X.509 certificates for https://gnupg.org

Werner Koch wk at gnupg.org
Tue Dec 17 11:04:27 CET 2013

On Tue, 17 Dec 2013 04:05, micah at micahflee.com said:

> torproject.org is pretty much an ideal example. They serve binaries of
> Tor Browser Bundle from https://www.torproject.org/ and have been
> attacked by governments all over the world, so they've put a lot of time
> and energy in doing things right. I'd like to see GPG have just as good

gnupg.org is a bit different in that in general we only provide source
code and not ready to use binaries.  Thus this is not a mainstream
download site.

Gpg4win.org, on the other hand, provides Windows installers and we [1]
even acquired a code signing certificate so that users don't complain
about the Windows message about "downloaded from the Internet; unknown
issuer".  It is well known that a lot of rogue software shows up as
valid and signed software and that this code signing does not provide
any security.  However, users want that.  Far fewer people complained
about Intevation's own CA for https access to gpg4win.org.

I am unsure what to do about CA certificates - I don't trust the global
PKIX at all.  It lures users into false security.  Thus, I believe
CAcert is just as fine as any other - it can't be better because all
root certificates are implicitly cross-signed (the browser treats them
all the same).

> (And for that matter, why do I have two cookies in my browser that
> gnupg.org set? _pk_id.1.9e41 and _pk_ses.1.9e41 -- the id one is a
> unique id, which means it can be used to track my movements through that

You must be running with JavaScript enabled ;-).  This seems to be from
Piwik, which I recently installed to gather web statistics.  I am not
really happy with that but my campaign manager said that it is really
needed and that organizations like the EFF also run Piwik.  Our privacy
policy says

  ** Analytics
  This website uses Piwik, a Free Software web analytics system, to
  monitor traffic on our Web sites. Piwik records the general
  geographical vicinity of visitors as well as their browser and
  operating system, and records their navigation within the sites. This
  helps us gauge the impact of our materials and improve our work.
  Our Piwik system preserves privacy by anonymizing visitors’ IP
  addresses. This means that we will not store any personally
  identifiable information about you, even though your visit produces a
  record that our site was visited by someone.
  Piwik also respects the “[[http://donottrack.us/][Do Not Track]]”
  preference offered by some browsers, so if you have this option set,
  Piwik will ignore your visit entirely. Details of how Piwik protects
  privacy are on [[http://piwik.org/privacy/][their website]].

I guess we will eventually switch to log file statistics which basically
returns the same information.  And also tracks those who disabled JS -
whether this is good or worse, I don't know.



[1] g10 Code and Intevation, the latter being a company I often work
    with and co-run by yet another founder of the FSFE.
Thoughts are free.  Exceptions are regulated by a federal law.
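The privacy policy quoted above describes what the analytics keeps (browser, operating system, navigation within the site) and what it discards (the full IP address), and the message mentions switching to log-file statistics that yield the same information. The following is an added example, not code from gnupg.org, Piwik or the author, of how a log-file pass can produce those aggregates while anonymizing addresses before anything is stored. The log lines are constructed samples in the common "combined" format, the mask widths (/24 for IPv4, /48 for IPv6) are this example's own choice rather than a documented gnupg.org setting, and the user-agent classification is deliberately coarse.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format.
# They are not real gnupg.org traffic; addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.42 - - [17/Dec/2013:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
203.0.113.77 - - [17/Dec/2013:10:01:05 +0100] "GET /download/index.html HTTP/1.1" 200 8192 "https://gnupg.org/index.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/31.0 Safari/537.36"
2001:db8:1234:5678:abcd:ef01:2345:6789 - - [17/Dec/2013:10:02:10 +0100] "GET /download/index.html HTTP/1.1" 200 8192 "-" "curl/7.33.0"
203.0.113.42 - - [17/Dec/2013:10:02:30 +0100] "GET /faq/index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
garbage line that does not parse
"""

# One "combined" log line: client, identity, user, timestamp, request, status,
# bytes, referer, user agent. Unparseable lines are counted and skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def anonymize_ip(ip_text):
    """Drop the host part of an address so only a network prefix is kept.

    Assumption of this example: /24 for IPv4 and /48 for IPv6. The widths are
    a policy choice; wider masks keep less geographic resolution but leak less.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def os_family(user_agent):
    """Coarse operating-system bucket; anything unrecognized is 'other'."""
    ua = user_agent
    if "Windows" in ua:
        return "Windows"
    if "Mac OS X" in ua:
        return "macOS"
    if "Linux" in ua:
        return "Linux"
    return "other"


def summarize(log_text):
    """Aggregate pages, OS families and distinct anonymized networks.

    The raw address is masked before it is used for anything, so the result
    never contains a full client IP.
    """
    pages = Counter()
    systems = Counter()
    networks = set()
    parsed = skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        parsed += 1
        networks.add(anonymize_ip(m["ip"]))      # masked, never the raw address
        pages[m["path"]] += 1
        systems[os_family(m["ua"])] += 1
    return {
        "parsed": parsed,
        "skipped": skipped,
        "pages": dict(pages),
        "systems": dict(systems),
        "networks": sorted(networks),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two repeat visits from the same /24 collapse into one network entry, which is the trade-off the policy describes: the site can still tell that it was visited and roughly from where, but cannot single out the individual host the way a persistent visitor-id cookie can.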
