You could add crypto to gopher, but I think it's a hack

I received the following email today:

> From: Trevor Clarke <XXXXXXXXXXXXXXXXXXX>
> To: sean@conman.org
> Subject: Secure gopher comment
> Date: Tue, 28 Sep 2021 16:21:10 -0400
>
> I just read your post http://boston.conman.org/2019/03/31.1 [1] about the difficulty of adding TLS (Transport Layer Security) to gopher. I don't think it's as bleak as you suggest. A client supporting secure gopher simply sends a TLS client hello packet when first connecting to the server. If it receives nothing or receives something that is not a valid server hello, it drops the connection and switches to regular gopher for that server. To minimize the number of failed attempts, the client can cache the type of server during a session or persist the status for a period of time before trying again.

As I wrote back, this is already being done by clients as can be seen from my gopher logs:

Sep 28 09:10:44 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=false request="223120101…" bytes=82
Sep 28 09:10:44 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=true request="Gopher:Src:port70/handlers/" bytes=505
Sep 28 16:44:41 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=false request="223120101…" bytes=82
Sep 28 16:44:41 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=true request="Phlog:2004" bytes=533
Sep 28 18:04:43 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=false request="223120101…" bytes=82
Sep 28 18:04:43 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=true request="Bible:" bytes=10647
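The pattern in those lines (a failed request carrying binary data, then a successful plain-gopher request from the same remote within the same second) is easy to pull out of a log mechanically. The following is an added example, not code from the original post or from the author's gopher server; it assumes the log format shown above and, as a labelled assumption, that the server writes unprintable request bytes as decimal digits, so the start of a TLS handshake record (0x16 0x03 0x01) shows up as the prefix "2231". The six page lines are reused as sample input, and two further lines are constructed to show an ordinary failed selector and a probe with no follow-up.

```python
import re
from datetime import datetime, timedelta

# Sample input: the page's own six log lines, followed by two constructed lines
# (an ordinary failed selector, and a probe with no follow-up request).
SAMPLE_LOG = """\
Sep 28 09:10:44 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=false request="223120101…" bytes=82
Sep 28 09:10:44 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=true request="Gopher:Src:port70/handlers/" bytes=505
Sep 28 16:44:41 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=false request="223120101…" bytes=82
Sep 28 16:44:41 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=true request="Phlog:2004" bytes=533
Sep 28 18:04:43 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=false request="223120101…" bytes=82
Sep 28 18:04:43 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=true request="Bible:" bytes=10647
Sep 28 19:00:00 daemon info 71.19.142.20 gopher remote=XXXXXX.2.99 status=false request="nosuchselector" bytes=82
Sep 28 19:30:00 daemon info 71.19.142.20 gopher remote=XXXXXX.3.7 status=false request="223120101…" bytes=82
"""

# One log line: syslog timestamp, facility/level/host, then key=value fields.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ \S+ gopher '
    r'remote=(?P<remote>\S+) status=(?P<status>true|false) '
    r'request="(?P<request>[^"]*)" bytes=(?P<bytes>\d+)$'
)

# Assumption: unprintable request bytes are logged as decimal digits, so a TLS
# handshake record header 0x16 0x03 0x01 (22, 3, 1) appears as "2231".
TLS_HELLO_PREFIX = "2231"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; ordering within one file is all we need.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["ok"] = rec["status"] == "true"
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_tls_probe(rec):
    """A failed request whose selector starts with a TLS record header."""
    return not rec["ok"] and rec["request"].startswith(TLS_HELLO_PREFIX)


def find_tls_probes(log_text, window=timedelta(seconds=2)):
    """Return (remote, timestamp, follow-up selector or None) for every TLS
    probe, pairing it with the next successful plain-gopher request from the
    same remote inside `window` (the client's fallback connection)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    found = []
    for i, rec in enumerate(records):
        if not is_tls_probe(rec):
            continue
        followup = None
        for later in records[i + 1:]:
            if later["ts"] - rec["ts"] > window:
                break  # records are in time order; nothing later can pair
            if later["remote"] == rec["remote"] and later["ok"]:
                followup = later["request"]
                break
        found.append((rec["remote"], rec["ts"].strftime("%b %d %H:%M:%S"), followup))
    return found


if __name__ == "__main__":
    for remote, when, selector in find_tls_probes(SAMPLE_LOG):
        print(f"{when} {remote}: TLS probe, then plain gopher request {selector!r}")
```

Run as a script it lists each probe and the selector the client fell back to; a probe with no follow-up (the last constructed line) is reported with `None`, which is worth a second look in a real log, since a client that probes and never falls back is either a scanner or a client that gave up.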

There's also a trick that servers can do to “seamlessly” support TLS—peek at the initial packet for the start of a TLS connection, and if it doesn't match, then fall back to the normal TCP (Transmission Control Protocol) routine. There's also the possibility of a downgrade attack to prevent the client from successfully using TLS.

I'm not a fan of either of these approaches. On the client side, it makes (potentially annoying) extra requests that, for the most part, will be a waste of time, as not many gopher servers (to my knowledge) support TLS. And on the server side, it's a hack to peek at the initial packet of data (it can be done on some systems, but I don't know if all TCP stacks support peeking at the data before reading the data).
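To make the server-side peek concrete, here is an added example (not code from the post or from the author's server) of the demultiplexing step: peek at the first bytes of a fresh connection with `MSG_PEEK`, decide whether they begin a TLS handshake record or a gopher selector, and leave the bytes in the socket for whichever handler takes over. It uses a `socketpair()` so it runs offline; the ClientHello prefix is constructed. The `want` count and the "more" result for a still-incomplete peek are design choices of this example, as is the decision that any first byte other than 0x16 means plain gopher, which is what lets a root request consisting only of CR LF through without waiting for a third byte.

```python
import socket

TLS_HANDSHAKE = 0x16  # TLS record type "handshake"; a ClientHello is the first one sent


def classify_initial_bytes(data):
    """Classify the first bytes seen on a connection.

    Returns "tls", "gopher", or "more" when nothing can be decided yet.
    """
    if not data:
        return "more"
    # A gopher selector is text, so any first byte other than 0x16 is gopher.
    # This also covers the root request, which is just CR LF (two bytes).
    if data[0] != TLS_HANDSHAKE:
        return "gopher"
    if len(data) < 3:
        return "more"
    # Record version 0x03 0x00..0x04 (SSLv3 through the TLS 1.2/1.3 on-the-wire
    # value 0x0301/0x0303) confirms a TLS record rather than a stray 0x16.
    if data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    return "gopher"


def peek_classify(conn, want=3):
    """Peek at up to `want` bytes without consuming them and classify them.

    MSG_PEEK is available on POSIX sockets; as the post notes, not every TCP
    stack supports it, which is part of why this is a hack.
    Returns "closed" if the peer hung up before sending anything.
    """
    data = conn.recv(want, socket.MSG_PEEK)
    if not data:
        return "closed"
    return classify_initial_bytes(data)


def demo(first_bytes):
    """Send `first_bytes` over a socketpair, peek and classify on the other
    end, then read normally to show the peeked bytes are still there."""
    a, b = socket.socketpair()
    try:
        a.sendall(first_bytes)
        kind = peek_classify(b)
        still_there = b.recv(len(first_bytes))  # the real handler reads from here
        return kind, still_there
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    # Constructed: the first bytes of a TLS 1.x ClientHello record (type 0x16,
    # version 0x0301, record length 0x0200, handshake type 0x01 ...).
    print(demo(b"\x16\x03\x01\x02\x00\x01"))
    print(demo(b"Phlog:2004\r\n"))
    print(demo(b"\r\n"))
```

On a "tls" result a real server would hand the still-unread socket to `ssl.SSLContext.wrap_socket(conn, server_side=True)` with its certificate; on "more" it would wait (with a timeout) and peek again. The peek itself does nothing about the downgrade problem the post raises: a client that treats a failed hello as "this server is plain gopher" can be pushed to plaintext by anyone who can drop the hello, so the client-side caching suggested in the email would need to remember that a server has spoken TLS before, not just that it failed once.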

I also mentioned that one of the major complaints about the Gemini protocol [2], something of a reimagining of gopher but with mandatory TLS, is its use of TLS. Go figure—there are people who want to add TLS to gopher, and people who want to remove TLS from Gemini.

[1] http://boston.conman.org/2019/03/31.1

[2] https://gemini.circumlunar.space/
