Gemini server logging formats and practices

It was thus said that the Great Dave Huseby once stated:
> On Tue, May 12, 2020, at 11:23 AM, solderpunk wrote:
> > I am understanding of and sympathetic towards both admins who want to
> > log IPs for debugging or abuse-detection purposes and towards those who
> > don't want to so they can (rightfully) boast about their servers' respect
> > for privacy.
> 
> Thanks. This is how the HTTP protocol conversation should have gone back
> in 1989.

  Back in 1989, the Internet as we know it was still five years away.
Commercial activity was against the rules and the only people who were on
the Internet back then were largely academics (students, instructors,
professors) at universities and a few researchers at some select companies
(like IBM, Sun or Symbolics).  I would think that had you seriously
presented this argument at the time, people might have looked at you
strangely.  While people were still largely trustful of other users, the
Morris Worm of Nov 1988 was still quite recent and if not for logging, it
would have taken much longer to stop.

> > We could also define a half-way format, where a compact hash of the IP is
> > logged, so that unique visitor statistics can be calculated for those
> > who want them, or e.g. malfunctioning bots can be spotted, but nothing.
> 
> I think it may help to consider that the IP address of a sender is
> personally identifiable information and is not the server operator's to
> collect without consent. 

  So a not-so-hypothetical situation here---if I were to put on my Gemini
server "I LOG ALL THE IPS!", honestly, how could I get your consent (or
non-consent)?  I can't get it from you prior to your connection, because I
don't know you will connect.  I can't get your consent afterwards because I
already have your IP.  And would such a disclaimer have to be added to every
page?  How can you know prior to requesting a Gemini page that the server
will log your IP address?

  I'm not under the delusion that security is possible on the Internet, nor
privacy.  I've always operated under the assumption that anything I put on a
public server, *even with access controls,* is public [1].

  Yes, I'm a bit antagonistic towards such goals because I don't believe
that one can have a truly anonymous exchange of data over *any* medium, but
unfortunately, I don't have such a proof, other than---you need two
endpoints who know of each other such that data can be exchanged, and how do
you prove your identities (or repudiate an identity, such as "I am NOT an FBI
agent")?  I think you can exchange data anonymously but you won't know who
is actually on the other end, or you can know, but so will an observer.  I
don't think you can get both.

> Right now the only thing we can do is willfully
> blind our servers. Eventually though, if all goes according to plan,
> Gemini servers will be running on a mixnet of some kind 

  Really?  I don't recall seeing such a plan myself.  Solderpunk, are you
holding out on me?

> and they won't be
> able to track IP addresses because the source isn't mapped to anything in
> the real world. 

  I know a lot of people use TOR for anonymity, but I feel that it's still
not 100% secure and that a state actor (like, oh, I don't know, China or the
United States) can, with enough resources, do a correlation attack on both
ingress and egress TOR points.  I mean, the authorities *say* they caught
the Dread Pirate Roberts on one mistake he made a few years earlier, but I
feel that the mistake was found *after* they knew who he really was, because
the US threw enough resources (legal and otherwise) into finding him.

> Accessing permissioned resources (i.e. 6X response codes) doesn't
> necessarily imply correlation of the user. Certainly the user can present
> the same cryptographic credentials on subsequent requests but a better
> design is to allow for pair-wise credentials that are ephemeral to each
> session and potentially ephemeral to each request. Currently TLS doesn't
> allow for this mode of operation. Something like CurveCP with
> decentralized verifiable credentials is a superior solution for
> uncorrelatable confidentiality.

  So go ahead and implement it if you think it's possible.  

> Anyway, back to logging. I don't think it is our place as server operators
> to collect IP addresses without consent since it isn't our data. 

  Technically, the IP address you use to access a server isn't yours either.
It's the provider's.  They are just letting you use it.

> It is an
> unfortunate legacy of the existing IP network layer that will hopefully be
> overcome soon. 

  TOR?  Content addressable stuff with names like 9a793f67-3df1-45e2-a3f5-4b3166800102?
Yeah, I'm not sold on that stuff.

> I think the hashing of IP addresses for correlation is fine
> but I think it is fair to expect all server operators to notify their
> users that they are doing so.

  Again, how?

  -spc

[1]	A few days ago, I was informed of a bug in my server where you could
	by-pass the certificate check with a malformed, but still accepted,
	request.
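As an added illustration (not part of the thread or of any Gemini server's code), here is the "half-way format" solderpunk mentioned: a compact hash of the client address in place of the address itself, with the check an operator would want, namely that the hash is keyed with a rotating secret, since an unkeyed hash of an IPv4 address can be inverted by enumerating all 2**32 values. The key, sample traffic and log layout are constructed for the example.

```python
import hmac
import hashlib
import ipaddress
from collections import Counter

# Constructed sample traffic (client IP, URL); not taken from any real server.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "gemini://example.org/"),
    ("203.0.113.7", "gemini://example.org/about.gmi"),
    ("198.51.100.22", "gemini://example.org/"),
    ("2001:db8::1", "gemini://example.org/log/"),
] + [("198.51.100.99", f"gemini://example.org/page{i}.gmi") for i in range(20)]

# Hypothetical per-day secret; a real server would generate it at rotation
# time and discard the previous period's key.
DAILY_KEY = b"constructed-secret-for-2020-05-12"

def pseudonymize_ip(ip: str, key: bytes, digits: int = 8) -> str:
    """Keyed, truncated hash of an IP address (the "compact hash" idea).

    An unkeyed hash such as sha256(ip) protects nothing for IPv4: only 2**32
    addresses exist, so every digest can be inverted by enumeration.  An HMAC
    under a secret the operator rotates keeps the pseudonym stable within one
    rotation period (unique visitors and runaway bots stay countable) and
    becomes uninvertible once that period's key is thrown away.
    """
    packed = ipaddress.ip_address(ip).packed  # canonical bytes, v4 or v6
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:digits]

def log_line(ip: str, url: str, status: int, key: bytes) -> str:
    """One record: pseudonym, Gemini status code, URL; the raw IP never reaches disk."""
    return f"{pseudonymize_ip(ip, key)} {status} {url}"

def build_log(requests, key: bytes) -> list:
    return [log_line(ip, url, 20, key) for ip, url in requests]

def unique_visitors(lines) -> int:
    """Distinct pseudonyms within one rotation period."""
    return len({line.split(" ", 1)[0] for line in lines})

def noisy_clients(lines, threshold: int) -> dict:
    """Pseudonyms with more than `threshold` requests: candidate malfunctioning bots."""
    counts = Counter(line.split(" ", 1)[0] for line in lines)
    return {h: n for h, n in counts.items() if n > threshold}
```

Because the pseudonym changes with the key, counts cannot be joined across rotation periods, which is the trade-off that makes the format "half-way".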
