Re: Unencrypted download of public keys

2017-02-04 Thread sivmu


On 04.02.2017 at 23:27, Daniel Kahn Gillmor wrote:
> On Sat 2017-02-04 15:14:50 -0500, sivmu wrote:
>> I suppose this config did not change after upgrading from 2.1.17.
>> Just tested it on 2.1.18 using arch and it still uses http on my setup.
> 
> it's not a config change -- it's a defaults change.
> 
> in the old arrangement, if you didn't specify a keyserver, you couldn't
> get anything at all, so many people put some keyserver in their
> configuration manually.
> 
> if you have a "keyserver" listed in your config manually, then you are
> *overriding* the default.  And yes, if you list foo.example.com, it will
> connect to that server in the clear (just as if you put
> hkps://foo.example.com then it would connect using TLS).
> 
> Did you try this with no explicit "keyserver" directive?
> 
>> But this would be rather an issue with the distro, correct?
> 
> It may be an issue with your distro, i don't know how arch has packaged
> 2.1.18.
> 
> all the best,
> 
> --dkg
> 

This is the script for the arch gnupg package:
https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gnupg

But I do not see any sign of overriding the defaults and I never changed
the settings either.

I might just set up a new arch system in a VM and test this on a clean
installation to make sure I did not mess something up.


Could it be that installing gpa changed the defaults?
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Unencrypted download of public keys

2017-02-04 Thread Daniel Kahn Gillmor
On Sat 2017-02-04 15:14:50 -0500, sivmu wrote:
> I suppose this config did not change after upgrading from 2.1.17.
> Just tested it on 2.1.18 using arch and it still uses http on my setup.

it's not a config change -- it's a defaults change.

in the old arrangement, if you didn't specify a keyserver, you couldn't
get anything at all, so many people put some keyserver in their
configuration manually.

if you have a "keyserver" listed in your config manually, then you are
*overriding* the default.  And yes, if you list foo.example.com, it will
connect to that server in the clear (just as if you put
hkps://foo.example.com then it would connect using TLS).

Did you try this with no explicit "keyserver" directive?

> But this would be rather an issue with the distro, correct?

It may be an issue with your distro, i don't know how arch has packaged
2.1.18.

all the best,

--dkg

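A quick check for the point dkg makes above: a leftover "keyserver" line in your own
config overrides the 2.1.18 hkps default, and if that line names a bare host or an
hkp:// URL, dirmngr will talk to it in the clear. The script below is added here as an
example; it is not from this thread and not part of GnuPG. It assumes the directive is
written as "keyserver URL", one per line, in ~/.gnupg/gpg.conf or ~/.gnupg/dirmngr.conf
(GnuPG 2.1 honours it in either file), treats a bare hostname, hkp:// or ldap:// as
cleartext and hkps:// or ldaps:// as TLS, and the sample config contents it writes are
made up for the demo.

```sh
#!/bin/sh
# Added example (not from the thread or from the GnuPG project): find an
# explicit "keyserver" directive that overrides the hkps default with a
# cleartext transport.  Assumed file layout: "keyserver URL" on its own line.

# audit_keyserver_conf FILE
#   Prints every keyserver directive in FILE that is not TLS-protected.
#   Returns 0 if FILE is absent or only contains hkps://, ldaps:// (or no
#   keyserver line at all); returns 1 if at least one cleartext directive
#   was found.
audit_keyserver_conf() {
    file=$1
    found=0
    [ -r "$file" ] || return 0      # no file: nothing overrides the default
    while IFS= read -r line; do
        case $line in
            \#*|"") continue ;;     # comment or blank line
        esac
        set -- $line                # split into directive and value
        [ "$1" = "keyserver" ] || continue   # skips keyserver-options etc.
        url=$2
        case $url in
            hkps://*|ldaps://*) ;;  # TLS: leaves the hkps default intact
            *) printf '%s: cleartext keyserver: %s\n' "$file" "$url"
               found=1 ;;
        esac
    done < "$file"
    return $found
}

# Constructed sample configs for the demo (not the reporter's real files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/gpg.conf" <<'EOF'
# legacy directive from before hkps was the default; overrides it with cleartext
keyserver hkp://pool.sks-keyservers.net
keyserver-options auto-key-retrieve
EOF
cat > "$demo_dir/dirmngr.conf" <<'EOF'
keyserver hkps://hkps.pool.sks-keyservers.net
EOF
for f in "$demo_dir/gpg.conf" "$demo_dir/dirmngr.conf"; do
    if audit_keyserver_conf "$f"; then
        echo "$f: no cleartext keyserver override"
    fi
done
rm -rf "$demo_dir"
```

Run it against your real ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf; if it flags a
line, deleting it (or changing the scheme to hkps://) is what restores the behaviour
dkg describes for 2.1.18.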


Re: Unencrypted download of public keys

2017-02-04 Thread sivmu


On 04.02.2017 at 08:18, Daniel Kahn Gillmor wrote:
> On Sat 2017-02-04 01:33:56 -0500, sivmu wrote:
>> When using --recv-key or the gpa frontend, I noticed that the
>> target public keys are still downloaded using unencrypted http. While the
>> transmitted information is generally public, it does make things pretty
>> easy for an adversary to collect metadata such as your contacts.
>>
>> This is especially relevant if you refresh your keys all at once, as
>> this will leak your complete contact list to the network.
>>
>> Is there any reason gnupg does not use https by default to connect to
>> the keyservers? I think this is an unnecessary leak of privacy.
> 
> as of 2.1.18, gnupg does use https by default to connect to the
> keyserver network. :)
> 
> In particular, if you do not supply a --keyserver argument, it will use
> hkps://hkps.pool.sks-keyservers.net as the default keyserver, and should
> verify the certificates only against the pool-specific CA.
> 
>--dkg
> 

I suppose this config did not change after upgrading from 2.1.17.
Just tested it on 2.1.18 using arch and it still uses http on my setup.

But this would be rather an issue with the distro, correct?




Re: Unencrypted download of public keys

2017-02-03 Thread Daniel Kahn Gillmor
On Sat 2017-02-04 01:33:56 -0500, sivmu wrote:
> When using --recv-key or the gpa frontend, I noticed that the
> target public keys are still downloaded using unencrypted http. While the
> transmitted information is generally public, it does make things pretty
> easy for an adversary to collect metadata such as your contacts.
>
> This is especially relevant if you refresh your keys all at once, as
> this will leak your complete contact list to the network.
>
> Is there any reason gnupg does not use https by default to connect to
> the keyservers? I think this is an unnecessary leak of privacy.

as of 2.1.18, gnupg does use https by default to connect to the
keyserver network. :)

In particular, if you do not supply a --keyserver argument, it will use
hkps://hkps.pool.sks-keyservers.net as the default keyserver, and should
verify the certificates only against the pool-specific CA.

   --dkg



Unencrypted download of public keys

2017-02-03 Thread sivmu
When using --recv-key or the gpa frontend, I noticed that the
target public keys are still downloaded using unencrypted http. While the
transmitted information is generally public, it does make things pretty
easy for an adversary to collect metadata such as your contacts.

This is especially relevant if you refresh your keys all at once, as
this will leak your complete contact list to the network.

Is there any reason gnupg does not use https by default to connect to
the keyservers? I think this is an unnecessary leak of privacy.
