by Osaka
4238 days ago
It's all well and good adding support for new algorithms, and streamlining the UI. But still, access to the key servers is done over plaintext[1], which could allow an attacker to modify your request/response from the keyservers. Am I correct in believing that this is a critical issue not to address?

[1] "Support for keyserver access over TLS is currently not available but will be added with one of the next point releases." -- https://gnupg.org/faq/whats-new-in-2.1.html
Anyone can usually upload any key to the keyserver, so even if you use TLS that wouldn't make a difference from a security perspective.