Adding support for fetching GPG key using WKD protocol

Derek Martin invalid at pizzashack.org
Fri Jul 6 20:45:08 UTC 2018


On Thu, Jul 05, 2018 at 09:47:51AM +0200, Wiktor Kwapisiewicz wrote:
> > Does this mean that WKD would always be enabled?
> > If so, this potentially leaks from whom email is being received to third
> > parties, and I will patch my copy of mutt to remove it.
> 
> It is triggered only when you want to send an e-mail *to* a person
> AND explicitly enable encryption AND you don't have their key
> locally. Then it queries that person's HTTPS server.

So... This isn't really too different.  If the config option somehow
got set unintentionally, it still potentially leaks information, even
if it is on send rather than on receipt.  It's actually worse, because
it leaks whom you are actually sending messages to, rather than from
whom you're receiving them...  Received messages could be spam or
other senders you simply don't know.  Sending messages is a conscious
choice, so it reveals something material.

People frequently copy mutt configs from the internet without really
knowing what everything in them does.  It's also possible that a
developer, say someone who was experimenting with various options,
could inadvertently set the option to yes before doing a checkin, and
nobody immediately notices...

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.
