Unencrypted download of public keys

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Feb 4 08:18:39 CET 2017


On Sat 2017-02-04 01:33:56 -0500, sivmu wrote:
> When using --recv-key <id> or the gpa frontend, I noticed that the
> target public keys are still downloaded using unencrypted http. While the
> transmitted information is generally public, it does make things pretty
> easy for an adversary to collect metadata such as your contacts.
>
> This is especially relevant if you refresh your keys all at once, as
> this will leak your complete contact list to the network.
>
> Is there any reason gnupg does not use https by default to connect to
> the keyservers? I think this is an unnecessary leak of privacy.

as of 2.1.18, gnupg does use https by default to connect to the
keyserver network. :)

In particular, if you do not supply a --keyserver argument, it will use
hkps://hkps.pool.sks-keyservers.net as the default keyserver, and should
verify the certificates only against the pool-specific CA.

       --dkg
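An added check, not from this thread or from GnuPG's own tooling, that reads a dirmngr.conf-style `keyserver` line and flags plaintext hkp:// or http:// lookups, which is the metadata leak the original poster describes. The sample config is constructed; the fallback default is the hkps pool dkg names above.

```shell
#!/bin/sh
# Audit a GnuPG keyserver setting for plaintext key lookups (added example).

# Return 0 if the URL scheme carries TLS (hkps:// or https://), 1 otherwise.
keyserver_is_encrypted() {
    case "$1" in
        hkps://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the keyserver URL from config text: the first uncommented "keyserver"
# line wins; with none set, fall back to the 2.1.18+ default hkps pool.
effective_keyserver() {
    url=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*keyserver[[:space:]]\{1,\}//p' \
        | head -n 1)
    if [ -z "$url" ]; then
        url='hkps://hkps.pool.sks-keyservers.net'
    fi
    printf '%s\n' "$url"
}

# Report whether key refreshes under this config expose contact metadata.
audit_keyserver_conf() {
    ks=$(effective_keyserver "$1")
    if keyserver_is_encrypted "$ks"; then
        printf 'OK: key lookups go to %s over TLS\n' "$ks"
        return 0
    fi
    printf 'WARNING: %s sends key lookups in plaintext; a --refresh-keys exposes your contact list to the network\n' "$ks"
    return 1
}

# Constructed dirmngr.conf for the demo: the commented line must be ignored,
# the live line points at a plaintext hkp:// server.
SAMPLE_CONF='# keyserver hkps://hkps.pool.sks-keyservers.net
keyserver hkp://pool.sks-keyservers.net'

audit_keyserver_conf "$SAMPLE_CONF" || :
```

To audit a live setup, pass the contents of ~/.gnupg/dirmngr.conf (or gpg.conf on older versions) instead of SAMPLE_CONF.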