searching for keys

Henry Hertz Hobbit hhhobbit at securemecca.net
Sun Jul 14 04:33:43 CEST 2013


On 07/13/2013 09:56 PM, kardan wrote:
> Hi,
> 
> When I search for a key via browser on [1] I get an unencrypted
> answer from [2]. This happens for some keys that are only
> available on some servers. The problem is that the info about
> whose key I am searching for is presented to sniffers in
> plaintext. I think the encrypted pool should not forward to
> unencrypted web interfaces.
> 
> [1] https://hkps.pool.sks-keyservers.net/
> [2] http://keyserver.stack.nl

I am going to give this from the perspective of somebody who has
handled way too much malware.

I question the legitimacy of the first in the first place since
it doesn't even have a WHOIS record for either sks-keyservers.net
or hkps.pool.sks-keyservers.net and the browser warns that the
certificate may not be legitimate.  Since I worked with lots of
malware, this would lead me to believe I was well into the red
zone.  The IP addresses are also a little unsettling as well:

005.009.142.114   (5.9.142.114)
005.135.166.171   (5.135.166.171)
080.241.060.003   (80.241.60.3)
084.215.015.221   (84.215.15.221)
094.142.241.093   (94.142.241.93)
131.155.141.070   (131.155.141.70)
176.009.051.079   (176.9.51.79)
192.146.137.011   (192.146.137.11)

But since it is a pool service it is really their baby and you
would probably best take it up with them.  I think they would
tell you that most people would prefer the redirect than going
without the key that they are searching for.  (OTHERS:  Please
speak up if you disagree with me.)  On the other hand if you
live in the FSA, er, the USA and are searching for the keys
of the human rights advocates sitting next to Edward Snowden
recently I can understand the concern.  I am not trying to
contact those human rights activists so I am not worrying
about that.  These other things are a little unsettling unless
you know the people running the pool key service personally.
But pool services probably should hand off queries to other
servers if they don't have the keys themselves.

HHH
PS  The search for my keys was all HTTPS but I drop my
    keys onto several servers and they propagate out nicely
    to most of the others in two weeks time.
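The exchange above is about an HKPS pool member answering a key search with a redirect to a plain-HTTP keyserver, so the `search=` term (which names whose key is wanted) leaves the browser unencrypted. The Python below is an added example written for this page, not code from the thread or from the SKS project: it classifies a redirect as an HTTPS-to-HTTP downgrade and shows a `urllib` opener that refuses to follow one. It assumes the standard HKP lookup path `/pks/lookup?op=index&search=...` (not stated on the page); the sample responses and the `keyserver.example.net` host are constructed for illustration.

```python
"""Detect and refuse HTTPS -> HTTP downgrades in keyserver redirects.

Added example; the sample HTTP heads below are constructed, not captured
from any real keyserver.
"""
import urllib.error
import urllib.parse
import urllib.request

HKPS_POOL = "https://hkps.pool.sks-keyservers.net/"  # URL [1] from the thread


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def is_downgrade(request_url, location):
    """True if following `location` from an https request lands on plain http.

    Relative Location values are resolved against the request URL, so they
    inherit its scheme and are never treated as a downgrade.
    """
    src = urllib.parse.urlsplit(request_url)
    target = urllib.parse.urlsplit(urllib.parse.urljoin(request_url, location))
    return src.scheme == "https" and target.scheme == "http"


def classify_response(request_url, raw_head):
    """Return 'downgrade', 'redirect' (same scheme) or 'direct' (no redirect)."""
    code, headers = parse_response_head(raw_head)
    if 300 <= code < 400 and "location" in headers:
        return "downgrade" if is_downgrade(request_url, headers["location"]) else "redirect"
    return "direct"


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that raises instead of following https -> http."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            raise urllib.error.HTTPError(
                req.full_url, code,
                "refusing https->http redirect to %s" % newurl, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def lookup_url(search_term):
    """Build the HKP index query; the assumed path is the standard HKP one."""
    query = urllib.parse.urlencode({"op": "index", "search": search_term})
    return HKPS_POOL + "pks/lookup?" + query


def search_key(search_term, opener=None):
    """Query the pool over HTTPS; raise rather than leak the search term over http."""
    opener = opener or urllib.request.build_opener(NoDowngradeRedirectHandler())
    with opener.open(lookup_url(search_term), timeout=20) as resp:
        return resp.geturl(), resp.read()


# Constructed sample response heads (hypothetical host, hypothetical key id).
SAMPLE_DOWNGRADE = """HTTP/1.1 302 Found
Location: http://keyserver.example.net/pks/lookup?op=index&search=0xDEADBEEF
Content-Length: 0
"""
SAMPLE_SAME_SCHEME = """HTTP/1.1 302 Found
Location: https://keyserver.example.net/pks/lookup?op=index&search=0xDEADBEEF
Content-Length: 0
"""
SAMPLE_DIRECT = """HTTP/1.1 200 OK
Content-Type: text/html
"""

if __name__ == "__main__":
    url = lookup_url("0xDEADBEEF")
    for label, head in (("downgrade", SAMPLE_DOWNGRADE),
                        ("same-scheme", SAMPLE_SAME_SCHEME),
                        ("direct", SAMPLE_DIRECT)):
        print(label, "->", classify_response(url, head))
```

`classify_response` is the offline check a pool operator or user could run over captured response heads; `search_key` is the live variant, which fails closed on a downgrade instead of silently completing the lookup over HTTP.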
