Bootstrapping OpenPGP keys from the web (updated wiki chapter)

What in case you want to totally stay anonymous or have no trust path to a OpenPGP key?

Some people just write an unencrypted mail to the recipient and ask them to send their public key. The recipient will most likely either send its public key or at least its fingerprint.

This works against passive attacks. An observer wouldn’t know what they have been talking about in the following encrypted mails. This totally fails against active attacks. A man-in-the-middle could replace the recipient’s key with its own malicious key. The sender would use the wrong key, the man-in-the-middle would decrypt the message, read it, and re-encrypt it with the legit key and forward it to the recipient. Neither sender nor recipient would ever find out that their messages are being read by an adversary. – This is the whole reason, why the trust model path and key signing is recommended in the first place.

Read more:

https://www.whonix.org/wiki/OpenPGP#Bootstrapping_OpenPGP_keys_from_the_web

About these ads

Leave a Comment....

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.