Unencrypted download of public keys

sivmu sivmu at web.de
Sat Feb 4 21:14:50 CET 2017



On 04.02.2017 at 08:18, Daniel Kahn Gillmor wrote:
> On Sat 2017-02-04 01:33:56 -0500, sivmu wrote:
>> When using --recv-key <id> or the gpa frontend, I noticed that the
>> target public keys are still downloaded using unencrypted http. While the
>> transmitted information is generally public, it does make things pretty
>> easy for an adversary to collect metadata such as your contacts.
>>
>> This is especially relevant if you refresh your keys all at once, as
>> this will leak your complete contact list to the network.
>>
>> Is there any reason gnupg does not use https by default to connect to
>> the keyservers? I think this is an unnecessary leak of privacy.
> 
> as of 2.1.18, gnupg does use https by default to connect to the
> keyserver network. :)
> 
> In particular, if you do not supply a --keyserver argument, it will use
> hkps://hkps.pool.sks-keyservers.net as the default keyserver, and should
> verify the certificates only against the pool-specific CA.
> 
>        --dkg
> 

I suppose this config did not change after upgrading from 2.1.17.
Just tested it on 2.1.18 using arch and it still uses http on my setup.

But this would be rather an issue with the distro, correct?
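A quick way to check the situation described in this thread, as an added example that is not from the original post: a POSIX shell function that reads the last uncommented `keyserver` line of a GnuPG config file (dirmngr.conf or gpg.conf; the file paths and sample contents below are constructed) and reports whether the configured transport is encrypted.

```shell
#!/bin/sh
# Report the transport of the keyserver configured in a GnuPG 2.1 config file.
# Assumption: as with GnuPG itself, the last uncommented "keyserver" line wins,
# and an explicit hkp:// line overrides the hkps default built into 2.1.18+.
keyserver_scheme() {
    conf="$1"
    url=$(grep -E '^[[:space:]]*keyserver[[:space:]]+' "$conf" 2>/dev/null \
          | tail -n 1 | awk '{print $2}')
    if [ -z "$url" ]; then
        echo "none"          # no explicit line: the built-in default applies
        return 0
    fi
    case "$url" in
        hkps://*|https://*) echo "encrypted" ;;
        hkp://*|http://*)   echo "cleartext" ;;
        *)                  echo "other" ;;
    esac
}

# Constructed sample: a config line carried over from an older install,
# then the same file rewritten to use the hkps pool and its pool-specific CA.
demo=$(mktemp -d)
printf 'keyserver hkp://pool.sks-keyservers.net\n' > "$demo/dirmngr.conf"
echo "old config:   $(keyserver_scheme "$demo/dirmngr.conf")"   # cleartext
printf 'keyserver hkps://hkps.pool.sks-keyservers.net\nhkp-cacert %s\n' \
       "$demo/sks-keyservers.netCA.pem" > "$demo/dirmngr.conf"
echo "fixed config: $(keyserver_scheme "$demo/dirmngr.conf")"   # encrypted
rm -rf "$demo"
```

A leftover `keyserver hkp://...` line in dirmngr.conf or gpg.conf explains why an upgraded 2.1.18 install can still fetch over cleartext http; note that the sks-keyservers.net pool itself was shut down in 2021, so current installs need a different keyserver anyway.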
