💾 Archived View for tilde.cafe › ~stack › gemlog › 2022-02-17.attack_surface.gmi captured on 2023-07-22 at 17:26:40. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

What is the attack surface of Gemini?

Putting aside any discussions of specifics of the Gemini protocol, what is our concern about the security of the Gemini network? What evils are kept out by the walls we are building?

Again, I understand that some of us here are very protective of Gemini as it is -- myself included, believe it or not. I would also like to make sure that we don't screw up by being complacent or inflexible, or plain old foolish. It is important to keep an open discussion - even if some feel the subject is stupid, trite, or just does not align with one's ideas or goals. Lack of communication causes all kinds of disasters and unpleasantness.

And so, let us say someone wanted to do something bad here. What would it be? How can we protect ourselves? By no means an exhaustive list, just brainstorming, a couple of thoughts to be added to - perhaps by you.

Impersonation

Having a valid certificate is a pretty good way to authenticate a client or a server, but only in the sense of 'this is the same entity I've dealt with before'. This is actually not too bad, because an evildoer cannot casually pretend to be a bank or something, or MITM and impersonate an existant site. Or can they?

Certificates are just strings of bits, and can be stolen, moved, reinstalled; owners strongarmed; staff bribed or blackmailed. There are guides on Gemini for copying your certificates between machines, phones, and browsers. As far as I know, server certificates can be moved as well.

A long con can be set up far in advance. I can concoct gemChase and proxy requests to the real bank until I have enough subscribers to make it worth blowing my cover.

I could also set up a clone of warmedal's Antenna, that looks and acts exactly like the real thing. Some users may not know what the real URL should look like, and mine may look good enough. I can proxy the material at the real aggregator, while inserting subtle changes to ply my trade, whatever it may be -- gross or subtle.

New search engines are popping up. As Google proved, having a major search engine places you into the heart of the ecosystem, and allows you to do just about anything you want.

An aggregator controls the browsing habits of many users, myself included. An agregator turned evil can easily direct me to anywhere they want, and have me believe the site is real. I can even browse to the real site to read some pages, and then go to the evil version of the same site, and no alarms will ring even though I still think it's the same site!

If server certificates are short-lived and expire often, it is possible that the constant requests for a fresh TOFU with an updated certificates will cause a mental exhaustion - one will click on 'OK' and trust the certificate just because it happens all the time. Such a situation will be highly undesirable.

Ads and Monetization

I love that _it is not a thing_. Could it become a thing? If it does, it is likely to be a semi-voluntary, misguided introduction of such evil. Perhaps someone will post something about some charity they like and get paid for it if Gemini gets big enough. Maybe a banner for one of our geminaut's book will be heatedly discussed but not outright condmened - and what if it is condemned?

Remember Ethernet's 'unbreakable contracts?' They were broken pretty quickly, and the blockchain rolled back, reversing undesirable transactions as soon as it was convenient to the monied. Any objectors were ridiculed! The world was saved and those who insisted that losing money is not a reason to break trust were reminded that the casino never loses, one way or another.

I think if Gemini gets big enough there will be a call to reward content creators, a campaign, and it will sound good. Don't you want to reward your friends for providing you with such good reads? What's wrong with you, antisocial pig! Someone will make it sound like anyone resisting is a monster. Eventually the wall will break.

And again, an aggregator can cause havoc here, inserting small text ads into any apparently-good content, as linking to a cloned site will pass without an alarm. Maybe they will become successful enough to be an envy of others, providing a valuable service of proxying sites that are not always up, and selling some 'beneficial' advertising. Who knows. Others may rush to emulate, and before anyone can do much it will be game over.

Takeover

If Gemini ever becomes a valuable entity, it will be seized by one or more corporations. It will be googleized, twittered, and facebooked (ahem, metaversed I suppose) overnight.

What if google creates a Gemini proxy, for instance? Or adds gemini:// to its supported Chrome protocols? It would instantly be _the_ way to look at Gemini, with a couple of ads on the side. Game over. Maybe you will still be allowed to use Lagrange (which they may buy and make skyjake a rich slave) - but who cares about the 0.001% constituting the original Gemini cast of characters?

Data collection

Any server that gets connected to, knows and likely logs the IP addresses, client certificates presented, pages visited, and all that. If they wish to sell such data they can, and certificates provide almost absolute proof of visit (although browser fingerprints are pretty much that in http-land).

Traffic analysis by parties in the middle is readily available for Gemini communications. Details of requests and responses are veiled, but the act of connection and size of transfered data is noted. I do not know if TLS currently attempts to thwart attacks based on transfer size - it would be trivial today to build a database of all gemini pages and their sizes to identify exactly what page is being accessed with great accuracy.

DNS is still DNS. Nuff said.

Protection from opression

None is offered. The techniques listed above and others I can't even imagine exist that make all of Gemini insecure for looking at things men with guns tell you not to. Don't.

Financial Transactions

Well, assuming you have a connection with the real entity, you are reasonably safe. However, you need to make sure that is the case and you are not dealing with a fake third party. Social engineering and phishing are expected.

Hackage via browser or server

Any server presents an attack surface, and Gemini is no exception. Likewise, any client with a socket connection is an invitation to break into your system. Numerous attacks exist and will be invented in the future. We are currently experiencing a very simple URL path issue which allows casual inspection of files outside the server's perview. Others will follow.

That's all I can think of at the moment. I am sure there are others. What do you think?

index

home