On Sat 2017-02-04 01:33:56 -0500, sivmu wrote:
> When using --recv-key <id> or the gpa frontend, I noticed that the
> target public keys are still downloaded using unencrypted http. While the
> transmitted information is generally public, it does make things pretty
> easy for an adversary to collect metadata such as your contacts.
>
> This is especially relevant if you refresh your keys all at once, as
> this will leak your complete contact list to the network.
>
> Is there any reason gnupg does not use https by default to connect to
> the keyservers? I think this is an unnecessary leak of privacy.
As of 2.1.18, gnupg does use https by default to connect to the keyserver network. :) In particular, if you do not supply a --keyserver argument, it will use hkps://hkps.pool.sks-keyservers.net as the default keyserver, and should verify the certificates only against the pool-specific CA.

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
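A practical follow-up to the exchange above: the default is hkps, but a leftover `keyserver hkp://...` line in an old dirmngr.conf or gpg.conf still wins, so the thing to check is what dirmngr actually reports. The script below is an added example, not code from the thread or from GnuPG. It feeds the output of dirmngr's KEYSERVER command (`gpg-connect-agent --dirmngr 'KEYSERVER' /bye`) to a small audit function and flags any plaintext entry; the output format it assumes (one "S KEYSERVER <url>" status line per server, then "OK") and the sample lines are constructed so it runs offline, and the CA file path in the comment is an assumed, distribution-dependent location.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG itself). Audits the
# keyserver list dirmngr will use for --recv-keys / --refresh-keys and
# flags any entry whose lookups would travel in clear over hkp:// or http://.
# Live input comes from dirmngr's KEYSERVER Assuan command:
#     gpg-connect-agent --dirmngr 'KEYSERVER' /bye
# Assumed output format: one "S KEYSERVER <url>" status line per configured
# server, then "OK". SAMPLE_OUTPUT below is constructed to that shape so the
# script runs offline; substitute the live command output to audit a real box.
#
# Weak dirmngr.conf (leaks the key IDs you fetch, and on --refresh-keys your
# whole contact list, to anyone on the path):
#     keyserver hkp://pool.sks-keyservers.net
# Hardened, matching the 2.1.18 default described above:
#     keyserver hkps://hkps.pool.sks-keyservers.net
#     hkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem   # assumed path, varies by distro

SAMPLE_OUTPUT='S KEYSERVER hkp://pool.sks-keyservers.net
S KEYSERVER hkps://hkps.pool.sks-keyservers.net
OK'

# audit_keyservers <dirmngr KEYSERVER output>
#   returns 0 if every reported keyserver uses an encrypted transport,
#           1 if at least one uses plaintext hkp:// or http://,
#           2 if no keyserver line was found in the input.
audit_keyservers() {
    bad=0
    found=0
    for url in $(printf '%s\n' "$1" | awk '$1 == "S" && $2 == "KEYSERVER" { print $3 }'); do
        found=1
        case "$url" in
            hkps://*|https://*)
                printf 'ok    %s\n' "$url" ;;
            *)
                printf 'LEAK  %s  (plaintext transport)\n' "$url"
                bad=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo 'no keyserver reported' >&2
        return 2
    fi
    return "$bad"
}

# Run against the constructed sample; the hkp:// entry makes this return 1.
audit_keyservers "$SAMPLE_OUTPUT" \
    || echo 'at least one configured keyserver leaks lookups in the clear' >&2
```

To audit a live installation, replace the sample with `audit_keyservers "$(gpg-connect-agent --dirmngr 'KEYSERVER' /bye)"`. Note that the transport check only covers the connection; whether the hkps certificate is pinned to the pool CA depends on hkp-cacert pointing at the right file, which this script does not inspect.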