Hi!

On Sat, 2015-10-17 at 15:31:22 +0100, Antoine Amarilli wrote:
> Package: gnupg
> Version: 1.4.19-5
> Severity: wishlist
>
> By default, gpg requests keys using HKP server <keys.gnupg.net>. This allows a
> passive attacker to obtain information about the keys requested by the user,
> which may be harmful in terms of privacy.
>
> I think that gpg should be using an HKPS server by default. See e.g.,
> <https://help.riseup.net/en/security/message-security/openpgp/best-practices#use-the-sks-keyserver-pool-instead-of-one-specific-server-with-secure-connections>
>
> See also a similar bug for dirmngr:
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784286>.

It looks like this is fixed now, but not sure when it was first fixed,
will leave it up to the maintainers.

Thanks,
Guillem

