💾 Archived View for stacksmith.flounder.online › gemlog › 2021-10-13.Gemini-Client-Architecture.gmi captured on 2023-05-30 at 20:41:26. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-07-16)

-=-=-=-=-=-=-

A Blueprint for Gemini Clients

Gemini appears simple. But many thing that appear simple at first are much more complex upon closer examination. Gemini is one of those things. In fact it is amazing how much complexity is hidden in the Gemini protocol.

I propose separating the network client from the application/UI. In the spirit of Unix's 'Do one thing and do it well', the network client can encapsulate TLS and the Gemini protocol, while the UI client can concentrate on dealing with layout, bookmarks, and the user interface.

The reason is to hand off TLS to a separate component, designed to do TLS-to-Gemini-Server work, and do it well. While TLS is widely supported through libraries, I propose that those who don't know what they are doing (and I include myself, currently) stay away from crypto. More below.

Network Component

A single network client can act as a proxy for multiple applications, acting as a proxy. It fetches TLS-encoded Gemini pages and provides them as plain text to the applications.

gmni does exactly that, and is a good start. It outputs plain text into stdout. I

It would be nice to have a proper server, a local plain-text gemini proxy for using within the secured local network.

UI Component

There are no plain-text clients right now, but I hope that the coders wise up. There is no reason to maintain TLS-related crap in your browser - divide and conquer...

I am putting together a simple GTK client in Common Lisp, and will definitely support gemini plain-text.

Rationale: Encapsulating TLS

TLS is the elephant in the room. It provides decent protection from spying and man-in-the-middle attacks. The TOFU approach (Trust On First Use) makes it possible for a determined adversary to insert herself into the ecosystem, since new connections are not verified at all.

TLS is pretty complicated and not like most crypto, the likelyhood of screwing up unless you _really_ know what you are doing is high. OpenSSL is a bit of a mess... There is OpenSSL with libcrypto and libssl, there is LibreSSL with libcrypto and libssl and a new libtls, and there is LibreTLS which forked from libtls...

Confusing Terminology of SSL libraries

There is another promising option: BearSSL

I have not seen a straightforward example or explanation of how to implement a TLS client with the Gemini flavor. There are a couple of applications (such as gmni) that can be reverse-engineered, but I don't have the umph right now (maybe ever?). As I stated before, TLS provides so little that spending more than 10 minutes on it seems like a waste, and knowing that I will screw something up makes me even less interested in touching it...