Page MenuHome GnuPG
Create Task
Maniphest T4493

Default to HKPS, not HKP
Open, NormalPublic
Actions

Description

If a keyserver URI is specified with no scheme, gnupg defaults to using HKP on port 11371. keyserver traffic is even more than other traffic something that shouldn't be plaintext, so I would welcome a change to default to HTTPS, requiring users who want to use a plaintext transport to be explicit about it.

Details

Version
2.2.13

Related Objects

Event Timeline

Valodim created this task.May 10 2019, 2:13 PM
werner triaged this task as Normal priority.May 10 2019, 7:23 PM
werner edited projects, added Feature Request, dirmngr; removed Bug Report.
dkg added a subscriber: dkg.May 13 2019, 11:12 PM

see also T4467

wiktor-k added a subscriber: wiktor-k.May 14 2019, 6:15 PM
Valodim added a comment.Jun 21 2019, 11:16 AM

A possible exception here is that .onion TLDs should stick with HKP by default

tianon added a subscriber: tianon.Jul 3 2019, 3:59 PM
steve added a subscriber: steve.Jul 3 2019, 4:52 PM
thesamesam added a subscriber: thesamesam.Sep 1 2023, 5:30 AM
Valodim added a comment.Mar 26 2025, 6:04 PM

Hey there. I wanted to bring this up again, to see if we can perhaps get this changed after all:

  • gnupg still defaults to sending keyserver lookups in plaintext (!) if hkps is not explicitly given
  • keyservers are, as a matter of fact, still in active use by hundreds of thousands of people
  • we still get significant traffic on port 11371 on keys.o.o, which we redirect to https
  • 100% of that traffic is gnupg, presumably from users putting the domain without a protocol in their config, not a deliberate choice to use a plain text protocol

Thanks for considering