undefined | Better HN

0 pointsstrictnein8y ago0 comments

Uhmm... that's a public key. So it doesn't matter. He could put it on a billboard in Times Square.

0 comments

I believe keda's point is it's served over HTTP not HTTPS so there's no way to verify you're not being MITM'd when looking at it.

(A possible workaround is to check via multiple connections, check Google's cache, etc)

strictneinOP8y ago

I mean, sure, but if you're sending him a PGP encrypted message, and his public key was messed with, the end result would just be his inability to open the message.

I think his actual point was to try and discredit the messenger.

tlrobinson8y ago

The attacker would then be able to read your encrypted messsage (and possibly re-encrypt it with the original key before forwarding it)

Also, PGP keys may also be used to sign software or other public messages (not a typical use-case for journalists, though)

1 more reply

codedokode8y ago

HTTPS won't help against attacker that has a jurisdiction over CA and can force them to issue a certificate.

woliveirajr8y ago

It does matter. Someone could replace his public key with a fake one. Everything that would be encrypted so that only he could see it could end up in wrong hands, because somebody would trust "I'm encrypting using his public key, I can tell anything to that guy", and the bad guy would read it.

strictneinOP8y ago

I'm confused how you think transferring the PGP key through secure means would prevent that. It only (mostly) ensures the message you receive is valid.

They could far more easily gain access to his server through a variety of means and upload a different copy of his key than try and do a MITM or whatever. It's not like he's going to notice if the key changes.

What you're proposing is that an intelligence service is going to MITM you and gain access to the journalist's computer or email server to read the messages you may send him? Why? The messages are unencrypted when read on his system and when typed on yours, so there are far easier ways to get at their contents.

woliveirajr8y ago

His page (http) -> MITM -> page you get with another public key

You write him something -> he doesn't read.

You write him -> emails is intercepted -> he doesn't read it but who intercepted the email reads.

So his computer is never compromised. But his email server (some provider) is.

j / k navigate · click thread line to collapse

0 comments

tlrobinson8y ago

I believe keda's point is it's served over HTTP not HTTPS so there's no way to verify you're not being MITM'd when looking at it.

(A possible workaround is to check via multiple connections, check Google's cache, etc)

strictneinOP8y ago

I mean, sure, but if you're sending him a PGP encrypted message, and his public key was messed with, the end result would just be his inability to open the message.

I think his actual point was to try and discredit the messenger.

tlrobinson8y ago

The attacker would then be able to read your encrypted messsage (and possibly re-encrypt it with the original key before forwarding it)

Also, PGP keys may also be used to sign software or other public messages (not a typical use-case for journalists, though)

1 more reply

codedokode8y ago

HTTPS won't help against attacker that has a jurisdiction over CA and can force them to issue a certificate.

woliveirajr8y ago

strictneinOP8y ago

I'm confused how you think transferring the PGP key through secure means would prevent that. It only (mostly) ensures the message you receive is valid.

woliveirajr8y ago

His page (http) -> MITM -> page you get with another public key

You write him something -> he doesn't read.

You write him -> emails is intercepted -> he doesn't read it but who intercepted the email reads.

So his computer is never compromised. But his email server (some provider) is.

j / k navigate · click thread line to collapse