💾 Archived View for rawtext.club › ~sloum › geminilist › 006028.gmi captured on 2023-09-28 at 16:56:54. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-11-30)
-=-=-=-=-=-=-
Phil Leblanc philanc at gmail.com
Tue Mar 9 17:36:52 GMT 2021
- - - - - - - - - - - - - - - - - - -
On Tue, Mar 9, 2021 at 7:58 AM Stephane Bortzmeyer <stephane at sources.org> wrote:
On Mon, Mar 08, 2021 at 11:35:19PM +0100,
nothien at uber.space <nothien at uber.space> wrote
Firstly, most Gemini documents are (intentionally) pretty tiny,
fitting within maybe 1 or 2 KB.
Fact-checking
<gemini://gemini.bortzmeyer.org/software/lupa/stats.gmi>:
50% of the Gemtext resources are 1,099 bytes or less
Your stats.gmi page is a great resource for this issue (among others).Very cool! Thanks for making it available.
Length-analysis prevention is not Gemini's job, it's the job of TLS.
TLS cannot do it alone, and this is why it is opt-in. Padding without
knowledge of the application is dangerous.
Given your current stats, the record padding value I suggestedpreviously (4,096) would be enough to almost eliminate the risk formore than 80% of pages and significantly reduce the risk for more than90% of pages. -- and we can agree that the one 903,321 bytes document_will_ probably be catched whatever the record padding :-)
In conclusion, it's not Gemini's responsibility to handle these kinds of
attacks.
I disagree.
I agree with you disagreeing! :-) but I think Nothien means it is notthe responsibility of the Gemini _protocol_ to handle these attacks.It should rather be the responsibility of Gemini capsule owners toconfigure reasonable record padding for the typical documents theypublish.
So I think record padding belongs more to a best practices documentthan to the spec.
Just writing this, I am wondering... with TLS 1.3, can the _client_request record padding for the server response? I will check. If itcan, at least a client could take the initiative and protect itselfeven if the server does no padding,
Cheers
Phil