💾 Archived View for thfr.info › gemini › modified-trust-verify.gmi captured on 2021-12-05 at 23:47:19. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

➡️ Next capture (2022-01-08)

-=-=-=-=-=-=-

Trust and Verification for Gemini

A Proposal for an Enhanced Security Model for Gemini

Date: 2021-03-08

Author: thfr

TL;DR at the bottom of the document.

Background

Gemini is a new internet protocol that has seen increasing attention in 2020-2021. Besides the relative minimalism compared to the Web, the main other argument that it has going for it is that privacy/cryptography are included (and mandated) from inception:

"[Gemini] takes user privacy very seriously"

This is reflected in mandatory TLS version 1.2 (or higher) for all transactions (see section "4 TLS" in the specification). Gemini rejects the Certificate Authority(CA)-based approach of the Web. Instead, the current state of the specification (which is approaching finalization) advocates TOFU ("Trust On First Use").

There are good reasons to choose TOFU over CAs:

Checks involved in the CA model are costly.

Gemini prides itself of simplicity, such that a client can be "a feasible weekend programming project." TOFU strikes a reasonable balance between privacy of the connection and implementation simplicity.

The CA model is not invulnerable to compromise.

Despite these arguments, there continue to be voices critical of the TOFU approach.

This leads to alarm fatigue and "blindly trusting."

TLSA/DANE have been proposed, but from my understanding would add more connections and violate the goal simplicity and single connections per document.

TXT records complicate the server setup additionally.

Related Links:

Stephane's page contains a section with problems with TOFU in the current approach.

Drew DeVault's TOFU recommendations.

GitLab TLS server certificate trust discussion

"Clients can validate TLS connections however they like (including not at all)"

Bjorn's discussion of certificates

Concerns about TXT approach; DNS calls.

The Problem

To address this problem, I will first attempt a higher level summary:

It should be recognized that the threat model varies...

For many users, 99% of the pages they visit will be sufficiently protected by what TOFU offers - protection from eavesdropping, and some protection from an impersonating attacker _after_ the first connection to the server. But there are those pages, like for me my bank's login, where this would not be enough protection for me.

Therefore, I would argue for additional flexibility beyond "just TOFU".

One of the key comments in my reading that I agree with:

There seems to be this idea among client/browser developers that a certificate can be validated in and of itself, without out of band verification. This is a mistake [...]

Followed by another one that I will qualify:

We have no out of band way to verify [the fields of the certificate and the certificate itself] anyway.

(both quotes from this resource)

I would qualify this as follows: We have no out of band way to BULK verify ALL CONNECTIONS.

The logical question that has been insufficiently discussed in my opinion is therefore:

"How do you facilitate out-of-band verification IN THE SITUATIONS WHEN IT MATTERS?"

The OMEMO/Conversations Approach that Takes Out-of-Band Verification into Account

Thinking about the issue and reading about related topics, I came across a discussion of the approach of the OMEMO encryption. One criticism leveraged by OMEMO against TOFU is that the problem of manual trust decision is not appropriately resolved (and I would even argue that it isn't receiving any assistance).

TOFU seems to have a tendency to downgrade to the "Trust-Everything approach," as seen with the messaging apps Signal and WhatsApp (described in the following link), as well as simplification proposals for Gemini (in various links and emails).

The way that OMEMO/Conversations address this is with a concept they call "Blind Trust Before Verification." It combines the ease of trusting many devices (thereby avoiding warning fatigue) with the option to verify the fingerprint with hex string or QR code (often after initial use).

Of course, the use and threat model of a messaging app differ significantly from gemini browsers. Compared to messaging apps, use of a gemini browser can be expected to...

Discussion of the OMEMO/Conversations approach

OMEMO encryption specification

My Proposal - "Trust, but Verify (where appropriate)"

Based on this, I propose a three-tiered system with the following states that could for example be signaled with traffic signal colors:

One advantage of this is that no client would need to be rewritten. The existing TOFU approach already covers TRUSTED and UNTRUSTED scenarios. But clients could be incentivized to assist with out-of-band verification.

Out-of-band verification can be facilitated by the client and server operator as follows:

Random Art examples

Response Status Code 11 - SENSITIVE INPUT

Clients could restrict resources that return status code 11 to VERIFIED (green), or display additional (non-blocking?) warnings if accessing at only TRUSTED (yellow) level.

TL;DR

Gemini's current TOFU model for transaction protection has significant advantages, especially as it provides protection from eavesdropping and server impersonation after the first connection while keeping a low footprint. This document outlines how a system encouraging out-of-band verification of the server fingerprint can increase security where desired, while avoiding the technical burden and pitfalls of a Certificate Authority model.