💾 Archived View for tilde.pink › ~shardiame › 2021 › hidden_gemini.gmi captured on 2023-03-20 at 18:13:31. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-01-29)

-=-=-=-=-=-=-

Hidden Gemini Capsules

I made this post on my web-based Blog about my new love of Gemini.

https://www.residualbits.org/posts/2021/02/why-gemini-hidden-capsules/

I won't repeat all the content here since, if you are reading this, you are already using Gemini and I assume already in the "believer" camp.

Why Gemini for Hidden Services?

I do, however, want to repost my thoughts on using Gemini as a Tor hidden service because I think the idea is pretty exciting!

Using the modern web over Tor is scary for several reasons:

• Modern web servers have a pretty huge attack surface
• Modern web browsers have a massive attack surface (JavaScript)
• It is hard to configure modern web browsers to avoid leaking data (WebRTC, JavaScript, etc.)

Gemini, on the other hand...

• Doesn't even have a mechanisms for the client to leak information to the server
• Doesn't have support for client-side executable content
• Has a much simpler client, and presumably smaller attack surface
• Has a much simple server, and presumable smaller attack surface

Getting it up and running

Setting up a Gemini-based Tor hidden service is fairly easy. These instructions are for Linux (Debian).

Start by ensuring you have a modern version of Tor running on your machine.

Instructions for installing Tor on Debian

Next, get your Gemini server of choice. I selected gmnisrv.

gmnisrv project

I'm going to gloss over setting up some of the Gemini server. Obviously, make sure it's running as an unprivileged user and chrooted / sandboxed as appropriate.

The first step is to configure Tor to expose your Gemini server as a new hidden service. To do this, add the following lines to `/etc/tor/torrc`:

HiddenServiceDir /var/lib/tor/hidden_gemini/
HiddenServicePort 1965 127.0.0.1:1965

And restart Tor.

$ sudo service tor restart

This will create a new set of keys for the hidden service in `/var/lib/tor/hidden_gemini`.

We need to get the hostname for our new hidden service.

$ cat /var/lib/tor/hidden_gemini/hostname
4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion

Now, we can setup our gmnisrv configuration file like so.

You'll need to make sure the user running `gmnisrv` has r/w to the configured certificate store and root.

Make sure to configure `gmnisrv` to listen only to 127.0.0.1 so you don't inadvertently expose your Gemini capsule to the clearnet.

listen=127.0.0.1:1965

[:tls]
# Path to store certificates on disk
store=/etc/ssl/gemini

# Optional details for new certificates
organization=Hidden Gemini

[4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion]
root=/var/gemini

Create some content:

echo "# Hello World" > /var/gemini/index.gmi

Start the server:

$ torify gmnisrv -C gmnisrv.config 
[gmnisrv] generating certificate for 4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion
[gmnisrv] listening on 127.0.0.1:1965
[gmnisrv] gmnisrv started

And test it out with your client of choice (making sure that it's also going through Tor or the .onion won't resolve properly):

$ torify lagrange 4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion

You should now be serving content via. Gemini as a Tor Hidden Service.

Back to Home