Hey Leo, mail me your private key

Hi @Leo, I know you are a PGP user for email signing and encryption, so this is probably of interest to you:

Several email clients were found to be vulnerable to sending the GPG or S/MIME private keys by the user clicking on a mailto: link on a website!


I never knew you could include an attachment in a “mailto” link. That’s pretty neat.

1 Like

I can’t think of a situation where this would be useful on a web site except as an attack… you’re unlikely to know the path of average user files on a system since people aren’t robots… thus it would only work for “static” files, like logs and config files… the kind of files likely to have security implications.

1 Like

Exactly that use case, a scenario where you need a user to send logs in order to provide technical support.

A reasonable application is built by people who know they will need to support it, and have built in a means. My router has this option build in, it has a feedback page where it will extract and zip the log files and other pertinent information and send it appropriately, attaching a prompted support ID if needed.

If someone is adhockingly (my new made up word of the day) assuming the install location (remember some people install files to non-standard locations) and assuming the location of log files, the company producing the software needs a lot more support than the user will ever succeed in requesting. (IMHO)

It’s why I don’t keep my secret key in an available directory. It’s also why I secure it with a strong password. Every worthwhile GnuPG how-to mentions these measures. Many say not to put your secret key on any device. Keep it in a safe. Or Yubikey.


having done a tour of end-user support for a few years, there’s nothing reasonable about the applications they use or the way they work.