💾 Archived View for bbs.geminispace.org › s › Gemini › 2541 captured on 2023-07-22 at 17:06:32. Gemini links have been rewritten to link to archived content
Has there ever been a discussion regarding use of DoH or DoT for name resolution in Gemini clients? I was just thinking that the emphasis in Geminispace on single or few-tenant capsules partially neuters the confidentiality of TLS given plaintext DNS… but I guess even with encrypted DNS queries a similar issue crops up with IP addresses.
2023-06-29 · 3 weeks ago
You can set up some operating systems to use DoT for everything, but there are still issues with privacy as you mentioned. Besides IP addresses the Client Hello (SNI) includes the server name in plaintext. A VPN is probably the most effective thing to use if you're concerned about privacy.
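As an added illustration of the SNI point (this is not code from the thread; the record is constructed inline rather than captured), the snippet below builds a minimal TLS ClientHello for a hypothetical capsule name and then parses the server_name back out the way a passive monitor on the path would, without touching any key material:

```python
import struct

def build_client_hello(server_name=None):
    """Constructed sample ClientHello record (TLS record + handshake framing).
    With server_name=None no extensions block is emitted at all."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack(">H", len(host)) + host      # name_type host_name(0)
        sni_ext = struct.pack(">HH", 0, len(sni_list) + 2) + struct.pack(">H", len(sni_list)) + sni_list
        exts = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32       # client_version + 32-byte random (zeros: constructed)
            + b"\x00"                          # session_id length 0
            + b"\x00\x02\x13\x01"              # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                      # one compression method: null
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs           # ContentType handshake(22)

def extract_sni(record):
    """Return the plaintext server_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack(">H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None
        p = 2 + 32                                                     # skip version + random
        p += 1 + body[p]                                               # session_id
        p += 2 + struct.unpack(">H", body[p:p + 2])[0]                 # cipher_suites
        p += 1 + body[p]                                               # compression_methods
        if p >= len(body):
            return None                                                # no extensions at all
        ext_len = struct.unpack(">H", body[p:p + 2])[0]
        p, end = p + 2, p + 2 + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", body[p:p + 4])
            p += 4
            if etype == 0:                                             # server_name extension
                q = p + 2                                              # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = body[q], struct.unpack(">H", body[q + 1:q + 3])[0]
                    if ntype == 0:
                        return body[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```

Running `extract_sni(build_client_hello("example.capsule.test"))` on the constructed record yields the name in the clear, which is exactly what a sniffer between client and capsule sees before any encryption starts.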
Oh right, I forgot about SNI. Wasn’t there a push at some point to move that until after key agreement?
My tin-foil-hattery has me browsing Gemini via Tor, so I was more thinking about the goal of TLS in Gemini more generally.
Yeah, I believe Mozilla (and maybe Cloudflare?) had made a push to encrypt the SNI field a few years ago and then it turned into ECH (Encrypted Client Hello). However, I just did a search on that, and it doesn't seem like there's been much progress in the last few years.
It does seem like a cool thing to integrate into Gemini servers and clients, but I doubt many of them are using their own implementation of the TLS handshake. As of yet there isn't even a standard to follow, though there is a draft:
— https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni
Yeah, I was just reading about ECH. It seems to involve a separate, pre-TLS-handshake handshake using keys fetched from DNS records. The whole use-TLS-to-encrypt-HTTP-to-encrypt-DNS-to-encrypt-pre-TLS-to-encrypt-TLS thing is a little mind-melting to me 😅
It's definitely not simple :)
2023-06-30 · 3 weeks ago