
WKS redirects follows to http
Closed, Resolved (Public)


If I create a 302 redirect for a WKD link, gnupg (2.2.1; libgcrypt 1.7.9) will follow this redirect even if that redirect is not TLS encrypted. This makes it easy for a MITM to modify the answer. Please only follow links that are also TLS encrypted:

% wget
--2017-10-06 12:48:17--
Resolving (, 2a00:1828:2000:12::3
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2017-10-06 12:48:17--
Resolving (, 2a00:1828:2000:12::4
Connecting to (||:80... connected.
HTTP request sent, awaiting response... 200 OK

and WKD is successful:

% gpg -v --auto-key-locate=clear,wkd,nodefault --locate-key
gpg: using pgp trust model
gpg: pub  rsa4096/0x1DD87C3E0CC981B1 2017-10-06  Netzguerilla - Key Submission <>
gpg: key 0x1DD87C3E0CC981B1: public key "Netzguerilla - Key Submission <>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: auto-key-locate found fingerprint 00EC901DDAEF596AF56C48BE1DD87C3E0CC981B1
gpg: automatically retrieved '' via WKD
pub   rsa4096/0x1DD87C3E0CC981B1 2017-10-06 [SC] [expires: 2018-10-06]
uid                   [ unknown] Netzguerilla - Key Submission <>
sub   rsa4096/0xEA26FA2FB4BE6819 2017-10-06 [E] [expires: 2018-10-06]

(In the meantime I updated the redirect to a TLS-encrypted one, but I can create a test setup if you need one.)

Event Timeline

werner triaged this task as High priority. Oct 9 2017, 11:46 AM
werner added a project: gnupg (gpg22).
werner added a subscriber: werner.

That is a server error - the redirect is under the server's control and if the server advises to connect via http we should do that. Well, unless our policy is to not allow such a redirect - such a policy makes a lot of sense of course.

werner claimed this task.
werner added a subscriber: gouttegd.

@gouttegd provided a patch to implement that policy. I set up a server to check this:

gpg -v --fetch-key

should get you

gpg: requesting key from ''
gpg: WARNING: unable to fetch URI Forbidden

However, when requesting with http you will get it:

gpg: requesting key from ''
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

(that is because we have no keys at that address.)
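The redirect policy discussed in this task, written out as an added example that is not GnuPG's code: a client-side check that refuses to follow a redirect which downgrades a WKD lookup from https to plain http, while still allowing https-to-https redirects and lookups that started over http. The response table and the URLs in it are constructed stand-ins for a real HTTP client and server.

```python
"""Redirect policy for WKD fetches: never follow https -> http.

Added example, not GnuPG code. `CONSTRUCTED_RESPONSES` stands in for a
real HTTP client; each entry maps a URL to (status, Location, body).
"""
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5

# Constructed responses (hypothetical hosts and key hash "abc").
CONSTRUCTED_RESPONSES = {
    # https lookup redirected to plain http: must be refused.
    "https://example.org/.well-known/openpgpkey/hu/abc":
        (302, "http://wkd.example.org/hu/abc", b""),
    "http://wkd.example.org/hu/abc":
        (200, None, b"-----BEGIN PGP PUBLIC KEY BLOCK-----"),
    # https lookup redirected to another https host: fine.
    "https://example.net/.well-known/openpgpkey/hu/abc":
        (302, "/hu/abc", b""),                   # relative Location
    "https://example.net/hu/abc":
        (200, None, b"-----BEGIN PGP PUBLIC KEY BLOCK-----"),
    # lookup that already started over http: nothing to downgrade.
    "http://example.com/.well-known/openpgpkey/hu/abc":
        (302, "http://wkd.example.com/hu/abc", b""),
    "http://wkd.example.com/hu/abc": (200, None, b""),
}


def redirect_allowed(current, location):
    """True only if following `location` keeps the TLS guarantee we had."""
    target = urljoin(current, location)          # resolve relative Location
    cur, nxt = urlparse(current), urlparse(target)
    if cur.scheme == "https" and nxt.scheme != "https":
        return False                             # TLS downgrade: refuse
    return nxt.scheme in ("http", "https") and bool(nxt.netloc)


def fetch_wkd(url, responses=CONSTRUCTED_RESPONSES):
    """Follow redirects under the policy; return (status, final_url, body)."""
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = responses[url]
        if status in (301, 302, 303, 307, 308) and location:
            if not redirect_allowed(url, location):
                raise PermissionError(
                    f"refusing redirect {url} -> {location}: TLS downgrade")
            url = urljoin(url, location)
            continue
        return status, url, body
    raise RuntimeError("too many redirects")
```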