[Cryptography] Privacy-enhanced OpenPGP

Ángel González angel at crypto.16bits.net
Thu Sep 29 20:08:28 EDT 2016


On 2016-09-29 at 09:31 +0200, Florian Weimer wrote:
> OpenPGP for use in email was (deliberately?) designed in such a way
> that key servers obtain a pretty accurate picture of who is talking to
> whom: Ideally, before encrypting a message or checking a signature,
> you should reach out to a key server to see if a revocation has been
> uploaded since the last use of the key.
> 
> Even if you do not perform automated key updates, when you have to
> reply to an encrypted message from a new sender, you still need to
> contact the key servers because OpenPGP-encrypted messages do not
> include the public key of the sender.
> 
> (This privacy leak even made it into a Dan Brown novel, but I forgot
> which one.)
> 
> Is there software which can do something about this?  

Not perfect, but there are a few keyservers available through tor. And
there is a Tor OnionBalance hidden service at
hkp://jirk5u4osbsr34t5.onion


Plus obviously, always use hkps:// and not hkp:// to avoid everyone
else between the keyserver and you learning about the people you email
with.
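The two points in the reply above (clearnet hkp:// exposes every key lookup to the network path, hkps:// or a Tor onion service does not) can be turned into a small audit of a GnuPG keyserver configuration. This is an added example, not code from the list or from GnuPG; it assumes GnuPG 2.1-style config syntax (`keyserver URL` lines and the `use-tor` option in dirmngr.conf), and the sample config below is constructed, reusing only the .onion address named in the reply.

```python
from urllib.parse import urlsplit

def parse_config(text):
    """Collect keyserver URLs and the use-tor flag from dirmngr.conf-style text."""
    urls, use_tor = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        parts = line.split(None, 1)
        if parts[0] == "keyserver" and len(parts) == 2:
            urls.append(parts[1].strip())
        elif parts[0] == "use-tor":
            use_tor = True
    return urls, use_tor

def audit_keyserver(url, use_tor):
    """Classify one keyserver URL as 'ok', 'tor-missing', 'plaintext' or 'unknown'."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host.endswith(".onion"):
        # Tor encrypts the whole circuit, so hkp:// to an onion service is fine,
        # but only if dirmngr is actually told to route through Tor.
        return "ok" if use_tor else "tor-missing"
    if u.scheme == "hkps":
        return "ok"                                # TLS hides lookups from the path
    if u.scheme in ("hkp", "http"):
        return "plaintext"                         # every hop sees which keys you fetch
    return "unknown"

def audit_config(text):
    """Map each configured keyserver URL to its verdict."""
    urls, use_tor = parse_config(text)
    return {url: audit_keyserver(url, use_tor) for url in urls}

# Constructed sample dirmngr.conf; the .onion address is the one from the reply.
SAMPLE = """\
# dirmngr.conf
keyserver hkp://keys.example.net
keyserver hkps://keys.example.net
keyserver hkp://jirk5u4osbsr34t5.onion
"""

if __name__ == "__main__":
    for url, verdict in audit_config(SAMPLE).items():
        print(f"{verdict:12s} {url}")
```

Adding a `use-tor` line to SAMPLE turns the .onion verdict from `tor-missing` into `ok`; the clearnet hkp:// entry stays flagged regardless.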


