News Monkeysphere http://web.monkeysphere.info/news/ Monkeysphere ikiwiki 2011-05-21T14:04:43Z
Fedora port now available! http://web.monkeysphere.info/news/Fedora-port-available/ 2011-05-21T14:04:43Z 2011-05-21T14:04:43Z
<p>Monkeysphere 0.35 for Fedora (f14-f16) is now available. A big thanks to Bernie
Innocenti for the work!</p>
<p>If you are running Fedora, all you need to do to install monkeysphere
is the following:</p>
<pre>
# yum install monkeysphere
</pre>
<p>For other methods, please visit our <a href="http://web.monkeysphere.info/news/../download/">Download</a> area.</p>
xul-ext-monkeysphere 0.6 released! http://web.monkeysphere.info/news/xul-ext-monkeysphere-0.6/ 2011-03-12T00:10:52Z 2011-03-12T00:10:52Z
<p>xul-ext-monkeysphere 0.6 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* bump MaxVersion to 4.0.* (Thanks to tmarble for testing 4.0b10! dkg
takes responsibility for the 4.0.* testing)
* add pt-BR localization (Thanks, rhatto!)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
msva-perl 0.8 released! http://web.monkeysphere.info/news/msva-perl-0.8/ 2010-12-20T18:41:39Z 2010-12-20T18:41:39Z
<p>msva-perl 0.8 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* Minor bugfix release!
* Avoid indirect object creation (thanks to intrigeri for pointing this out).
* Bug fix for unused option provided to gpgkeys_hkpms.
* Allow use of hkpms keyservers from gpg.conf
* Allow the use of ports in hostnames (closes MS # 2665)
* Do not report self-sigs as other certifiers (but report valid,
non-matching identities independently) (closes MS # 2569)
* List certifiers only once (closes MS # 2573)
* Enable the use of --keyserver-options http-proxy for gpgkeys_hkpms
(includes support for socks proxies) (closes MS # 2677)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
msva-perl 0.7 released! http://web.monkeysphere.info/news/msva-perl-0.7/ 2010-12-16T01:15:40Z 2010-12-16T01:15:40Z
<p>msva-perl 0.7 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* updated msva-query-agent documentation
* added gpgkeys_hkpms for monkeysphere-authenticated HKPS access
(closes MS #2016)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
xul-ext-monkeysphere 0.5 released! http://web.monkeysphere.info/news/xul-ext-monkeysphere-0.5/ 2010-12-16T00:49:32Z 2010-12-16T00:49:32Z
<p>xul-ext-monkeysphere 0.5 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* code cleanup
* add log_level preference.
* bump MaxVersion from 3.6.* to 4.0b7 for firefox/iceweasel (thanks to
jaywalk and simonft for testing!)
* internationalize extension, add fr-FR localization (Thanks, julm!)
* add nl-NL localization (Thanks, kwadronaut!)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
msva-perl 0.6 released! http://web.monkeysphere.info/news/msva-perl-0.6/ 2010-11-14T21:23:15Z 2010-11-14T21:23:15Z
<p>msva-perl 0.6 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* Add new element to JSON syntax allowing request to override
keyserver_policy (closes MS #2542)
* Do not kill off child handling processes on HUP -- let them finish
their queries.
* Refactor logging code
* If we have Gtk2, Linux::Inotify2, and AnyEvent, we should monitor for
updates and prompt the user when we notice one. (closes MS #2540)
* Added tests/basic, as a simple test of a few functions (closes MS #2537)
* fixed double-prompting on sites that have more than one User ID
(closes MS #2567)
* report server implementation name and version with every query (closes
MS #2564)
* support x509pem, opensshpubkey, and rfc4716 PKC formats in addition to
x509der (addresses MS #2566)
* add new peer type categorization (closes MS #2568) -- peers of type
client can have much more flexible names than regular hostnames we
look for for servers.
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
monkeysphere 0.35 released! http://web.monkeysphere.info/news/monkeysphere-0.35/ 2010-11-14T05:21:25Z 2010-11-14T05:21:25Z
<p>monkeysphere 0.35 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* Remove reference to USE_VALIDATION_AGENT.
* Fix ssh_proxycommand for marginal hosts (closes MS #2593)
* GnuPG should always behave as --fixed-list-mode (closes MS #2587)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere project publishes experimental GnuPG::Interface version in APT repository http://web.monkeysphere.info/news/publishing-GnuPG-Interface/ 2010-11-09T14:35:32Z 2010-11-09T14:32:09Z
<p>It was
<a href="https://labs.riseup.net/code/issues/2579">recently pointed out</a> that
version 0.5 of the Perl implementation of the Monkeysphere
validation agent depends on more recent versions of GnuPG::Interface
than can be found in Ubuntu, or in the stable, testing, or unstable
Debian repositories. The needed version of GnuPG::Interface is
currently only available in package form from Debian's experimental
repository.</p>
<p>msva-perl 0.5 is experimental as well, due to this dependency. So
we're now shipping the needed version of GnuPG::Interface in
<a href="http://web.monkeysphere.info/apt">the Monkeysphere APT repository</a>.</p>
Monkeysphere security issue: CVE-2010-4096 http://web.monkeysphere.info/news/CVE-2010-4096/ 2010-10-29T16:38:51Z 2010-10-29T16:38:51Z
<p>Monkeysphere version 0.31 introduced a vulnerability which could allow
an arbitrary code execution attack as the 'monkeysphere' system
account, if the superuser were to run the command
"monkeysphere-authentication keys-for-user". Depending on the
configuration of the host, access to this system account can
potentially grant access to other accounts.</p>
<p>The problem also existed in version 0.32 but was resolved in version
0.33. Versions prior to 0.31 were not affected.</p>
<p>If you are running one of the versions with this issue, it is highly
recommended that you update as soon as possible. </p>
<p>A CVE reference identifier was released for this issue:
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4096">CVE-2010-4096</a></p>
<p>For more information, please see the <a href="https://lists.riseup.net/www/arc/monkeysphere/2010-10/msg00066.html">mailing list post about the
issue</a>.</p>
monkeysphere 0.34 released! http://web.monkeysphere.info/news/monkeysphere-0.34/ 2010-10-26T16:33:49Z 2010-10-26T16:33:49Z
<p>monkeysphere 0.34 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* fix keys-for-user so that it outputs proper authorized_keys lines
(close MS #2550)
* refactor key processing for key files, greatly reducing redundant code
paths
* update authorized_keys and known_hosts in temp files that are
atomically moved into place
* don't fail if authorized_keys file not already present (Closes: 600644)
* document CHECK_KEYSERVER in monkeysphere-authentication man page
(close MS #2556)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
monkeysphere 0.33 released! http://web.monkeysphere.info/news/monkeysphere-0.33/ 2010-10-15T22:49:33Z 2010-10-15T22:49:33Z
<p>monkeysphere 0.33 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
[ Daniel Kahn Gillmor ]
* defaulting MONKEYSPHERE_HASH_KNOWN_HOSTS to false
(closes MS #2483)
[ Jameson Rollins ]
* fix security vulnerability in parsing userids in
monkeysphere-authentication keys-for-user (Closes: #600304)
* fix failure after first invalid key in monkeysphere-authentication
keys-for-user (closes MS #2545)
* ignore command options in monkeysphere-authentication keys-for-user
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
msva-perl 0.5 released! http://web.monkeysphere.info/news/msva-perl-0.5/ 2010-10-14T19:52:22Z 2010-10-14T19:52:22Z
<p>msva-perl 0.5 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* If ${MSVA_KEYSERVER} is unset or blank, default to using keyserver
from ${GNUPGHOME}/gpg.conf if that file exists. (addresses MS #2080)
* Under Linux, report details about the requesting process if we can
learn them from /proc (closes MS #2005)
* Conditionally rely on Gtk2 perl module -- no marginal UI without it,
but you can also install the MSVA now without needing to pull in a
bunch of Gtk libs (closes MS #2514)
* Sending a SIGHUP to the running server now re-execs it cleanly,
keeping the same port assignments and monitoring the same child
process. This can be used to upgrade running msva instances after a
package update (closes MS #2532)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
We-Must-Fix-HTTPS http://web.monkeysphere.info/news/We-Must-Fix-HTTPS/ 2010-10-08T15:54:48Z 2010-10-08T15:49:04Z
<p>Chris Palmer's presentation "We Must Fix HTTPS":</p>
<ul>
<li><a href="https://docs.google.com/present/view?id=df9sn445_206ff3kn9gs">HTML version (javascript googledoc presentation)</a></li>
<li><a href="https://docs.google.com/present/export?format=pdf&up=1&bg=1&inline=0&id=df9sn445_206ff3kn9gs&notes=0">static PDF version</a></li>
</ul>
ArchLinux Packages Available http://web.monkeysphere.info/news/ArchLinux-packages-available/ 2010-10-08T13:03:04Z 2010-10-08T12:58:59Z
<p>ArchLinux packages are now available for monkeysphere and msva-perl; you can find them on AUR:</p>
<p><a href="http://aur.archlinux.org/packages.php?ID=41553">monkeysphere</a></p>
<p><a href="http://aur.archlinux.org/packages.php?ID=41555">msva-perl</a></p>
<p>If you use ArchLinux and these packages, please give us some feedback on them!</p>
msva-perl 0.4 released! http://web.monkeysphere.info/news/msva-perl-0.4/ 2010-10-07T06:45:47Z 2010-10-07T06:45:47Z
<p>msva-perl 0.4 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* removed dependency on monkeysphere package -- just invoke GnuPG
directly (needs GnuPG::Interface, Regexp::Common) (closes MS #2034)
* adds MSVA_KEYSERVER_POLICY and MSVA_KEYSERVER environment variables.
* added a marginal UI (needs Gtk2 perl module) (closes MS #2004)
* Filter incoming uids to match a strict regex (closes MS #2270)
* Trivially untaint the environment for the single child process
(closes MS #2461)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere 0.32 released! http://web.monkeysphere.info/news/release-0.32/ 2010-10-07T06:45:47Z 2010-10-07T06:45:47Z
<p>Monkeysphere 0.32 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
[ Jameson Rollins ]
* Fix specification of install paths in all scripts and man pages
(closes MS #2491)
* Fix need for single argument to gpg_sphere (thanks Clint)
(closes MS #442)
* specify LC_ALL=C for all gpg calls
(closes MS #2496)
[ Micah Anderson ]
* fix monkeysphere-host revoke-key, which never worked properly :(
* add some debug output to monkeysphere-host publish-key
(closes MS #2289)
[ Clint Adams ]
* add support for options to the authorized User IDs file. Options that
should apply to keys for a given User ID should be on
whitespace-prefixed lines immediately following that User ID.
(closes MS #440)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
internet secret backdoor http://web.monkeysphere.info/news/internet_secret_backdoor/ 2010-09-22T12:30:26Z 2010-09-22T12:30:26Z
<p>Danny O'Brien has written an interesting article in <a href="http://slate.com">Slate</a>
entitled <a href="http://www.slate.com/id/2265204">"The Internet's Secret Back Door: Web users in the United Arab
Emirates have more to worry about than having just their BlackBerries
cracked."</a> which details how MitM
attacks can be facilitated by any of a few hundred CA-delegates. It discusses
the CA company CyberTrust, which is the government-connected mobile company in
the UAE.</p>
<p>A spirited discussion follows up on <a href="http://www.schneier.com/blog/archives/2010/09/uae_man-in-the-.html">Schneier's
blog</a>.</p>
<p>The <a href="http://www.eff.org/deeplinks/2010/08/open-letter-verizon">EFF also calls out Verizon on this
issue</a>, asserting
that the Etisalat Certificate Authority threatens web security.</p>
<p>The <a href="http://www.nytimes.com/2010/08/14/technology/14encrypt.html?_r=1">New York Times also picks up the
story</a>.</p>
<p>Behind the scenes, on <a href="http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/381acf2eca0c011f#">mozilla.dev.security.policy the issue is
discussed</a>. </p>
<p>Now that the certificate cartel issue is becoming more and more widely known as a
problem among the wider public, what will happen? Will outcries over specific CAs
result in changes that do nothing to address the structural problem? </p>
Next HOPE talk video available http://web.monkeysphere.info/news/Next_HOPE_talk_video_available/ 2010-08-29T16:45:35Z 2010-08-29T16:45:35Z
<p>dkg (with jrollins's help) gave a great talk on the Monkeysphere at
<a href="http://thenexthope.org/">The Next HOPE conference</a>.
<a href="http://store.2600.com/mofiauonnet.html">DVDs of the talk are available for $5.</a>
Hopefully we can get a copy of the video that we can make available on
the net.</p>
DebConf10 talk video available http://web.monkeysphere.info/news/DebConf10_talk_video_available/ 2010-08-29T16:38:21Z 2010-08-29T16:38:21Z
<p><a href="http://penta.debconf.org/dc10_schedule/events/572.en.html">Videos for the Monkeysphere talk at DebConf10 are now available!</a></p>
Monkeysphere 0.31 released! http://web.monkeysphere.info/news/release-0.31/ 2010-07-21T19:10:39Z 2010-07-21T19:10:39Z
<p>Monkeysphere 0.31 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
[ Daniel Kahn Gillmor ]
* support x509 anchors for monkeysphere-host, allow shared anchor
between m-h and m-a (closes MS #2288)
* do not bail or fail on m-h publish-key if the admin interactively
declines to publish one of the keys (closes MS #1945)
* report updated expiration date upon successful conclusion of m-h
set-expire (closes MS #2291)
* added some files in examples/ to demonstrate system integration
with OpenSSH
[ Jameson Rollins ]
* add keys-for-user subcommand to monkeysphere-authentication
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere Validation Agent (Perl) 0.3 released! http://web.monkeysphere.info/news/msva-perl-0.3/ 2010-06-16T06:44:15Z 2010-06-16T06:44:15Z
<p>Version 0.3 of the Perl implementation of the Monkeysphere Validation
Agent has been released.</p>
<p>Notes from the changelog:</p>
<pre>
* packaging re-organization
* properly closing piped monkeysphere call
* restore default SIGCHLD handling for exec'ed subprocess (Closes: MS #2414)
</pre>
Monkeysphere Xul Extension (Firefox Browser Plugin) 0.4 released! http://web.monkeysphere.info/news/xul-ext-0.4/ 2010-05-05T17:16:10Z 2010-05-05T17:16:10Z
<p>Version 0.4 of the Monkeysphere Xul Extension (Firefox and Iceweasel
browser plugin) has been released.</p>
<p>When used with the Monkeysphere Validation Agent, this browser plugin
allows you to validate web sites via the OpenPGP web of trust when
regular X.509 validation fails.</p>
<p>From the changelog:</p>
<pre>
* auto-generate install.rdf to ensure proper version numbers.
</pre>
Monkeysphere Xul Extension (Firefox Browser Plugin) 0.3 released! http://web.monkeysphere.info/news/xul-ext-0.3/ 2010-05-05T05:20:15Z 2010-05-05T05:20:15Z
<p>Version 0.3 of the Monkeysphere Xul Extension (Firefox and Iceweasel
browser plugin) has been released.</p>
<p>When used with the Monkeysphere Validation Agent, this browser plugin
allows you to validate web sites via the OpenPGP web of trust when
regular X.509 validation fails.</p>
<p>From the changelog:</p>
<pre>
* Fix clearSite status menu function
* generate icon pngs from svg source (closes #2012)
* add BROKEN security state handling (closes #2217)
</pre>
Monkeysphere Xul Extension (Firefox Browser Plugin) 0.2 released! http://web.monkeysphere.info/news/xul-ext-0.2/ 2010-04-26T15:14:13Z 2010-04-26T15:14:13Z
<p>Version 0.2 of the Monkeysphere Xul Extension (Firefox and Iceweasel
browser plugin) has been released.</p>
<p>When used with the Monkeysphere Validation Agent, this browser plugin
allows you to validate web sites via the OpenPGP web of trust when
regular X.509 validation fails.</p>
<p>This is a brown paper bag release, fixing the xpi build process.</p>
Monkeysphere Xul Extension (Firefox Browser Plugin) 0.1 released! http://web.monkeysphere.info/news/xul-ext-0.1/ 2010-04-26T15:14:13Z 2010-04-26T03:59:27Z
<p>Version 0.1 of the Monkeysphere Xul Extension (Firefox and Iceweasel
browser plugin) has been released.</p>
<p>When used with the Monkeysphere Validation Agent, this browser plugin
allows you to validate web sites via the OpenPGP web of trust when
regular X.509 validation fails.</p>
Fixing SSL security talk http://web.monkeysphere.info/news/Fixing_SSL_Security/ 2010-04-21T20:05:29Z 2010-04-21T20:05:29Z
<p>Seth Schoen, from the EFF, will be giving a talk at <a href="http://linuxfestnorthwest.org">Linux Fest NW</a> entitled, <a href="http://linuxfestnorthwest.org/sessions/fixing-ssl-security-supplementing-certificate-authority-model">"Fixing SSL security: Supplementing the certificate authority model"</a> on Saturday at 11am. </p>
Centralized Vulnerability Parties http://web.monkeysphere.info/news/Centralized_Vulnerability_Party/ 2010-04-21T17:31:10Z 2010-04-21T17:31:10Z
<p>They aren't trusted-third-parties, they are centralised-vulnerability-parties. <a href="https://financialcryptography.com/mt/archives/001232.html">An article in Financial Cryptography</a> argues "why the browsers must change their old SSL security model".</p>
Pushing the CA to Take Responsibility for the MiTM http://web.monkeysphere.info/news/CA_Responsibility_for_MiTM/ 2010-04-21T17:31:10Z 2010-04-21T17:31:10Z
<p>Pushing the CA into taking responsibility for the MiTM: <a href="https://financialcryptography.com/mt/archives/001233.html">an interesting article</a> which poses some interesting questions, such as "what happens when a CA MITM's its own customer?" </p>
Monkeysphere 0.30 released! http://web.monkeysphere.info/news/release-0.30/ 2010-04-18T01:48:53Z 2010-04-18T01:48:53Z
<p>Monkeysphere 0.30 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* changing tarball creation and packaging strategies
* make non-ssh parts of monkeysphere work well when openssh is not
installed; degrade ssh-specific parts gracefully when openssh is not
installed.
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Wired Magazine on Packet Forensics http://web.monkeysphere.info/news/Wired_Magazine_on_Packet_Forensics/ 2010-04-17T22:18:07Z 2010-04-17T22:18:07Z
<p>Sophisticated X.509 certificate interception devices designed to collect encrypted SSL traffic based on forged 'look-alike' certificates: <a href="http://www.wired.com/threatlevel/2010/03/packet-forensics/">http://www.wired.com/threatlevel/2010/03/packet-forensics/</a></p>
Life Without a CA http://web.monkeysphere.info/news/Life_Without_a_CA/ 2010-04-17T22:18:07Z 2010-04-17T22:18:07Z
<p>A Tor developer writes about how he disables all Certificate Authorities on his system and instead selectively trusts those SSL certificates from individual websites: <a href="http://blog.torproject.org/blog/life-without-ca">http://blog.torproject.org/blog/life-without-ca</a></p>
CA Cooperation with Governments http://web.monkeysphere.info/news/CA_Cooperation_with_Governments/ 2010-04-21T17:31:10Z 2010-04-17T22:18:07Z
<p>Christopher Soghoian and Sid Stamm's draft research paper entitled "Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL" presents evidence that CAs may be cooperating with government agencies to help them spy undetected on "secure" encrypted communications: <a href="http://files.cloudprivacy.net/ssl-mitm.pdf">http://files.cloudprivacy.net/ssl-mitm.pdf</a></p>
Schneier on Man-in-the-Middle Attacks http://web.monkeysphere.info/news/schneier-summarizes-mitm/ 2010-04-17T22:18:07Z 2010-04-17T22:18:07Z
<p>Bruce Schneier summarizes the current Man-in-the-Middle Attacks Against SSL: <a href="http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html">http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html</a></p>
LWN Security Article (Discusses Monkeysphere) http://web.monkeysphere.info/news/LWN_Security_Article_on_Monkeysphere/ 2010-04-17T22:18:07Z 2010-04-17T22:18:07Z
<p>Jake Edge writes in Linux Weekly News on The Monkeysphere: <a href="http://lwn.net/Articles/373988/">http://lwn.net/Articles/373988/</a></p>
The Business of SSL MITM Attacks http://web.monkeysphere.info/news/lwn-mitm/ 2010-04-17T22:18:07Z 2010-04-17T22:18:07Z
<p>LWN article on the business of SSL man-in-the-middle attacks; the threat may be more practical than previously thought: <a href="http://lwn.net/Articles/380140/">http://lwn.net/Articles/380140/</a></p>
EFF: Governments may fake SSL certs http://web.monkeysphere.info/news/EFF:_Governments_may_fake_SSL_certs/ 2010-04-17T22:18:07Z 2010-04-17T22:18:07Z
<p>New Research Suggests That Governments May Fake SSL Certificates: <a href="https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl">https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl</a></p>
Benevolent Man in the Middle Attacks http://web.monkeysphere.info/news/Benevolent_Man_in_the_Middle_Attacks/ 2010-04-17T22:18:07Z 2010-04-17T22:18:07Z
<p>Using a MITM attack to improve security:
<a href="http://milliways.chance.ru/~ark/benevolent-ssl-mitm.pdf">http://milliways.chance.ru/~ark/benevolent-ssl-mitm.pdf</a></p>
Monkeysphere Validation Agent (Perl) 0.2 released! http://web.monkeysphere.info/news/msva-perl-0.2/ 2010-03-21T21:47:50Z 2010-03-15T19:31:27Z
<p>Version 0.2 of the Perl implementation of the Monkeysphere Validation
Agent has been released.</p>
<p>Notes from the changelog:</p>
<pre>
* can now be invoked with a sub-command; will run until subcommand
completes, and then terminate with the same return code (this is
similar to the ssh-agent technique, and enables inclusion in
Xsession.d; see monkeysphere 0.29 package for automatic startup).
* chooses arbitrary open port by default (can still be specified with
MSVA_PORT environment variable)
* minimized logging spew by default.
* now shipping README.schema (notes about possible future MSVA
implementations)
* cleanup Makefile and distribution strategies.
</pre>
Monkeysphere 0.29 released! http://web.monkeysphere.info/news/release-0.29/ 2010-03-21T21:47:50Z 2010-03-15T05:02:56Z
<p>Monkeysphere 0.29 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* This is mainly a bugfix release
* Fix man page typo about monkeysphere authorized_keys location
* Monkeysphere should work properly even if the user has "armor" in
their gpg.conf (closes MS #1625)
* monkeysphere keys-for-userid now respects MONKEYSPHERE_CHECK_KEYSERVER
environment variable (and defaults to true)
* introduce monkeysphere sshfprs-for-userid (deprecates sshfpr), closes
MS #1436
* respect CHECK_KEYSERVER in more places (closes MS #1997)
* warn on keyserver failures for monkeysphere-authentication (closes MS
#1750)
* avoid checking trustdb for monkeysphere-host (closes MS #1957)
* allow monkeysphere-authentication to use hkps with trusted X.509 root
certificate authorities in
/etc/monkeysphere/monkeysphere-authentication-x509-anchors.crt
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere 0.28 released! http://web.monkeysphere.info/news/release-0.28/ 2010-03-21T21:47:50Z 2010-01-19T18:59:18Z
<p>Monkeysphere 0.28 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* Major rework of monkeysphere-host to handle multiple host keys. We
also no longer assume ssh service keys. monkeysphere-host is now a
general-purpose host service OpenPGP key management UI.
* Rename keys-from-userid command to more accurate keys-for-userid
* separate upstream and debian changelogs
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere 0.27-1 released! http://web.monkeysphere.info/news/release-0.27-1/ 2010-03-21T21:47:50Z 2010-01-12T01:57:17Z
<p>Monkeysphere 0.27-1 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* New upstream release:
- fixed monkeysphere gen-subkey subcommand that was erroneously
creating DSA subkeys due to unannounced change in gpg edit-key UI.
Now tests for gpg version (closes MS #1536)
- add new monkeysphere keys-from-userid subcommand to output all
acceptable keys for a given user ID literal
* updated debian/copyright to match the latest revision of DEP5.
* updated standards version to 3.8.3 (no changes needed)
* add cpio to Build-Depends (used in test suite) (Closes: #562444)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere 0.26-1 released! http://web.monkeysphere.info/news/release-0.26-1/ 2010-03-21T21:47:50Z 2009-08-01T21:27:59Z
<p>Monkeysphere 0.26-1 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* New upstream release:
- add 'refresh-keys' subcommand to monkeysphere-authentication
- improve marginal UI (closes MS #1141)
- add MONKEYSPHERE_STRICT_MODES configuration to avoid
permission-checking (closes MS #649)
- test scripts use STRICT_MODES to avoid failure when built under /tmp
(Closes: #527765)
- do permissions checks with a perl script instead of non-portable
readlink GNUisms
- bail on permissions check if we hit the home directory (helpful on
Mac OS and other systems with loose /home or /Users) (closes MS #675)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere 0.25-1 released! http://web.monkeysphere.info/news/release-0.25-1/ 2010-03-21T21:47:50Z 2009-07-17T02:19:04Z
<p>Monkeysphere 0.25-1 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* New upstream release:
- update/fix the marginal ui output
- use msmktempdir everywhere (avoid unwrapped calls to mktemp for
portability)
- clean out some redundant "cat"s
- fix monkeysphere update-known_hosts for sshd running on non-standard
ports
- add 'sshfpr' subcommand to output the ssh fingerprint of a gpg key
- pem2openpgp now generates self-sigs over SHA-256 instead of SHA-1
(changes dependency to libdigest-sha-perl)
- some portability improvements
- properly handle translation of keys with fingerprints with leading
all-zero bytes.
- resolve symlinks when checking paths (thanks Silvio Rhatto)
(closes MS #917)
- explicitly set and use MONKEYSPHERE_GROUP from system "groups"
(closes: #534008)
- monkeysphere-host now uses keytrans to add and revoke hostname
(closes MS #422)
* update Standard-Version to 3.8.2 (no changes needed)
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere 0.24 accepted as a Debian Backport http://web.monkeysphere.info/news/0.24-available-in-Backports-org/ 2010-03-21T21:47:50Z 2009-03-23T00:01:07Z
<p>Monkeysphere 0.24 is now available at <a href="http://backports.org">Backports.org</a>.
If you are running Debian stable ("Lenny"), you can install this version
of the monkeysphere package by following the <a href="http://backports.org/dokuwiki/doku.php?id=instructions">instructions for installing
backports</a>.</p>
<p>See the <a href="http://web.monkeysphere.info/news/../download/">download</a> page for more information.</p>
Monkeysphere 0.24 accepted in Debian testing http://web.monkeysphere.info/news/0.24-accepted-in-Debian-testing/ 2010-03-21T21:47:50Z 2009-03-18T16:19:48Z
<p><a href="http://packages.debian.org/testing/monkeysphere">Monkeysphere 0.24 is now available in the Debian testing distribution
("squeeze")</a>.
Monkeysphere 0.24 is our strongest release yet. If you are running
Debian testing, installing the monkeysphere is now very easy:</p>
<pre><code> aptitude install monkeysphere
</code></pre>
<p>See the <a href="http://web.monkeysphere.info/news/../download/">download</a> page for more information.</p>
FreeBSD 0.24 port accepted http://web.monkeysphere.info/news/FreeBSD-0.24-port-accepted/ 2010-03-21T21:47:50Z 2009-03-10T21:38:57Z
<p>FreeBSD's ports tree now contains <a href="http://www.freebsd.org/cgi/ports.cgi?query=monkeysphere">a port of the
Monkeysphere</a>,
version 0.24. If you run FreeBSD, <a href="http://www.freebsd.org/doc/en/books/handbook/ports-using.html">update your ports
tree</a>,
and then:</p>
<pre><code>cd /usr/ports/security/monkeysphere
make package
</code></pre>
Monkeysphere 0.24-1 released! http://web.monkeysphere.info/news/release-0.24-1/ 2010-03-21T21:47:50Z 2009-03-04T03:05:09Z
<p>Monkeysphere 0.24-1 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* New upstream release:
- fixed how version information is stored/retrieved
- now uses perl-based keytrans for both pem2openpgp and openpgp2ssh
- no longer needs base64 in PATH
- added "test" make target
- improved transitions/0.23 script so it no longer fails in common
circumstances (Closes: #517779)
- RSA only: no longer handles DSA keys
- added ability to specify subkeys to add to ssh agent with
new MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable
* update/cleanup maintainer scripts
* remove GnuTLS dependency
* remove versioned coreutils | base64 dependency
* added Build-Deps for dh_autotest
* switch to Architecture: all
* added cron to Recommends
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere 0.23.1-1 released! http://web.monkeysphere.info/news/release-0.23.1-1/ 2010-03-21T21:47:50Z 2009-02-21T23:28:20Z
<p>Monkeysphere 0.23.1-1 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
* New Upstream "Brown Paper Bag" Release:
- adjusts internal version numbers
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Monkeysphere 0.23-1 released! http://web.monkeysphere.info/news/release-0.23-1/ 2010-03-21T21:47:50Z 2009-02-21T22:57:44Z
<p>Monkeysphere 0.23-1 has been released. </p>
<p>Notes from the changelog:</p>
<pre>
"The Golden Bezoar Release"
* New upstream release.
* rearchitect UI:
- replace monkeysphere-server with monkeysphere-{authentication,host}
- fold monkeysphere-ssh-proxycommand into /usr/bin/monkeysphere
* new ability to import existing ssh host key into monkeysphere. So now
m-a import-key replaces m-s gen-key.
* provide pem2openpgp for translating unencrypted PEM-encoded raw key
material into OpenPGP keys (introduces new perl dependencies)
* get rid of getopts dependency
* added version output option
* better checks for the existence of a host private key for
monkeysphere-host subcommands that need it.
* better checks on validity of existing authentication subkeys when
doing monkeysphere gen_subkey.
* add transition infrastructure for major changes between releases (see
transitions/README.txt)
* implement and document two new monkeysphere-host subcommands:
revoke-key and add-revoker
</pre>
<p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p>
Plans for The Golden Bezoar http://web.monkeysphere.info/news/plans-for-the-bezoar/ 2010-03-21T21:47:50Z 2009-02-04T17:21:45Z
<p>A workday with several Monkeysphere contributors on 2009-01-31
resulted in a significant reorganization of the project in several
areas, primarily driven by the realization that there are two
fundamentally different concepts on the server side: </p>
<ul>
<li>publishing host keys via the Web-of-Trust (WoT), and</li>
<li>authenticating users via the WoT.</li>
</ul>
<p>For simplicity and clarity, those two concepts should be independent
from each other, but earlier releases of the Monkeysphere tangled the
two up together more than we probably should have.</p>
<p>So the next release, version 0.23 (a.k.a. <em>The Golden Bezoar</em>) will
have the following significant changes:</p>
<ul>
<li><p><strong>user interface</strong>: <code>/usr/sbin/monkeysphere-server</code> is no more, and
its functionality will be split out into
<code>/usr/sbin/monkeysphere-host</code> (for functionality dealing with
publishing the ssh host key through the WoT) and
<code>/usr/sbin/monkeysphere-authentication</code> (for functionality dealing
with authenticating users via the
WoT). <code>/usr/bin/monkeysphere-ssh-proxycommand</code> has been folded into
<code>/usr/bin/monkeysphere</code> itself as a new subcommand.</p></li>
<li><p><strong>code</strong>: the subfunctions are now stored in their own separate
files, and sourced as-needed by the three top-level commands. The
test suite has also been re-written to reflect the above UI changes.</p></li>
<li><p><strong>documentation</strong>: in addition to making the man pages reflect the
above UI changes, we're rewriting the "getting started"
<a href="http://web.monkeysphere.info/doc/">documentation</a> to use the conceptually-cleaner distinctions
above.</p></li>
<li><p><strong>data storage</strong>: <code>/var/lib/monkeysphere</code> itself has been
re-organized with the aim of keeping the host/authentication
distinction clear, simplifying the internal use of <code>gpg</code>, and
facilitating privilege-separated access.</p></li>
</ul>
<p><em>The Golden Bezoar</em> will also feature the ability to painlessly
publish your current ssh host key to the WoT without needing to re-key
the server. If you're considering adopting the Monkeysphere in the
near future, we recommend waiting for 0.23 to be released, as it
should be conceptually clearer and easier to use.</p>