:15 2010

Version 0.2 of the Monkeysphere Xul Extension (Firefox and Iceweasel browser plugin) has been released.

When used with the Monkeysphere Validation Agent, this browser plugin allows you to validate web sites via the OpenPGP web of trust when regular X.509 validation fails.

This is a brown paper bag release, fixing the xpi build process.

Posted Mon Apr 26 11:14:13 2010

Version 0.1 of the Monkeysphere Xul Extension (Firefox and Iceweasel browser plugin) has been released.

When used with the Monkeysphere Validation Agent, this browser plugin allows you to validate web sites via the OpenPGP web of trust when regular X.509 validation fails.

Posted Sun Apr 25 23:59:27 2010

Seth Schoen, from the EFF, will be giving a talk at Linux Fest NW entitled, "Fixing SSL security: Supplementing the certificate authority model" on Saturday at 11am.

Posted Wed Apr 21 16:05:29 2010

They aren't trusted-third-parties, they are centralised-vulnerability-parties. An article in Financial Cryptography argues "why the browsers must change their old SSL security model".

Posted Wed Apr 21 13:31:10 2010

Pushing the CA into taking responsibility for the MiTM, an interesting article which poses some interesting questions, such as "what happens when a CA MITM's its own customer?"

Posted Wed Apr 21 13:31:10 2010

Monkeysphere 0.30 has been released.

Notes from the changelog:

  * changing tarball creation and packaging strategies
  * make non-ssh parts of monkeysphere work well when openssh is not
    installed; degrade ssh-specific parts gracefully when openssh is not
    installed.

Download it now!

Posted Sat Apr 17 21:48:53 2010

Sophisticated X.509 certificate interception devices designed to collect encrypted SSL traffic based on forged 'look-alike' certificates: http://www.wired.com/threatlevel/2010/03/packet-forensics/

Posted Sat Apr 17 18:18:07 2010

A Tor developer writes about how he disables all Certificate Authorities on his system and instead selectively trusts those SSL certificates from individual websites: http://blog.torproject.org/blog/life-without-ca

Posted Sat Apr 17 18:18:07 2010

Christopher Soghoian and Sid Stamm's draft research paper entitled "Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL" presents evidence that CAs may be cooperating with government agencies to help them spy undetected on "secure" encrypted communications: http://files.cloudprivacy.net/ssl-mitm.pdf

Posted Sat Apr 17 18:18:07 2010

Bruce Schneier summarizes the current Man-in-the-Middle Attacks Against SSL: http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html

Posted Sat Apr 17 18:18:07 2010

Jake Edge writes in Linux Weekly News on The Monkeysphere: http://lwn.net/Articles/373988/

Posted Sat Apr 17 18:18:07 2010

LWN article on the business of SSL man-in-the-middle-attacks, the threat may be more practical than previously thought: http://lwn.net/Articles/380140/

Posted Sat Apr 17 18:18:07 2010

New Research Suggests That Governments May Fake SSL Certificates: https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl

Posted Sat Apr 17 18:18:07 2010

Using a MITM attack to improve security: http://milliways.chance.ru/~ark/benevolent-ssl-mitm.pdf

Posted Sat Apr 17 18:18:07 2010

Version 0.2 of the Perl implementation of the Monkeysphere Validation Agent has been released.

Notes from the changelog:

  * can now be invoked with a sub-command; will run until subcommand
    completes, and then terminate with the same return code (this is
    similar to the ssh-agent technique, and enables inclusion in
    Xsession.d; see monkeysphere 0.29 package for automatic startup).
  * chooses arbitrary open port by default (can still be specified with
    MSVA_PORT environment variable)
  * minimized logging spew by default.
  * now shipping README.schema (notes about possible future MSVA
    implementations)
  * cleanup Makefile and distribution strategies.
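
The sub-command behaviour in the first item (run a command, exit with its return code, ssh-agent style) and the arbitrary-port default, as an added example in Python. It is not msva-perl's launcher: the agent here is a stub HTTP server bound to loopback that only reports an implementation name and version, and the environment variable name MONKEYSPHERE_VALIDATION_AGENT_SOCKET is an assumption to check against your agent's documentation.

```python
"""Agent launcher in the ssh-agent style.

Added example, not msva-perl's launcher.  Start a stub agent on an ephemeral
loopback port (or MSVA_PORT if set), run a sub-command with the agent's
address in its environment, exit with the sub-command's status, then tear the
agent down.  AGENT_ENV_VAR is an assumed name.
"""
import json
import os
import subprocess
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List

AGENT_ENV_VAR = "MONKEYSPHERE_VALIDATION_AGENT_SOCKET"   # assumed name
IMPLEMENTATION = {"server": "example-msva", "version": "0"}  # constructed


class _AgentHandler(BaseHTTPRequestHandler):
    """Stub agent: every GET is answered with the implementation name/version."""

    def do_GET(self):
        body = json.dumps(IMPLEMENTATION).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep logging spew to a minimum
        pass


def run_with_agent(cmd: List[str]) -> int:
    """Run cmd with the agent address exported; return the command's exit code."""
    port = int(os.environ.get("MSVA_PORT", "0"))      # 0: the kernel picks a free port
    server = HTTPServer(("127.0.0.1", port), _AgentHandler)   # loopback only
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    env = dict(os.environ)
    env[AGENT_ENV_VAR] = f"http://127.0.0.1:{server.server_address[1]}/"
    try:
        return subprocess.call(cmd, env=env)   # the agent outlives any failure in cmd
    finally:
        server.shutdown()                      # and is torn down once cmd is done
        server.server_close()


# A child that looks the agent up through the environment and checks its answer.
CHILD_PROBE = (
    "import json, os, urllib.request;"
    f"r = json.load(urllib.request.urlopen(os.environ['{AGENT_ENV_VAR}']));"
    "raise SystemExit(0 if r.get('server') == 'example-msva' else 1)"
)


def probe_agent() -> int:
    """Exit status of a child python that queries the agent: 0 means it answered."""
    return run_with_agent([sys.executable, "-c", CHILD_PROBE])


if __name__ == "__main__":
    default = ["sh", "-c", f'echo "agent at ${AGENT_ENV_VAR}"']
    sys.exit(run_with_agent(sys.argv[1:] or default))
```

Binding to 127.0.0.1 rather than all interfaces is the part worth copying: a validation agent answers questions about what to trust, so nothing off the host should be able to ask it or impersonate it.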

Posted Mon Mar 15 15:31:27 2010