💾 Archived View for gemini.ctrl-c.club › ~stack › gemlog › 2022-02-13.notls.gmi captured on 2022-03-01 at 15:14:19. Gemini links have been rewritten to link to archived content

View Raw

More Information

➡️ Next capture (2022-05-22)

-=-=-=-=-=-=-

A Call for a Gemini Without TLS

Opinion: the TLS encryption used in Gemini provides very little security, and should be removed. Some questions and answers:

What is TLS?

TLS is a key-exchange and an end-to-end encryption scheme used by HTTPS and Gemini clients and servers.

What does it accomplish?

What is wrong with TLS?

Encrypting data is pointless:

Is tracking still possible? (Yes it is)

https://kieranhealy.org/blog/archives/2013/06/09/using-metadata-to-find-paul-revere/

Questionable security or centralization?

Mass-market encryption is likely compromised.

It is almost certain that widely-accepted and used cryptography is compromised and is not a threat to governments (otherwise we would see a serious push for other technologies which include backdoors). In fact it is very likely that NSA and other such players are actively introducing and supporting certain encryption technologies. Some even believe that bitcoin is an NSA creation, as the creator was never revealed, and bitcoin is _the most traceable_ method of transacting.

TLS assures 100% lack of deniability

Questionable authentication

Complexity, risk and sluggishness

What can be used instead of TLS?

But isn't it in the spec?

The spec, as I mentioned elsewhere, is really a manifesto. Gemini does not really need TLS to remain Gemini, just like it does not require gemtext.

To Summarize

TLS goes entirely against the grain of the core concepts of Gemini - simplicity, succinctness, ease of implementation, and the desire to rid ourselves of the stupidity of the mainweb.

It adds unnecessary bulk, complexity, delays, and a 'black box' that is not comprehensible, while offering pretty much nothing in return -- and a false sense of security for those who least understand the implications.

I am really surprised that everyone just went along with this without giving it much thought.

What can you do?

Even if you think I am a tactless moron, please consider that TLS may not be necessary, and consider the suggestions below:

Consider switching to Spartan.

Spartan is basically Gemini without TLS (with a few enhancements and simplifications). It is Gemini the way God had intended, without the 'cough, never mind that black-box, cough' trickery. Your gemtext content may be served over Spartan - in parallel with your Gemini server.

Writing a toy Spartan client is a joy (and can be done in an evening) - you don't need to deal with any black magic - open a socket and get the file.

Why are you sabotaging Gemini? Are you a troll?

I am not, and no. I love the Gemini community, the (illusion of) simplicity, the terseness and quietness of Gemini. I've been an active contributor to the community with my games.

I think it is important to have an open conversation and think critically about technology and the problems it solves -- and introduces -- regularly and repeatedly. And if something is unnecessary, excise it as soon as possible because things like that grow as a cancer, and after a while it is no longer possible.

In short, I am invested, and I want Gemini to be there. Done right, if possible.

Is there a chance this will happen?

No. Being reasonable is hardly a driving factor for any technology or group.

index

home