Unecrypted download of public keys
sivmu at web.de
Sat Feb 4 07:33:56 CET 2017
When using --revc-key <id> or the gpa frontend, I noticed that the
target public keys are still downloded using unencrypted http. While the
trnasmitted information is generally public, it doesmake things pretty
easy for an adversary to collect metadata such as your contacts.
This is expecially relevant if you refresh your keys all at once, as
this will leak your complete contact list to the network.
Is there any reason gnupg does not use https by default to connect to
the keyservers? I think this is an unnecessary leak of privacy.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users