I was recently introduced to a privacy issue when refreshing your
OpenPGP keys using GnuPG. When refreshing your public key ring using a
public key server GnuPG will generally use the OpenPGP HTTP Key Protocol
(HKP) to synchronize keys. The problem is that when you refresh your
keys using HKP, the list of everyone you maintain in your public key
ring is sent across the Internet unencrypted. Anyone monitoring your
network traffic can therefore obtain a complete list of the contacts with
whom you may hope to use OpenPGP.
The fix is quite simple: in your gpg.conf file make sure that your
keyserver entries use hkps:// instead of hkp://. This forces GnuPG to
wrap HKP in SSL, keeping the key exchange private.
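As an added example (not code from the original post), a small POSIX shell script that audits a gpg.conf for keyserver entries still using plaintext hkp:// and writes a copy with those entries switched to hkps://. It assumes the keyserver line lives in gpg.conf as described above (newer GnuPG releases also read it from dirmngr.conf), and the sample config it creates is constructed for the demo.

```shell
#!/bin/sh
# Added example: find plaintext hkp:// keyserver lines in a gpg.conf and
# produce a hardened copy using hkps://. Comment lines are left untouched.

# Print every active "keyserver hkp://..." line in the config file $1.
# Exit status is grep's: 0 if any plaintext entry was found, 1 otherwise.
find_plain_hkp() {
  grep -E '^[[:space:]]*keyserver[[:space:]]+hkp://' "$1"
}

# Copy config $1 to $2, rewriting hkp:// to hkps:// on keyserver lines only.
harden_keyservers() {
  sed -E 's#^([[:space:]]*keyserver[[:space:]]+)hkp://#\1hkps://#' "$1" > "$2"
}

# Stand-alone demo on a constructed sample gpg.conf (not a real config).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/gpg.conf" <<'EOF'
# constructed sample gpg.conf
keyserver hkp://keys.example.org
keyserver hkps://keys.example.org
keyserver-options auto-key-retrieve
EOF
  echo "Plaintext keyserver entries found:"
  find_plain_hkp "$tmp/gpg.conf"
  harden_keyservers "$tmp/gpg.conf" "$tmp/gpg.conf.hardened"
  echo "Hardened config:"
  cat "$tmp/gpg.conf.hardened"
  rm -rf "$tmp"
}

demo
```

Review the hardened copy before replacing your real gpg.conf, since the keyserver must actually offer HKPS with a certificate GnuPG will trust.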
Happy encrypting!