Hacker News new | ask | show | jobs
by strictnein 3179 days ago
Uhmm... that's a public key. So it doesn't matter. He could put it on a billboard in Times Square.
2 comments
tlrobinson 3179 days ago
I believe keda's point is it's served over HTTP not HTTPS so there's no way to verify you're not being MITM'd when looking at it.

(A possible workaround is to check via multiple connections, check Google's cache, etc)

link
strictnein 3179 days ago
I mean, sure, but if you're sending him a PGP encrypted message, and his public key was messed with, the end result would just be his inability to open the message.

I think his actual point was to try and discredit the messenger.

link
tlrobinson 3179 days ago
The attacker would then be able to read your encrypted messsage (and possibly re-encrypt it with the original key before forwarding it)

Also, PGP keys may also be used to sign software or other public messages (not a typical use-case for journalists, though)

link
strictnein 3179 days ago
You're kind of out in the weeds now.

Also, you don't sign software or whatever with a public key, so I'm not 100% sure you understand how this works.

link
codedokode 3179 days ago
HTTPS won't help against attacker that has a jurisdiction over CA and can force them to issue a certificate.
link
woliveirajr 3179 days ago
It does matter. Someone could replace his public key with a fake one. Everything that would be encrypted so that only he could see it could end up in wrong hands, because somebody would trust "I'm encrypting using his public key, I can tell anything to that guy", and the bad guy would read it.
link
strictnein 3179 days ago
I'm confused how you think transferring the PGP key through secure means would prevent that. It only (mostly) ensures the message you receive is valid.

They could far more easily gain access to his server through a variety of means and upload a different copy of his key than try and do a MITM or whatever. It's not like he's going to notice if the key changes.

What you're proposing is that an intelligence service is going to MITM you and gain access to the journalist's computer or email server to read the messages you may send him? Why? The messages are unencrypted when read on his system and when typed on yours, so there are far easier ways to get at their contents.

link
woliveirajr 3179 days ago
His page (http) -> MITM -> page you get with another public key

You write him something -> he doesn't read.

You write him -> emails is intercepted -> he doesn't read it but who intercepted the email reads.

So his computer is never compromised. But his email server (some provider) is.

link