💾 Archived View for tozip.chickenkiller.com › 2022-06-30-bombo.gmi captured on 2023-03-20 at 17:48:26. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-07-16)

-=-=-=-=-=-=-

Bombo fork cert skipping, and TLS critique

Created 2022-06-30

I have a bombadillo fork here:

gitlab

I have recently enhanced it so that you can ignore expired certifi-

cates if you want. The default behaviour is to be strict (which is

the prior behaviour), but you can ride roughshod over all that by

setting:

     geminicerts=allow

in your ini file. It is all explained in the manpage.

This is necessary because bombadillo refuses to load bad certs. The

first Gemini capsule in existence:

     gemini://gemini.conman.org/

has a certificate that expired on 2022-06-24. The host is Sean, and

I presume he the father of Gemini. This is a worrying development

in light of the fact that his capsule says:

I'm no longer involved with the Gemini development, so all the

tests and tools that were here are have been removed. Why

doesn't matter. I've been told to shut up, sit down, and let

the adults in the room talk. You have been warned.

Ouch.

I am new to Gemini, so I don't know who the main players are, who

is now steering it, if anyone. Does this mean that Gemini is des-

tined to oblivion? Should we stick with it, perhaps migrate to

Spartan, or just throw in the towel and use Gopher? Thoughts are

appreciated.

For the foreseeable future I am happy with Gemini. I will concen-

trate on whatever protocol is the most popular among Gemini, Spar-

tan and gopher. I have found GMI files to be pleasant to write,

whilst I find gophermaps unpleasant. I am new to this game, so per-

haps the whole gophermap thing will grow on me if I try to figure

it out. If it still seems to be too difficult then it's easy enough

to stick to my current workflow of using my Perl script as a gem-

file to gophermap bridge. It's not perfect, but it's getting better

all the time.

I have also started playing around with Dave Bucklin 's groff

script:

Formatting

I have adapted it to help me generate gmi files from groff files. I

do admit that I really love to see text fully justified.

But onto more contentious issues.

The case against TLS

I'm firmly in the camp that TLS is a bad idea for Gemini. Here

goes:

• EMPIRICALLY, it is my view that TLS has not added value to the

protocol. If anything, it has taken away. I think this is justifi-

cation enough to call TLS a busted flush, notwithstanding any other

arguments that one might posit. However, I will continue my case.

• TOFU (Trust On First Use) seems to be "no security at all". I'm

not a security expert, though. Nor am I a system administrator. I

am a programmer, working mostly on applications and small scripts.

It strikes me that if you're going to trust the first certificate

that a site throws your way, then how do you know that the certifi-

cate has any merit in the first place? To put any faith in the cer-

tificate, you need ...

• THIRD PARTY VERIFICATION is even more complicated. The adminis-

tration, trust and cost escalates the endeavour to a whole new lev-

el.

• COMPLEXITY is increased both on the client- and server- side. You

need to generate the certs, and make sure they don't expire

(Sean!). Plus, if you jigger your system around, you've got to en-

sure that certs are properly migrated.

• YAGNI (You Ain't Gonna Need It): Does my recipe for split pea

soup really need encryption?

• FUGGIT. We're all hosting our capsules for fun. It's not supposed

to be proper work. We can make certs, break and extend them as re-

quired. What is Joe Consumer supposed to make of all this other

than "nah, it'll be fine" and carry on regardless?

Just my 2¢.