💾 Archived View for rawtext.club › ~sloum › geminilist › 006883.gmi captured on 2023-09-28 at 16:37:07. Gemini links have been rewritten to link to archived content


Malicious Links

Chris Brannon chris at the-brannons.com

Sat Jul 10 12:15:03 BST 2021

- - - - - - - - - - - - - - - - - - - 

nothien at uber.space writes:

> In Gemini, the restriction that information can only be sent to a server
> by performing a request is considered a feature. However, this can
> backfire by removing the need for user interaction, even when it is
> absolutely necessary. Below, I provide an example to show why this
> feature, combined with the existence of malicious links, can prevent (or
> at least hinder) the sole use of TLS certificates in account-based sites
> on Gemini.

I think having destructive operations (create, update, delete) running over Gemini is probably a mistake to begin with, because it will lead down the path of trying to build yet another application platform on top of yet another document delivery system. They tried that trick in the 90s. Sadly it's still with us, and it's called the WWW.

Gemini eliminates a lot of the things that were tacked on to HTTP to help make it useful for applications. There's no distinction between idempotent and not-idempotent operations, no cookies, and so forth.

Here's version 0.9 of the HTTP spec: https://www.w3.org/Protocols/HTTP/AsImplemented.html

The family resemblance between Gemini and HTTP 0.9 is astonishing. Take HTTP 0.9, evolve it just a smidge, add some features, change some names, mandate TLS, and VOILA, you get Gemini.

> Consider a website, gemini://example.org, where users can set up
> accounts. It uses TLS certificates for authentication and provides
> important settings through the Gemini interface. For example, one can
> delete their account by visiting a certain URL: perhaps
> gemini://example.org/account/delete. Although this makes sense, you may
> already begin to understand the problem at hand.

If you have a site that does something more complicated than serve documents and satisfy search requests, that's starting to look a lot like an application.

-- 
Chris Brannon
Founder: Blind and Low Vision Unix Users Group (https://blvuug.org/).
Personal website: (https://the-brannons.com/)
Chat: IRC: teiresias on libera.chat and OFTC, XMPP: chris at chat.number89.net
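As an added illustration of the scenario nothien describes in the quoted text (this is example code, not code from either poster and not a description of any real Gemini server): a simulated request handler for gemini://example.org/account/delete in two versions. The Server class, the certificate fingerprint string ALICE and the nonce format are assumptions made for the example. The first version acts on the bare request, so any link to that URL, on any host, deletes the account of whoever follows it while their client presents the example.org certificate. The second version answers the bare request with a Gemini "10" INPUT prompt carrying a one-time nonce tied to that certificate and deletes only when the user types the nonce back, which restores the user interaction the bare link removed.

```python
"""Simulated Gemini account-deletion endpoint: request-as-side-effect vs. confirmed."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Constructed fixture: accounts are keyed by the client certificate
# fingerprint the server saw on the TLS connection (not a real cert).
ALICE = "sha256:0f3a...alice"


@dataclass
class Server:
    accounts: set
    pending: dict = field(default_factory=dict)  # fingerprint -> live nonce


def vulnerable_handle(server, url, client_fp):
    """Version 1: visiting the URL is all it takes.

    Any page on any host can link here; the client presents Alice's
    certificate for example.org automatically, so one click deletes her
    account. Nothing in the request proves she meant to do it.
    """
    if urlsplit(url).path != "/account/delete":
        return "51 Not found\r\n"
    if client_fp is None:
        return "60 Client certificate required\r\n"
    server.accounts.discard(client_fp)
    return "20 text/gemini\r\nAccount deleted.\r\n"


def hardened_handle(server, url, client_fp):
    """Version 2: two steps over the same URL.

    A request without a query gets a 10 INPUT prompt containing a fresh
    nonce; per the Gemini spec the client re-requests the URL with the
    typed answer URL-encoded in the query. Deletion happens only when the
    answer echoes the nonce issued to this certificate. A crafted link can
    still trigger the prompt, but it cannot carry the nonce, so it cannot
    finish the deletion without the user typing it.
    """
    parts = urlsplit(url)
    if parts.path != "/account/delete":
        return "51 Not found\r\n"
    if client_fp is None:
        return "60 Client certificate required\r\n"
    if client_fp not in server.accounts:
        return "61 Certificate not authorised\r\n"
    if not parts.query:
        nonce = secrets.token_urlsafe(16)
        server.pending[client_fp] = nonce          # one live nonce per certificate
        return f"10 Type DELETE {nonce} to confirm deleting your account\r\n"
    answer = unquote(parts.query)
    expected = server.pending.pop(client_fp, None)  # single use, whatever the outcome
    if expected is None or not hmac.compare_digest(
        answer.encode(), f"DELETE {expected}".encode()
    ):
        return "50 Confirmation did not match; nothing deleted\r\n"
    server.accounts.discard(client_fp)
    return "20 text/gemini\r\nAccount deleted.\r\n"


def legitimate_user_confirms(server, prompt_response):
    """Simulate a real client: read the nonce out of the 10 prompt and answer it."""
    nonce = prompt_response.split()[3]   # "10 Type DELETE <nonce> to confirm ..."
    url = f"gemini://example.org/account/delete?DELETE%20{nonce}"
    return hardened_handle(server, url, ALICE)


def run_scenarios():
    """Return what happens in each version when Alice follows a malicious link."""
    link = "gemini://example.org/account/delete"   # what an attacker's page links to

    v = Server(accounts={ALICE})
    vulnerable_handle(v, link, ALICE)

    h = Server(accounts={ALICE})
    prompt = hardened_handle(h, link, ALICE)                      # only a prompt
    guessed = hardened_handle(h, link + "?DELETE%20guess", ALICE)  # attacker-chosen query
    survived_guess = ALICE in h.accounts
    prompt2 = hardened_handle(h, link, ALICE)                     # user starts over
    confirmed = legitimate_user_confirms(h, prompt2)
    return {
        "vulnerable_deleted": ALICE not in v.accounts,
        "hardened_prompt_status": prompt[:2],
        "guess_status": guessed[:2],
        "survived_guess": survived_guess,
        "confirm_status": confirmed[:2],
        "deleted_after_confirm": ALICE not in h.accounts,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The nonce is consumed on the first answer, right or wrong, so a link that carries a guessed query only wastes one prompt; a production server would also expire pending nonces and log failed confirmations. Note that the hardened version still performs the deletion in response to a request, which is the only thing Gemini can do; what changes is that the request completing the action can no longer be minted by a third party.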