Makes sense. Would security be impacted if clients applied TOFU and refused to downgrade if they had previously established a secure connection?

On Wed, Mar 10, 2021 at 9:33 AM Stephane Bortzmeyer <stephane@sources.org> wrote:

> On Wed, Mar 10, 2021 at 09:18:14AM +0100,
> Artur Honzawa <arturh@gmail.com> wrote
> a message of 25 lines which said:
>
> > Add gemini-plaintext: schema for servers without TLS support.
>
> Each time you have two security levels (encrypted and unencrypted),
> besides added complexity, you have the problem of downgrade attacks
> <https://en.wikipedia.org/wiki/Downgrade_attack>. These attacks have
> plagued all protocols with both an encrypted and unencrypted version
> (SMTP…), that's why HTTP/3 (and Gemini!) only have one version.
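A sketch of the client policy the question above describes, as an added example that is not part of the original message or of any Gemini client: it pins a host on first TLS contact and afterwards refuses the proposed `gemini-plaintext` scheme for that host, while a host never seen over TLS still gets no protection. The class name, the choice to key pins on hostname only, the hostnames and the fingerprints are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


class Refused(Exception):
    """Raised when the client policy refuses to make the request."""


class TofuPolicy:
    """Hypothetical TOFU store: hostname -> certificate fingerprint first seen over TLS."""

    def __init__(self):
        self.pins = {}

    def check(self, url, cert_fingerprint=None):
        """Decide whether a request may proceed; returns a label or raises Refused."""
        parts = urlsplit(url)
        host = parts.hostname  # assumption: pins are keyed on hostname only
        pinned = self.pins.get(host)

        if parts.scheme == "gemini":
            if cert_fingerprint is None:
                raise ValueError("a TLS request needs the presented fingerprint")
            if pinned is None:
                # Trust on first use: nothing to compare against yet.
                self.pins[host] = cert_fingerprint
                return "pinned-on-first-use"
            if pinned != cert_fingerprint:
                raise Refused(f"{host}: certificate differs from the pinned one")
            return "verified"

        if parts.scheme == "gemini-plaintext":
            if pinned is not None:
                # The host has spoken TLS before, so plaintext now is a downgrade.
                raise Refused(f"{host}: seen over TLS before, refusing plaintext")
            # No earlier TLS contact: the policy has nothing to enforce here.
            return "plaintext-unprotected"

        raise ValueError(f"unsupported scheme: {parts.scheme}")


if __name__ == "__main__":
    policy = TofuPolicy()
    # Constructed sample hosts and fingerprints.
    print(policy.check("gemini://known.example/", "aa11"))
    print(policy.check("gemini-plaintext://never-seen.example/"))
    try:
        policy.check("gemini-plaintext://known.example/")
    except Refused as err:
        print("refused:", err)
```
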