Stay away from DNS over HTTPS

In a blog post on ungleich.ch you can read why you should stay away from DoH (DNS over HTTPS), now being rolled out by both Google in its Chrome browser and Mozilla in its Firefox browser.

DoH means that Firefox will concentrate all DNS traffic on Cloudflare, and they send traffic from all their users to one entity. So what does that mean? It means people outside the US can now be fully tracked by the US government: now some of you might wonder if this is actually in line with GDPR (The EU General Data Protection Regulation). It is indeed very questionable if DoH is rolled out as default, since users do NOT opt in, but have to opt out.

Quote from the blog post on ungleich

The author asks if DoH is bad only for EU citizens.

No, it’s bad for the US citizens too. Because whether you trust Cloudflare or not, you’ll end up directly supporting centralisation by using DoH in Firefox. Centralisation makes us depend on one big player, which results in fewer choices and less innovation. Centralisation affects everybody by creating a dangerous power and resource imbalance between the center and the rest.

Have you deactivated DoH in your Firefox browser yet?


More about keys.openpgp.org

After a fairly busy week the number of verified e-mail addresses on keys.openpgp.org has doubled, from approx. 2000 addresses to roughly 4000.

Have you uploaded your key to keys.openpgp.org and verified your e-mail address? Have you abandoned the vulnerable servers like sks-keyservers.net? If not, we recommend that you do so now!


SKS Keyserver Network Under Attack

On June 12th 2019 we wrote a blog post about a new GnuPG server being launched (keys.openpgp.org).

Yesterday Robert J Hansen published a text about vulnerabilities in the widely used SKS keyserver network. As far as we understand, the new key server at keys.openpgp.org will solve many of the vulnerabilities found in the SKS keyservers.

We guess we will publish more posts on this subject in the coming days! Until then it is up to each and every one of you to read the text by Robert and to take action accordingly! If you are not subscribed to the gnupg-users@gnupg.org e-mail list, we strongly recommend that you subscribe now to get updates on the subject!


Tor Browser 8.5.2


  • All platforms
    • Pick up fix for Mozilla’s bug 1544386
    • Update NoScript to 10.6.3
      • Bug 29904: NoScript blocks MP4 on higher security levels
      • Bug 30624+29043+29647: Prevent XSS protection from freezing the browser


For a long time the SKS Keyserver pool has been a de facto standard for publishing OpenPGP-compatible public keys. Kristian Fiskerstrand (@krifisk on Twitter) has been running the pool for more than ten years, but over the years the distributed network of keyservers has been struggling with abuse, performance and privacy issues, and more recently also with GDPR compliance questions.

Is it time to make a change when it comes to the way you publish your public key(s)? If so, is keys.openpgp.org the solution?

The keys.openpgp.org keyserver splits up identity and non-identity information in keys. The gist is that non-identity information (keys, revocations, and so on) is freely distributed, while identity information is only distributed with consent that can also be revoked at any time.

If a new key is verified for some e-mail address, it will replace the previous one. This way, every e-mail address is only associated with a single key at most. It can also be removed from the listing at any time by the owner of the address. This is very useful for key discovery. If a search by e-mail address returns a key, it means this is the single key that is currently valid for the searched e-mail address.
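The publication rules described above, as an added example that is not the keyserver's own code or API: a toy in-memory model in which identities are listed only after verification, a newly verified key replaces the previous one for an address, and the owner can withdraw the listing. The class, method names, fingerprints and addresses are all constructed for illustration.

```python
# Toy model of the publication rules described above (constructed example,
# not the real keyserver implementation or its API).

class ToyKeyserver:
    def __init__(self):
        self.keys = {}       # fingerprint -> e-mail addresses claimed inside the key
        self.by_email = {}   # verified e-mail -> fingerprint (at most one per address)

    def upload(self, fingerprint, claimed_emails):
        """Uploading publishes only the non-identity part; nothing is verified yet."""
        self.keys[fingerprint] = set(claimed_emails)

    def verify(self, email, fingerprint):
        """The owner of `email` has confirmed that this key may be listed for it."""
        if email not in self.keys.get(fingerprint, ()):
            raise ValueError("key does not claim this address")
        self.by_email[email] = fingerprint   # replaces any previously verified key

    def withdraw(self, email):
        """The address owner revokes consent; the address is no longer listed."""
        self.by_email.pop(email, None)

    def published_identities(self, fingerprint):
        """Identities distributed with a key: only those currently verified for it."""
        return sorted(e for e, fp in self.by_email.items() if fp == fingerprint)

    def lookup_by_email(self, email):
        fp = self.by_email.get(email)
        return None if fp is None else (fp, self.published_identities(fp))

    def lookup_by_fingerprint(self, fingerprint):
        if fingerprint not in self.keys:
            return None
        return (fingerprint, self.published_identities(fingerprint))


def demo():
    ks = ToyKeyserver()
    ks.upload("AAAA1111", ["alice@example.org", "alice@work.example"])
    ks.upload("BBBB2222", ["alice@example.org"])
    out = {"unverified": ks.lookup_by_email("alice@example.org")}
    ks.verify("alice@example.org", "AAAA1111")
    out["first"] = ks.lookup_by_email("alice@example.org")
    ks.verify("alice@example.org", "BBBB2222")   # new verified key replaces the old one
    out["replaced"] = ks.lookup_by_email("alice@example.org")
    out["old_key"] = ks.lookup_by_fingerprint("AAAA1111")
    ks.withdraw("alice@example.org")
    out["withdrawn"] = ks.lookup_by_email("alice@example.org")
    out["still_by_fp"] = ks.lookup_by_fingerprint("BBBB2222")
    return out
```

In this model the replaced key and the withdrawn key both stay retrievable by fingerprint, but without any e-mail address attached.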

The keys.openpgp.org keyserver will receive first-party support in upcoming releases of Enigmail for Thunderbird as well as OpenKeychain on Android.

Find more info at keys.openpgp.org!


Tor Browser 8.5.1

Tor Browser version 8.5.1 has been released. For the most up-to-date information about this release, visit blog.torproject.org/new-release-tor-browser-851.


  • All platforms
    • Update Torbutton to 2.1.10
      • Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup
      • Bug 30464: Add WebGL to safer descriptions
      • Translations update
    • Update NoScript to 10.6.2
      • Bug 29969: Remove workaround for Mozilla’s bug 1532530
    • Update HTTPS Everywhere to 2019.5.13
    • Bug 30541: Disable WebGL readPixel() for web content
  • Windows + OS X + Linux
    • Bug 30560: Better match actual toolbar in onboarding toolbar graphic
  • Android
    • Bug 30635: Sync mobile default bridges list with desktop one
  • Build System
    • All platforms
      • Bug 30480: Check that signed tag contains expected tag name

Ubuntu Security Podcast

The Ubuntu Security Podcast is a weekly podcast covering all the latest news and developments from the Ubuntu Security team. Each week the team discusses the various security updates that have been published across the Ubuntu releases, describing the technical details of both the security vulnerabilities and the fixes involved. Due to the expansive nature of the software packages provided by Ubuntu, each episode usually covers a diverse range of security issues, from buffer overflows, use-after-frees and cache side-channel attacks to cross-site scripting and cross-site request forgery.
