0

I am going to put a link to my GPG key in the signature of my e-mails.

This would be both a hyperlink in the form of

https://keyserver.ubuntu.com/pks/lookup?op=get&search=XXXXXX

and the command to download the key:

gpg --recv-keys XXX

How does the recipient of the e-mail make sure he can obtain the right key (by that hyperlink or the command) and be safe from DNS spoofing attacks?

That is, someone changes the IP address of keyserver.ubuntu.com and point to its own server with its own key?

robertspierre
  • 495
  • 2
  • 11
  • @SteffenUllrich just suppose the website is HTTP and not HTTPS. Does it make sense to share the hash of the key with the email? – robertspierre Dec 07 '21 at 16:16
  • *" Does it make sense"* - yes. Is it 100% secure - no. Is it sufficiently secure - it depends. Not only DNS spoofing can be done on the sender but maybe also manipulating the mail which contains the link. Providing information the other should trust requires some kind of secure and trusted transport - and neither HTTP nor mail provides this. It might still be secure enough if one can assume that there is no targeted attack involved, i.e. in many cases it would just be way more effort than gain for some attacker to do this. – Steffen Ullrich Dec 07 '21 at 16:28

0 Answers0