
Default to HKPS, not HKP
Open, Normal, Public

Description

If a keyserver URI is specified with no scheme, gnupg defaults to using HKP on port 11371. Keyserver traffic is even more than other traffic something that shouldn't be plaintext, so I would welcome a change to default to HTTPS, requiring users who want to use a plaintext transport to be explicit about it.

Details

Version
2.2.13

Event Timeline

werner triaged this task as Normal priority. May 10 2019, 7:23 PM
werner edited projects, added Feature Request, dirmngr; removed Bug Report.

A possible exception here is that .onion TLDs should stick with HKP by default
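As an added illustration (not dirmngr's own code), the scheme-defaulting rule the description reports, the proposed hkps default with the .onion exception from the comment above, and a small check that flags `keyserver` entries in a gpg.conf/dirmngr.conf which would go out in plaintext under the current default. The hostnames and sample config are constructed, and the hkps default port of 443 is an assumption (HKP over TLS on the HTTPS port).

```python
# Added illustration, not dirmngr's code. Hostnames and config are constructed.
from urllib.parse import urlsplit

HKP_PORT = 11371  # plaintext HKP default port, as stated in the report
HKPS_PORT = 443   # assumption: HKPS (HKP over TLS) defaults to the HTTPS port


def resolve_keyserver(spec, secure_default):
    """Resolve a keyserver spec to scheme/host/port.

    secure_default=False mirrors the reported behaviour: a scheme-less spec
    silently becomes hkp://host:11371. secure_default=True is the requested
    behaviour: scheme-less specs get hkps://, except .onion hosts, which stay
    on hkp as the comment suggests. Explicit schemes are honoured as-is.
    """
    if "://" not in spec:
        bare_host = spec.split(":", 1)[0].lower()
        if secure_default and not bare_host.endswith(".onion"):
            spec = "hkps://" + spec
        else:
            spec = "hkp://" + spec
    parts = urlsplit(spec)
    scheme = parts.scheme.lower()
    if scheme not in ("hkp", "hkps") or not parts.hostname:
        raise ValueError("unsupported keyserver spec: %r" % spec)
    port = parts.port or (HKPS_PORT if scheme == "hkps" else HKP_PORT)
    return {"scheme": scheme, "host": parts.hostname,
            "port": port, "plaintext": scheme == "hkp"}


def plaintext_keyservers(config_text):
    """Return 'keyserver' entries in gpg.conf/dirmngr.conf text that would be
    queried in plaintext under the current default (candidates for hkps://)."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == "keyserver":
            value = fields[1].strip()
            if resolve_keyserver(value, secure_default=False)["plaintext"]:
                found.append(value)
    return found


SAMPLE_CONF = """\
# constructed sample dirmngr.conf
keyserver keys.example.org
keyserver hkps://keys2.example.org
keyserver hkp://legacy.example.org:11371
"""
```

Running `plaintext_keyservers(SAMPLE_CONF)` reports the bare hostname and the explicit `hkp://` entry; only the `hkps://` line is left alone.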

Hey there. I wanted to bring this up again, to see if we can perhaps get this changed after all:

  • gnupg still defaults to sending keyserver lookups in plaintext (!) if hkps is not explicitly given
  • keyservers are, as a matter of fact, still in active use by hundreds of thousands of people
  • we still get significant traffic on port 11371 on keys.o.o, which we redirect to https
  • 100% of that traffic is gnupg, presumably from users putting the domain without a protocol in their config, not a deliberate choice to use a plain text protocol

Thanks for considering