Unencrypted download of public keys

sivmu sivmu at web.de
Sat Feb 4 07:33:56 CET 2017


When using --recv-key <id> or the gpa frontend, I noticed that the
target public keys are still downloaded using unencrypted http. While the
transmitted information is generally public, it does make things pretty
easy for an adversary to collect metadata such as your contacts.

This is especially relevant if you refresh your keys all at once, as
this will leak your complete contact list to the network.

Is there any reason gnupg does not use https by default to connect to
the keyservers? I think this is an unnecessary leak of privacy.

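A small defender-side check for the concern raised above, added here as an example and not part of the original message or of GnuPG: it scans `keyserver` directives in the style of gpg.conf / dirmngr.conf and flags those whose scheme sends lookups in the clear. The host names are constructed, and the treatment of a scheme-less name as hkp is an assumption noted in the code.

```python
"""Audit GnuPG keyserver directives for plaintext transports (added example)."""
import re
from urllib.parse import urlsplit

# Schemes that carry keyserver traffic inside TLS.
ENCRYPTED_SCHEMES = {"hkps", "https", "ldaps"}
# Schemes that carry it in the clear; hkp is plain HTTP on port 11371, so
# every key you fetch or refresh reveals the key ID to anyone on the path.
PLAINTEXT_SCHEMES = {"hkp", "http", "ldap", "finger"}

# Constructed sample of directives as they might appear in gpg.conf or
# dirmngr.conf (host names are placeholders, not real keyservers).
SAMPLE_CONFIG = """\
# keyserver settings
keyserver hkp://keyserver.example.test
keyserver hkps://keyserver.example.test
keyserver-options auto-key-retrieve
#keyserver http://old.example.test
keyserver ldap://ldap.example.test
keyserver keys2.example.test
"""


def audit_keyserver_lines(config_text):
    """Return (line_no, url, verdict) for each active 'keyserver' directive."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"^keyserver\s+(\S+)$", line)
        if not match:
            continue  # blank, comment, or a different option such as keyserver-options
        url = match.group(1)
        scheme = urlsplit(url).scheme.lower() if "://" in url else ""
        if scheme in ENCRYPTED_SCHEMES:
            verdict = "encrypted"
        elif scheme in PLAINTEXT_SCHEMES or scheme == "":
            # Assumption: a bare host name is treated as hkp, i.e. plaintext.
            verdict = "plaintext"
        else:
            verdict = "unknown"
        findings.append((line_no, url, verdict))
    return findings


def plaintext_keyservers(config_text):
    """URLs that should be switched to an hkps:// or https:// keyserver."""
    return [url for _, url, verdict in audit_keyserver_lines(config_text)
            if verdict == "plaintext"]
```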


More information about the Gnupg-users mailing list