Bug#802100: gnupg should fetch keys using hkps by default

2019-07-12 Thread Guillem Jover
Hi!

On Sat, 2015-10-17 at 15:31:22 +0100, Antoine Amarilli wrote:
> Package: gnupg
> Version: 1.4.19-5
> Severity: wishlist

> By default, gpg requests keys using HKP server . This allows a
> passive attacker to obtain information about the keys requested by the user,
> which may be harmful in terms of privacy.
> 
> I think that gpg should be using an HKPS server by default. See e.g.,
> 
> 
> See also a similar bug for dirmngr:
> .

It looks like this is fixed now, but I'm not sure when it was first fixed;
I'll leave it up to the maintainers.

Thanks,
Guillem



Bug#802100: gnupg should fetch keys using hkps by default

2016-01-18 Thread Strelok
On Sat, 17 Oct 2015 15:31:22 +0100 Antoine Amarilli wrote:
> Package: gnupg
> Version: 1.4.19-5
> Severity: wishlist
>
> Dear Maintainer,
>
> By default, gpg requests keys using HKP server . This allows a
> passive attacker to obtain information about the keys requested by the user,
> which may be harmful in terms of privacy.
And an HKP server is also requested when verifying the .sign file downloaded
from cdimage.debian.org. Let's assume an active attack like this:
Step 1) You try to download the ISO file from cdimage.debian.org, but a man in
the middle redirects you to the very.evil.org server.
Step 2) You download the files from very.evil.org, compare the hash to the
SHA256SUMS file, and check the SHA256SUMS file with "gpg --verify
SHA256SUMS.sign". Then you see something like "Signature made Wed 11 Nov
2015 20:08:10 GMT using DSA key ID 12345678 Can't check signature:
public key not found".
Step 3) You run "gpg --recv 12345678"... And yes, the man in the middle
redirected you to keyserver.very.evil.org with a false public key.
Step 4) You run "gpg --verify SHA256SUMS.sign" one more time... And
see "Good signature from evil hacker", because you got a false signature
with a false public key.
And this is a very big hole in security.
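The scenario above, as an added example (not code from this thread): a POSIX sh check that defeats steps 3 and 4 by accepting a signature only when gpg's machine-readable status output names a fingerprint pinned out of band; fetching over hkps:// (the subject of this bug) protects the keyserver connection but does not by itself make a key fetched by short key ID trustworthy. The fingerprint, keyserver host and status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the bug thread). Accept a detached signature only
# when gpg's machine-readable VALIDSIG line carries a fingerprint pinned out of
# band; the "Good signature from ..." text and an 8-hex-digit key ID are not
# enough, because a look-alike key with the same short ID can be served by a
# hostile keyserver. The fingerprint and host below are constructed placeholders.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder, not a real key
KEYSERVER="hkps://keyserver.example"                       # placeholder host

# Usage in practice (needs network, so not run by the demo below):
#   gpg --keyserver "$KEYSERVER" --recv-keys "$EXPECTED_FPR"   # fetch by full fingerprint over TLS
#   gpg --status-fd 1 --verify SHA256SUMS.sign SHA256SUMS | verify_status "$EXPECTED_FPR"
# (gnupg 2.1+ reads the keyserver setting from dirmngr.conf instead of gpg.conf.)

# verify_status: read "[GNUPG:] ..." status lines on stdin; return 0 only if a
# VALIDSIG line names the expected fingerprint and no negative verdict appears.
verify_status() {
    expected="$1"
    result=1
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                fpr="${rest%% *}"       # signing (sub)key fingerprint
                primary="${rest##* }"   # last field: primary key fingerprint, if present
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    result=0
                fi
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                echo "rejected: $keyword $rest" >&2
                return 1
                ;;
        esac
    done
    return "$result"
}

# Stand-alone demo with constructed status lines, modelling step 4 above: a
# "Good signature" from a look-alike key whose short ID matches (01234567) but
# whose full fingerprint does not.
if verify_status "$EXPECTED_FPR" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7654321001234567 evil hacker
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321001234567 2015-11-11 1447272490 0 4 0 17 8 00 FEDCBA9876543210FEDCBA987654321001234567
EOF
then echo "accepted"; else echo "rejected: fingerprint mismatch"; fi
```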



Bug#802100: gnupg should fetch keys using hkps by default

2015-10-17 Thread Antoine Amarilli
Package: gnupg
Version: 1.4.19-5
Severity: wishlist

Dear Maintainer,

By default, gpg requests keys using HKP server . This allows a
passive attacker to obtain information about the keys requested by the user,
which may be harmful in terms of privacy.

I think that gpg should be using an HKPS server by default. See e.g.,


See also a similar bug for dirmngr:
.

Best regards,

-- 
Antoine Amarilli


-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  gpgv          1.4.19-5
ii  libbz2-1.0    1.0.6-8
ii  libc6         2.19-22
ii  libreadline6  6.3-8+b3
ii  libusb-0.1-4  2:0.1.12-27
ii  zlib1g        1:1.2.8.dfsg-2+b1

Versions of packages gnupg recommends:
ii  gnupg-curl     1.4.19-5
ii  libldap-2.4-2  2.4.42+dfsg-2

Versions of packages gnupg suggests:
ii  eog           3.18.0-1
pn  gnupg-doc
ii  imagemagick   8:6.8.9.9-6
ii  libpcsclite1  1.8.14-1
ii  parcimonie    0.9-3

-- debconf-show failed