[pkg-gnupg-maint] Bug#802100: gnupg should fetch keys using hkps by default
Guillem Jover
guillem at debian.org
Fri Jul 12 11:43:34 BST 2019
Hi!
On Sat, 2015-10-17 at 15:31:22 +0100, Antoine Amarilli wrote:
> Package: gnupg
> Version: 1.4.19-5
> Severity: wishlist
> By default, gpg requests keys using HKP server <keys.gnupg.net>. This allows a
> passive attacker to obtain information about the keys requested by the user,
> which may be harmful in terms of privacy.
>
> I think that gpg should be using an HKPS server by default. See e.g.,
> <https://help.riseup.net/en/security/message-security/openpgp/best-practices#use-the-sks-keyserver-pool-instead-of-one-specific-server-with-secure-connections>
>
> See also a similar bug for dirmngr:
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784286>.
It looks like this is fixed now, but not sure when it was first fixed,
will leave it up to the maintainers.
Thanks,
Guillem
More information about the pkg-gnupg-maint
mailing list