💾 Archived View for rosenzweig.io › gemlog › 2020-11-05-the-nefarious-isp.gmi captured on 2020-11-07 at 01:18:17. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

The Nefarious ISP

I do like TOFU more than I like meat [1]. But I'm still nervous around the Gemini security model, perhaps irrationally so. TOFU does not have the security guarantees of trust models like the GPG's, although the models like the web-of-trust are so unwieldy in practice they offer no meaningful improvement to the status quo. It's unfair to compare Gemini's model with GPG.

What is a fair comparison? Gemini replaces a small but growing subset of the web, mostly delivered over HTTPS nowadays with certificates signed by certificate authorities as opposed to a TOFU model. For our discussions, we can assume:

The owner of a domain can always procure a valid certificate for it (via LetsEncrypt)
Three letter agencies and other well-funded adversaries can also procure valid certificates (via non-technical attacks)
Casual adversaries cannot procure valid certificates.

By contrast, TOFU can be defeated by anyone that can attack the first connection made with a server, conducting a man-in-the-middle attack on the network, unless a VPN or preferably Tor is used for the connection. Alternatively if domain ownership could proven, e.g. via a special DNS record, the trust model would be no worse than HTTPS, since adversaries with control over DNS can already forge certificates.

Of course, a man-in-the-middle is needed to attack HTTPS as well. I've heard that BGP is enough of a mess that this might be easier than I expect, but in general, this limits adversaries against either HTTPS or Gemini connections to:

Local networks (offices, coffee shop wi-fi, and so forth)
Internet service providers
Governments (exerting control on the former)

Comparing the lists, we may set aside governments since either Gemini or HTTPS may be attacked with similar constraints. The meaningful risks are from the local network and the internet service provider. In particular, if they can attack the N'th connection, it's likely they can attack the first provided a users' browsing habits are sufficiently diverse and their network habits sufficiently homogeneous. In the pandemic era, these are safe assumptions for a home ISP.

So what can a nefarious ISP do, if they forge certificates to intercept encrypted Gemini traffic? There's not much to snoop on, Gemini is a primarily read-only, public web; most of the privacy issues are from the capsule itself leaking (via the IP address, which can be mapped back to a domain, and which the ISP has anyway). Unless/until Gemini gains POST support, or critical sites in the wild make use of client certificate authentication, the issue is not one of privacy per se.

But encryption also provides some integrity properties. A malicious ISP can *edit* the page *responses*, for instance injecting advertisements.

It's happened for HTTP.

It could happen for Gemini.

[1] I'm a vegetarian.