2023-06-02 Gemini and curl

My wife is working on a report or something, and I’m reading about Gemini.

There’s a pull request to add Gemini support to curl.

New Protocol: Gemini – #11170

Today I saw that Daniel Stenberg, the author of curl, wrote a blog post commenting on the protocol.

This renewed interest made me take a fresh tour through the current Gemini protocol spec and I decided to write down some observations for you. – The Gemini protocol seen by this HTTP client person

Based on my own experience writing various Gemini clients and servers, I think Stenberg makes some good points regarding the implementation of Gemini programs.

What do UTF-8 and URLs actually mean? Internationalized Resource Identifiers (IRI), punycode (but for hostnames only), and so on. It’s tricky to get right and easy to just treat the URLs as ASCII with punycode and percent encoding. If you’re in an ISO Latin-1 locale and pasting an IRI on the command line, the tool needs to decode the bytes from the locale and encode them as UTF-8, for example. You don’t find that in the spec. I think it’s implied. Back when the mailing list still existed, such questions would cause long discussions that I found tiring. So here we are.

Since I trust that Firefox knows how to handle international domain names, I started by pointing it at “https://mélanobombus:1965/” – and it worked. 😁 Using my super simple command line client did not work. When I asked it to connect to “gemini://mélanobombus/” it broke with an ugly error message. When I asked Elpher to connect to the same address, it didn’t work either: timeout. Lagrange also reported a network failure. – 2020-12-10 International domain names and Phoebe

In practice, I didn’t mind the size limitation for URLs. I also didn’t use character sets that need four bytes per character. And what if each of these bytes is then percent encoded or punycoded? How many characters are left, then? Such things should be spelled out.
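
Here is what those implicit steps look like in code, as an added example (it is not curl’s code and not from any of the clients mentioned above): the bytes from the locale are decoded to text, each hostname label goes through IDNA to punycode, everything after the host is encoded as UTF-8 and then percent-encoded, and the result is measured against the 1024-byte request limit from the Gemini spec, in bytes rather than characters. The Latin-1 sample bytes are constructed; the host name is the one from the 2020 post. Standard library only.

```python
import urllib.parse

# Request-URL limit from the Gemini spec: bytes on the wire, not characters.
GEMINI_MAX_URL_BYTES = 1024

# RFC 3986 characters left unescaped in the path and query. "%" is kept so
# that input that was already percent-encoded is not encoded a second time.
_SAFE_PATH = "/-._~!$&'()*+,;=:@%"
_SAFE_QUERY = "/?-._~!$&'()*+,;=:@%"


def iri_to_uri(raw, locale_encoding="utf-8"):
    """Return the ASCII form of a Gemini IRI.

    `raw` is a str, or the bytes read from argv/stdin under `locale_encoding`
    ("latin-1" for an ISO Latin-1 locale). Raises ValueError for userinfo,
    an over-long DNS label, or a result over the 1024-byte limit.
    """
    if isinstance(raw, bytes):
        raw = raw.decode(locale_encoding)          # locale bytes -> text
    parts = urllib.parse.urlsplit(raw)
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed in Gemini URLs")
    host = parts.hostname                           # already lower-cased
    if not host:
        raise ValueError("missing host")

    if ":" in host:                                 # IPv6 literal: no IDNA
        ascii_host = "[" + host + "]"
    else:
        try:
            # IDNA: each label becomes punycode ("xn--..."); the codec also
            # enforces the 63-byte label limit *after* encoding.
            ascii_host = host.encode("idna").decode("ascii")
        except UnicodeError as exc:
            raise ValueError("bad hostname %r: %s" % (host, exc)) from None
    netloc = ascii_host if parts.port is None else "%s:%d" % (ascii_host, parts.port)

    # Path and query: text -> UTF-8 bytes -> %XX for everything not safe.
    path = urllib.parse.quote(parts.path, safe=_SAFE_PATH)
    query = urllib.parse.quote(parts.query, safe=_SAFE_QUERY)
    # The fragment is client-side only and is never sent to the server.
    uri = urllib.parse.urlunsplit((parts.scheme.lower(), netloc, path, query, ""))

    size = len(uri.encode("ascii"))
    if size > GEMINI_MAX_URL_BYTES:
        raise ValueError("URL is %d bytes; the limit is %d" % (size, GEMINI_MAX_URL_BYTES))
    return uri


def request_line(raw, locale_encoding="utf-8"):
    """The bytes a client writes after the TLS handshake: <URL> CR LF."""
    return iri_to_uri(raw, locale_encoding).encode("ascii") + b"\r\n"


if __name__ == "__main__":
    print(iri_to_uri("gemini://mélanobombus/"))
    # The same name pasted in an ISO Latin-1 terminal arrives as these bytes
    # (constructed sample input):
    print(iri_to_uri(b"gemini://m\xe9lanobombus/\xfcber?q=\xe4", "latin-1"))
    print(iri_to_uri("gemini://bücher.example:1966/"))
```

Two things fall out of this that the spec does not spell out: a label that is 63 bytes or shorter as text can still be rejected after punycode, and a path of a few hundred non-ASCII characters blows through 1024 bytes once every byte has become three.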

Trust on First Use (TOFU) for certificates is a fine idea, I think, because I don’t see many man-in-the-middle attacks in real life. The only ones I see on a regular basis are corporate networks spying on their users, and I hate those. What annoys me is this: I think TOFU means we don’t have to check whether host names match the certificate, since we’re trusting the certificate as-is. But no, most implementations end up doing both. Another small complication that isn’t mentioned in the spec.

That is, a Gemini client visits a Gemini server for the first time, and if it doesn’t know the certificate, it silently stores a fingerprint of said certificate. The next time the Gemini client visits the same Gemini server, the client verifies that the fingerprint still matches. If it does, then nobody has been meddling with the encryption. If it has changed, a warning is usually shown to the user. – 2020-07-20 Does a Gemini certificate need a Common Name matching the domain?
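
The store behind that description, as an added example rather than code from any of the clients mentioned on this page: fingerprints keyed by host and port, three outcomes on every connection, and a mismatch that never silently overwrites the pin. The gemini_fetch function shows where the check sits, after the handshake and before the request line goes out. The two “certificates” in the test are constructed byte strings, which is all the hashing needs. Python’s ssl module ties check_hostname to CA verification, so a client that wants a name check on top of TOFU has to do it on the DER itself; this example deliberately does not.

```python
import hashlib
import json
import socket
import ssl
import urllib.parse


class CertificateChanged(Exception):
    """The server presented a certificate that differs from the one pinned on
    first use. The caller (usually: the user) decides what happens next."""


class TofuStore:
    def __init__(self, path=None):
        self.path = path          # None: in-memory only (tests, throwaway clients)
        self.known = {}
        if path:
            try:
                with open(path) as fh:
                    self.known = json.load(fh)
            except FileNotFoundError:
                pass

    @staticmethod
    def fingerprint(der):
        """SHA-256 over the DER bytes, which is what getpeercert(binary_form=True) returns."""
        return "sha256:" + hashlib.sha256(der).hexdigest()

    def check(self, host, port, der):
        """Return "new", "match" or "mismatch". Only "new" writes to the store;
        a mismatch never replaces the pinned fingerprint on its own."""
        key = "%s:%d" % (host.lower(), port)
        fp = self.fingerprint(der)
        known = self.known.get(key)
        if known is None:
            self.known[key] = fp  # first use: trusted blindly, by design
            self.save()
            return "new"
        return "match" if known == fp else "mismatch"

    def accept(self, host, port, der):
        """Pin a changed certificate after the user has confirmed the change."""
        self.known["%s:%d" % (host.lower(), port)] = self.fingerprint(der)
        self.save()

    def save(self):
        if self.path:
            with open(self.path, "w") as fh:
                json.dump(self.known, fh, indent=1)


def gemini_fetch(url, store, timeout=10):
    """Minimal Gemini request with the TOFU check before any data is sent.
    Returns (header line, body bytes)."""
    parts = urllib.parse.urlsplit(url)
    host, port = parts.hostname, parts.port or 1965
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # Gemini requires TLS 1.2 or later
    # The CA check is replaced by the fingerprint store. check_hostname must be
    # off before verify_mode can be CERT_NONE; a name check against the DER
    # would have to be done by hand (the "both" complained about above).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if store.check(host, port, der) == "mismatch":
                raise CertificateChanged(host, port, store.fingerprint(der))
            tls.sendall(url.encode("ascii") + b"\r\n")
            data = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    header, _, body = data.partition(b"\r\n")
    return header.decode("utf-8", "replace"), body
```

The one thing to keep in mind with this design is that the very first connection to a host is unauthenticated by construction; everything the store gives you later is continuity with that first contact, not proof of who was on the other end.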

As for the lack of POST: Very early on I designed various solutions and the one that I stuck with is the Titan protocol. It’s similar to Gemini: TLS encrypted, TOFU, and then it basically allows clients to send a long piece of text to the server. The Lagrange client has it implemented. You can use the Gemini+Titan combo to read+edit my wiki, for example. It’s a bit weird at first, but quick if you have good client support. Here’s a video of me using an extension to the Gopher and Gemini client Elpher in Emacs:

It’s a wiki, which means that people can edit the pages without needing an account. All they need is a client that speaks both Gemini and Titan, and the password. The default password is “hello”. 😃 – 2020-06-27 Gemini Wiki
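
The framing, as an added example that is neither the wiki’s own code nor anything from Lagrange or Elpher: the request line layout (titan://host/path;token=…;mime=…;size=N, then exactly N bytes of body) is my reading of the Titan spec and should be checked against it, and the status texts and the upload cap are this example’s choices. The size parameter is what makes the server side safe to write: it reads exactly that many bytes and never waits for more. Because the token travels in the request line, it is only as private as the TLS connection, which is TOFU.

```python
import hmac
import io

MAX_UPLOAD_BYTES = 1_000_000   # assumed server-side cap, not from the spec


def build_titan_request(url, body, token, mime="text/plain"):
    """Client side: the parameters ride in the URL, the body follows the CRLF."""
    for value in (url, token, mime):
        if any(ch in value for ch in ";\r\n"):
            raise ValueError("value would break the request line: %r" % value)
    line = "%s;token=%s;mime=%s;size=%d" % (url, token, mime, len(body))
    return line.encode("utf-8") + b"\r\n" + body


def parse_titan_request(stream, expected_token, max_bytes=MAX_UPLOAD_BYTES):
    """Server side. `stream` is a binary file object, e.g. tls.makefile("rb").

    Returns (status, meta, mime, body). Status and meta form the Gemini-style
    response line; mime and body are None unless the upload was accepted.
    """
    line = stream.readline(1026)                 # 1024-byte URL limit + CRLF
    if not line.endswith(b"\r\n"):
        return "59", "Request line too long or truncated", None, None
    try:
        url, _, params = line[:-2].decode("utf-8").partition(";")
    except UnicodeDecodeError:
        return "59", "Request line is not UTF-8", None, None
    if not url.startswith("titan://"):
        return "59", "Not a Titan URL", None, None
    kv = dict(p.partition("=")[::2] for p in params.split(";") if p)
    try:
        size = int(kv["size"])
    except (KeyError, ValueError):
        return "59", "Missing or invalid size parameter", None, None
    if not 0 <= size <= max_bytes:
        return "59", "Size out of range", None, None
    # Check the token before reading the body: a guessed token then costs the
    # server no bandwidth, and compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(kv.get("token", "").encode(), expected_token.encode()):
        return "59", "Token mismatch", None, None
    body = stream.read(size)                     # exactly size bytes, never more
    if len(body) != size:
        return "59", "Body shorter than the announced size", None, None
    # Accepted: send the client to the Gemini view of what it just saved.
    return "30", "gemini://" + url[len("titan://"):], kv.get("mime", "text/plain"), body


def parse_titan_bytes(data, expected_token, max_bytes=MAX_UPLOAD_BYTES):
    """Convenience for offline testing: parse from bytes, return (result, leftover)."""
    stream = io.BytesIO(data)
    result = parse_titan_request(stream, expected_token, max_bytes)
    return result, stream.read()


if __name__ == "__main__":
    request = build_titan_request("titan://example.org/page", b"hello wiki", "hello")
    print(request)
    print(parse_titan_bytes(request, "hello"))
```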

Stenberg also says that Gemini is “quite similar to going back to GOPHER.” I disagree with that. Gopher maps are a pain. No TLS for Gopher is not cool. I think from a visual perspective it depends on the client. There’s Lagrange which looks beautiful.

Thrig wrote a post in reply, with plenty of screenshots.

“Designed by committee” isn’t exactly a ringing endorsement; it is not hard to find baroquely complicated protocols, emissions of some expert committee or the other--and it shows. – The HTTP client person as seen from Gemini

That’s what I’m going to read next. 😊

#Gemini

Comments

(Please contact me if you want to remove your comment.)

As far as UTF-8 URLs go, the disagreement came down to punycode—do you convert an international domain name to punycode before DNS lookup or not? I said yes, someone else (I’m too lazy to look it up now) said “hell no!” There was no common ground between the two camps. Or at least, not one before the list blew up.

As far as TLS and gopher, I personally don’t think it’s worth adding it (https://boston.conman.org/2019/03/31.1) as the solutions either clutter the logs with bogus requests, or a very hacky solution that can lead to an attack to prevent TLS from being used at all.

– Sean Conner 2023-06-02 23:46 UTC

---

Now that I have a bit of Gemini experience with TLS, I’m no longer sure I really want TLS for Gopher. Maybe insecure TLS would be what I’d settle on? No protection against man in the middle attacks but protection against snooping in transit?

– Alex 2023-06-03 08:57 UTC

---

I guess as far as my implementation ideas go, what I liked best is “TLS mode” for the client. Switch to a “secure configuration” and from then on the client only makes TLS secured connections. What this means is that Gopher and Gopher Secure cannot link to each other. Small loss, perhaps?

Anyway, I think this also shows my Gopher maps are not cool. Gemini really solved that with URLs and MIME types.

– Alex 2023-06-03 09:00 UTC