When using --recv-key <id> or the gpa frontend, I noticed that the target public keys are still downloaded using unencrypted http. While the transmitted information is generally public, it does make things pretty easy for an adversary to collect metadata such as your contacts.
This is especially relevant if you refresh your keys all at once, as this will leak your complete contact list to the network. Is there any reason gnupg does not use https by default to connect to the keyservers? I think this is an unnecessary leak of privacy.
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
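As an added example (not part of the original post or of GnuPG itself), the following POSIX shell functions audit a keyserver configuration file for the cleartext transport the post describes and produce a hardened copy that uses hkps:// or https:// instead. Depending on the GnuPG version the `keyserver` line lives in `gpg.conf` or in `dirmngr.conf`; pass whichever applies. The sample config, the host `keys.example.org` and the function names are constructed for this example. Note that hkps:// only works with a GnuPG build that has TLS support.

```shell
#!/bin/sh
# Added example: audit and harden the keyserver transport in a GnuPG config.
# Not from the original post; file contents and host names are constructed.

# audit_keyserver_scheme FILE
# Returns 0 when every active "keyserver" line uses hkps:// or https://,
# returns 1 and prints the offending lines otherwise.  Comment lines and
# unrelated options such as "keyserver-options" are ignored.
audit_keyserver_scheme() {
    cfg="$1"
    bad=$(grep -E '^[[:space:]]*keyserver[[:space:]]+' "$cfg" 2>/dev/null \
          | grep -Ev '^[[:space:]]*keyserver[[:space:]]+(hkps|https)://' || true)
    if [ -n "$bad" ]; then
        printf 'WARN: cleartext keyserver transport in %s:\n%s\n' "$cfg" "$bad"
        return 1
    fi
    return 0
}

# harden_keyserver_scheme FILE
# Prints a copy of FILE on stdout in which hkp:// becomes hkps:// and
# http:// becomes https:// on "keyserver" lines only; nothing else changes.
harden_keyserver_scheme() {
    sed -E \
        -e 's#^([[:space:]]*keyserver[[:space:]]+)hkp://#\1hkps://#' \
        -e 's#^([[:space:]]*keyserver[[:space:]]+)http://#\1https://#' \
        "$1"
}

# make_sample_conf
# Writes a constructed config fragment with the weak setting to a temp file
# and prints its path.  keys.example.org is a placeholder host.
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed gpg.conf / dirmngr.conf fragment (not a real user's config)
keyserver hkp://keys.example.org
keyserver-options no-honor-keyserver-url
EOF
    echo "$f"
}

# Stand-alone run: show the warning, then the hardened copy.
if [ "${0##*/}" != "sh" ] && [ -z "$GNUPG_AUDIT_NO_DEMO" ]; then
    sample=$(make_sample_conf)
    audit_keyserver_scheme "$sample" || true
    echo '--- hardened copy ---'
    harden_keyserver_scheme "$sample"
    rm -f "$sample"
fi
```

Running the script prints a WARN line for the hkp:// entry followed by the same fragment with `keyserver hkps://keys.example.org`. The audit deliberately matches only lines that start with `keyserver` followed by whitespace, so `keyserver-options` lines are never flagged or rewritten.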