💾 Archived View for rawtext.club › ~sloum › geminilist › 000575.gmi captured on 2020-11-07 at 01:35:40. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Gemini server logging formats and practices

Sean Conner sean at conman.org
Wed May 13 04:06:30 BST 2020
- - - - - - - - - - - - - - - - - - - ```

It was thus said that the Great Dave Huseby once stated:
> On Tue, May 12, 2020, at 11:23 AM, solderpunk wrote:
> 
> I am understanding of and sympathetic towards both admins who want to
> 
> log IPs for debugging or abuse-detection purposes and towards those who
> 
> don't want to so they can (rightfully) boast about their severs' respect
> 
> for privacy.
> 
> Thanks. This is how the HTTP protocol conversation should have gone back
> in 1989.

  Back in 1989, the Internet as we know it was still five years away. Commerical activity was against the rules and the only people who were onthe Internet back then where largely academics (students, instructors,professors) at universities and a few researchers at some select companies(like IBM, Sun or Symbolics).  I would think that had you seriouslypresented this argument at the time, people might have looked at youstrangely.  While people were still largely trustful of other users, theMorris Worm of Nov 1988 was still quite recent and if not for logging, itwould have taken much longer to stop.

> 
> We could also define a half-way format, where a compact hash of the IP is
> 
> logged, so that unique visitor statistics can be calcualted for those
> 
> who want them, or e.g. malfunctioning bots can be spotted, but nothing.
> 
> I think it may help to consider that the IP address of a sender is
> personally identifiable information and is not the server operator's to
> collect without consent. 

  So a not-so-hypothetical situation here---if I were to put on my Geminiserver "I LOG ALL THE IPS!", honestly, how could I get your consent (ornon-consent)?  I can't get it from you prior to your connection, because Idon't know you will connect.  I can't get your concent afterwards because Ialready have your IP.  And would such a disclaimer have to be added to everypage?  How can you know prior to requesting a Gemini page that the serverwill log your IP address?

  I'm not under the delusion that security is possible on the Internet, norprivacy.  I've always operated under the assumption that anything I put on apublic server, *even with access controls,* is public [1].

  Yes, I'm a bit antagonistic towards such goals because I don't believethat one can have a truly anonymous exchange of data over *any* medium, butunfortunately, I don't have such a proof, other than---you need twoendpoints who of of each other such that data can be exchanged, and how doyou prove your identities (or repudate an identity, such as "I am NOT a FBIagent")?  I think you can exchange data anonymously but you won't know whois actually on the other end, or you can know, but so will an observer.  Idon't think you can get both.

> Right now the only thing we can do is willfully
> blind our servers. Eventually though, if all goes according to plan,
> Gemini servers will be running on a mixnet of some kind 

  Really?  I don't recall seeing such a plan myself.  Solderpunk, are youholding out on me?

> and they won't be
> able to track IP addresses because the source isn't mapped to anything in
> the real world. 

  I know a lot of people use TOR for anonimity, but I feel that it's stillnot 100% secure and that a state actor (like, oh, I don't know, China or theUnited States) can, with enough resources, do a correlation attack on bothingress and egress TOR points.  I mean, the authorities *say* they caughtthe Dread Pirate Roberts on one mistake he made a few years earlier, but Ifeel that the mistake was found *after* they knew who we really was, becausethe US threw enough resources (legal and otherwise) into finding him.

> Accessing permissioned resources (i.e. 6X response codes) doesn't
> necessarily imply correlation of the user. Certainly the user can present
> the same cryptographic credentials on subsequent requests but a better
> design is to allow for pair-wise credentials that are ephemeral to each
> session and potentially ephemeral to each request. Currently TLS doesn’t
> allow for this mode of operation. Something like CurveCP with
> decentralized verifiable credentials is a superior solution for
> uncorrelatable confidentiality.

  So go ahead and implement it if you think it's possible.  

> Anyway, back to logging. I don't think it is our place as server operators
> to collect IP addresses without consent since it isn't our data. 

  Technically, the IP address you use to access a server isn't yours either. It's the providers.  They are just letting you use it.

> It is an
> unfortunate legacy of the existing IP network layer that will hopefully be
> overcome soon. 

  TOR?  Content addressible stuff with names like 9a793f67-3df1-45e2-a3f5-4b3166800102? Yeah, I'm not sold on that stuff.

> I think the hashing of IP addresses for correlation is fine
> but I think it is fair to expect all server operators to notify their
> users that they are doing so.

  Again, how?

  -spc

[1]	A few days ago, I was informed of a bug in my server where you could	by-pass the certificate check with a malformed, but still accepted,	request.