On Tue 2021-01-19 13:08:19 +0100, Werner Koch via Gnupg-users wrote: > On Tue, 19 Jan 2021 09:28, Neal H. Walfield said: > >> When you look up the openpgpkey.example.org domain, you are revealing >> to anyone snooping DNS traffic that you are using OpenPGP and are >> looking for a key related to example.org. That's a privacy issue. > > No, it isn't. The next thing you do is to send the mail and get a > reply.
I think it's fair to say that this is in fact a privacy issue, stemming from the fact that the act of sending an e-mail to a given recipient these days is largely invisible to the network monitor -- the user agent typically speaks on the network only to user's mail submission agent (and that only through an encrypted connection). any party monitoring the user agent only sees the rough size of the message as it passes to the MSA. Given that situation, there are at least four different forms of privacy leak (in descending order of importance) from using WKD: - the DNS lookup Neal describes above typically happens in the clear, and is visible to anyone watching your DNS traffic. (even with encrypted DNS transport like DoT or DoH, your trusted resolver sees it). Those same parties won't get to know that you're sending mail to someone in that domain otherwise. - When your client does the TLS handshake with openpgpkey.example.org for the HTTPS lookup, that leaks the domain name in the SNI field. This means that anyone observing your network traffic (even if you were using encrypted DNS transport) *also* learns that you're sending mail to someone in that domain. They would not know this otherwise. (this can be fixed with TLS Encrypted Client Hello, but that extension is still under development, must be supported by both HTTPS client and server, and far from widespread) - For many domains, the webserver operator is not the same party as the party that operates the e-mail infrastructure. Thus, when a WKD lookup is made, the webserver operator learns information that they would not have access to without running the mailservers for the domain. Note that the webserver operator also knows *exactly* which address the user has looked up, not just the domain -- while the local part is hashed, that hash can be reversed for low-entropy local parts; and in the current WKD spec the client actually reverses it directly with the l= query parameter. - Finally, even if the webserver operator has access to the same information as the mailserver, the recipient's key is often looked up via WKD *before* the message is sent, so it's possible that the user might not send the mail, or might only send the mail much later, or from a different network. This is a temporal privacy leak, similar in form to the "foo is typing…" notifications displayed by some instant messengers. Now, comparing any of these privacy leaks to the risks of sending e-mail in the clear is another story -- people might well be willing to accept the risks, or to be comfortable with them being mitigated by some of the measures i've outlined above. One could imagine a repressive regime on a crusade against leakers, asking their local ISPs to inform them whenever someone prepares to send an OpenPGP-encrypted e-mail to any e-mail address in the @dissenting-newsroom.example domain, regardless of whether the message is actually sent. Widespread use of WKD would facilitate this kind of risk to press freedom, even if the would-be leakers (and the newsroom) were careful to use mailservers outside of the national jurisdiction. WKD offers a huge boost in the usability of OpenPGP for e-mail, but we shouldn't claim that it doesn't introduce any new privacy concerns. --dkg _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users