TB weirdness
Robert J. Hansen
rjh at sixdemonbag.org
Thu Feb 17 17:35:53 CET 2022

Yes, I know, Thunderbird doesn't use GnuPG. However, for those who do:
apparently, Thunderbird is a big fan of attaching public certificates
(and/or revocation certificates, for revoked keys) to outgoing emails
for *every private certificate on your keyring*, regardless of whether
that private key is actually associated with the account in question.

This has the potential to leak personal information, especially if
you're in a use case where you have two or more keys presenting
different pseudonymous identities. Without knowing it, you might
accidentally reveal you're the common actor behind both.

I apologize for bringing the non-GnuPG content to the list, but please
make sure your correspondents are aware of the possible risk in how
Thunderbird likes to attach public certificates. That's all. Thank you!
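
An added example, not part of the original post: a Python check a sender can run over a saved outgoing message to count the public keys attached to it and flag more than the one expected for the sending account. It assumes the keys travel as MIME parts of type application/pgp-keys or as ASCII-armored .asc attachments; the function names and the sample message are constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"


def attached_key_parts(raw_message: bytes):
    """Return [(filename, armored_block_count)] for every attached key part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        if ctype != "application/pgp-keys" and not name.lower().endswith(".asc"):
            continue
        payload = part.get_payload(decode=True) or b""
        blocks = payload.decode("ascii", errors="replace").count(ARMOR_BEGIN)
        # A detached signature (signature.asc) has no key block and is skipped.
        if ctype == "application/pgp-keys" or blocks:
            found.append((name, blocks))
    return found


def leaks_extra_keys(raw_message: bytes, expected: int = 1) -> bool:
    """True when more keys are attached than the sending identity should expose."""
    # A binary (unarmored) pgp-keys part still counts as at least one key.
    total = sum(max(blocks, 1) for _, blocks in attached_key_parts(raw_message))
    return total > expected


def build_sample(n_keys: int) -> bytes:
    """Constructed outgoing message with n_keys placeholder key attachments."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["To"] = "bob@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("hello")
    for i in range(n_keys):
        armor = f"{ARMOR_BEGIN}\n\nCONSTRUCTED{i}\n-----END PGP PUBLIC KEY BLOCK-----\n"
        m.add_attachment(armor.encode(), maintype="application",
                         subtype="pgp-keys", filename=f"key{i}.asc")
    return m.as_bytes()


if __name__ == "__main__":
    print(attached_key_parts(build_sample(2)), leaks_extra_keys(build_sample(2)))
```

To audit real mail, read each saved message as bytes and pass it to leaks_extra_keys.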