💾 Archived View for bbs.geminispace.org › u › totroptof › 2574 captured on 2023-07-22 at 17:54:58. Gemini links have been rewritten to link to archived content


Re: "Has there ever been a discussion regarding use of DoH or..."

Comment in: s/Gemini

Oh right, I forgot about SNI. Wasn’t there a push at some point to move that until after key agreement?

My tin-foil-hattery has me browsing Gemini via Tor, so I was more thinking about the goal of TLS in Gemini more generally.

🚀 totroptof

2023-06-29 · 3 weeks ago

3 Later Comments ↓

☀️ mike

Yeah, I believe Mozilla (and maybe Cloudflare?) had made a push to encrypt the SNI field a few years ago and then it turned into ECH (Encrypted Client Hello). However, I just did a search on that and it doesn't seem like there's been much progress in the last few years.

It does seem like a cool thing to integrate into Gemini servers and clients, but I doubt many of them are using their own implementation of the TLS handshake. As of yet there isn't even a standard to follow, though there is a draft:

— https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni

🚀 totroptof

Yeah, I was just reading about ECH. It seems to involve a separate, pre-TLS-handshake handshake using keys fetched from DNS records. The whole use-TLS-to-encrypt-HTTP-to-encrypt-DNS-to-encrypt-pre-TLS-to-encrypt-TLS thing is a little mind-melting to me 😅

☀️ mike

It's definitely not simple :)

2023-06-30 · 3 weeks ago
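To make the "keys fetched from DNS records" step concrete, here is an added example (not code from the thread or from any Gemini client) that builds and parses the ECHConfigList a server publishes in the `ech=` parameter of its HTTPS record, following the ECHConfig layout for version 0xfe0d in draft-ietf-tls-esni. The 32-byte "public key" is a constructed placeholder, not a real X25519 key, and the names `cover.example`, `encode_ech_config`, `parse_ech_svcparam` and `select_ech_config` are this example's own. What it shows is what a client actually gets from DNS before the TLS handshake starts: a config id, an HPKE KEM and cipher suite list, the server's HPKE public key, and the `public_name` that goes into the outer, still-plaintext SNI while the real hostname is carried only inside the encrypted inner ClientHello.

```python
import base64
import struct

ECH_VERSION = 0xFE0D             # ECHConfig version in draft-ietf-tls-esni
KEM_X25519_HKDF_SHA256 = 0x0020  # HPKE KEM id (RFC 9180 registry)
KDF_HKDF_SHA256 = 0x0001         # HPKE KDF id
AEAD_AES_128_GCM = 0x0001        # HPKE AEAD id


def _vec(data, size):
    """TLS-style vector: big-endian length of `size` bytes, then the bytes."""
    return len(data).to_bytes(size, "big") + data


def _read_vec(buf, pos, size):
    """Read a TLS-style vector at `pos`; return (bytes, position after it)."""
    if pos + size > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + size], "big")
    pos += size
    if pos + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + n], pos + n


def encode_ech_config(config_id, kem_id, public_key, public_name,
                      cipher_suites=((KDF_HKDF_SHA256, AEAD_AES_128_GCM),),
                      extensions=b""):
    """Build one ECHConfig (version 0xfe0d) as a server operator would publish it."""
    suites = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in cipher_suites)
    key_config = (bytes([config_id]) + struct.pack("!H", kem_id)
                  + _vec(public_key, 2) + _vec(suites, 2))
    # maximum_name_length 0 = no padding hint; public_name is the cover SNI
    contents = (key_config + bytes([0]) + _vec(public_name.encode("ascii"), 1)
                + _vec(extensions, 2))
    return struct.pack("!H", ECH_VERSION) + _vec(contents, 2)


def ech_svcparam(configs):
    """ECHConfigList as it appears in the HTTPS record's ech= parameter (base64)."""
    return base64.b64encode(_vec(b"".join(configs), 2)).decode("ascii")


def parse_ech_svcparam(b64):
    """Parse an ech= value; unknown versions are kept but marked unusable."""
    data = base64.b64decode(b64)
    body, end = _read_vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    out, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated ECHConfig version")
        version = int.from_bytes(body[pos:pos + 2], "big")
        contents, pos = _read_vec(body, pos + 2, 2)
        if version != ECH_VERSION:
            out.append({"version": version, "usable": False})
            continue
        config_id = contents[0]
        kem_id = int.from_bytes(contents[1:3], "big")
        public_key, p = _read_vec(contents, 3, 2)
        raw_suites, p = _read_vec(contents, p, 2)
        if not raw_suites or len(raw_suites) % 4:
            raise ValueError("cipher_suites must be a non-empty multiple of 4 bytes")
        suites = [struct.unpack("!HH", raw_suites[i:i + 4])
                  for i in range(0, len(raw_suites), 4)]
        if p >= len(contents):
            raise ValueError("truncated maximum_name_length")
        max_name_len = contents[p]
        public_name, p = _read_vec(contents, p + 1, 1)
        raw_ext, p = _read_vec(contents, p, 2)
        if p != len(contents):
            raise ValueError("trailing bytes in ECHConfig contents")
        # Extension types with the high bit set are mandatory; this example knows
        # none, so any mandatory extension makes the config unusable for us.
        mandatory_unknown, q = False, 0
        while q < len(raw_ext):
            ext_type = int.from_bytes(raw_ext[q:q + 2], "big")
            _, q = _read_vec(raw_ext, q + 2, 2)
            if ext_type & 0x8000:
                mandatory_unknown = True
        out.append({"version": version, "config_id": config_id, "kem_id": kem_id,
                    "public_key": public_key, "cipher_suites": suites,
                    "maximum_name_length": max_name_len,
                    "public_name": public_name.decode("ascii"),
                    "usable": not mandatory_unknown})
    return out


def select_ech_config(configs, kems=(KEM_X25519_HKDF_SHA256,),
                      suites=((KDF_HKDF_SHA256, AEAD_AES_128_GCM),)):
    """Client side: first usable config whose KEM and one suite we support, else None."""
    for c in configs:
        if not c["usable"] or c["kem_id"] not in kems:
            continue
        for s in c["cipher_suites"]:
            if s in suites:
                return c
    return None


# Constructed sample, not a real key: 32 bytes standing in for an X25519 public key.
SAMPLE_PUBLIC_KEY = bytes(range(32))
# Two configs: one we can use, one with a P-384 KEM (0x0011) this client does not support.
SAMPLE_RECORD = ech_svcparam([
    encode_ech_config(7, KEM_X25519_HKDF_SHA256, SAMPLE_PUBLIC_KEY, "cover.example"),
    encode_ech_config(8, 0x0011, SAMPLE_PUBLIC_KEY, "cover.example"),
])

if __name__ == "__main__":
    chosen = select_ech_config(parse_ech_svcparam(SAMPLE_RECORD))
    print("outer SNI will carry:", chosen["public_name"], "config_id", chosen["config_id"])
```

When `select_ech_config` returns `None`, a real client has no ECH to offer and sends an ordinary ClientHello, so the real hostname goes back to being visible in SNI; that fallback, and the fact that the record itself had to be fetched over DNS (encrypted or not), is where the layering in the comment above comes from.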

Original Post

🌒 s/Gemini

Has there ever been a discussion regarding use of DoH or DoT for name resolution in Gemini clients? I was just thinking that the emphasis in Geminispace on single or few-tenant capsules partially neuters the confidentiality of TLS given plaintext DNS… but I guess even with encrypted DNS queries a similar issue crops up with IP addresses.

💬 totroptof · 5 comments · 2023-06-29 · 3 weeks ago