💾 Archived View for gemi.dev › gemini-mailing-list › 000045.gmi captured on 2023-11-04 at 12:20:34. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
So I've taken Sean Conner advice and implemented a proof-of-concept
client and server (only the protocol, transport and crypto part, not
the actual file serving) in Python by replacing TLS with NaCL /
`libsodium`.
The code is available on GitHub:
https://github.com/cipriancraciun/gemini-experiments/blob/e4bbeae01a8e7
d2e393ab93317890f5c7f511b09/nacl/sources
The sources are structured as such:
On 2/29/20 8:31 PM, Ciprian Dorin Craciun wrote: > So I've taken Sean Conner advice and implemented a proof-of-concept > client and server (only the protocol, transport and crypto part, not > the actual file serving) in Python by replacing TLS with NaCL / > `libsodium`. > > The code is available on GitHub: > > https://github.com/cipriancraciun/gemini-experiments/blob/e4bbeae01a 8e7d2e393ab93317890f5c7f511b09/nacl/sources Holy crap. You wrote this in the time it took me to draft a response to your *first* email. :-) I just wanted to say: I like your ideas and applaud this tangible addition to the ecosystem. I would personally love it something simpler than TLS could be used for Gemini. I love the passion I've seen in the mailing list - it's gratifying to see others who care deeply about the same things I do. My hat's off to all of the pioneers who have written clients, servers, and content for Gemini so far. Okay, back to lurking. (I swear I'll have something substantive to add in the future.) -ratfactor
It was thus said that the Great Ciprian Dorin Craciun once stated: > So I've taken Sean Conner advice and implemented a proof-of-concept > client and server (only the protocol, transport and crypto part, not > the actual file serving) in Python by replacing TLS with NaCL / > `libsodium`. Wow. For that I thank you. Now there's something to actually look at. I do have a few questions about the code as I'm looking over it. Prepare for lots of questions. I had them for solderpunk as well. 1) I assume the 32-bit length is sent bigendian (if I understand the argument to struct.pack() and struct.unpack() correctly---I'm not a Python programmer). Why big endian? 99% of all computers on the Internet today is little endian (x86) so it seems to me that sending it little endian would be better. [1][2] 2) As I feared, this requires a more complicated implementation. solderpunk wanted a protocol that could be implemented quickly and while TLS might be a bad protocol, it at least has the feature of being widely available and largly transparent if done correctly (like libtls, part of LibreSSL, does). It handles not only the crypo portion, but the framing of data (invisibly to the rest of the application). To tell the truth, I don't know the actual bytes of the TLS portion of the protcol as that is handled for me. In fact, that's part of why HTTPS was so successful---it doesn't change the HTTP protocol at all. It just slips in between TCP and HTTP and is transparent to both. [ snip ] > I hope I haven't made too many mistakes, and I hope this is useful as > a proof-of-concept that one could replace TLS for such simpler > protocols, I know that given the self-sign certificate nature of Gemini decreases security a bit (TOFU and all that), not *all* Gemini servers are using self-signed certificates. There's at least two that I know of that use actual signed certificates (from Let's Encrypt), and for my own server, I use a signed certificate from my own CA (technically, the certificate isn't self-signed, but the CA is self-certificed). With a signed certificate, you get *some* assurance that the server you are talking to is the server you expect to be talking to, but it's still, technically, subject to a MITM attack (either at the corporate level, or at the state level---it's way less likely to come from some random hacker). What's still missing from your proof-of-concept though, is support for client certificates. Yes, you have the "transient" stuff working, but for my Gemini server, I have a second that is unavailable unless you have a signed certificate from me. Send in a certificate request, I generate the certificate and send that back, and you can access the sooperseecret portion of my site [3] (no one has done that yet; then again, I haven't exactly advertised that I would do that either). This way, I can control who has access to what on my Gemini server in a mostly stateless way (I don't have to maintain a database of userids and passwords, just pass out certificates which can be revoked if needed, and will expire after a period of my choosing). Yes, that complicated *my* end, and may complicate a client that wants to support that, but it doesn't complicate the *protocol* at all---TLS provides all the machinery for that. I'm still going over your code, but I'm not sure I can run it. For one, I don't know which version of Python (I know there are major differences between 2 and 3 and I think I only have 2.something---I don't program in Python) and I don't have libsodium install (but I do have NaCL). But again, I thank you for doing this work and giving us something tangible to look at and run. -spc [1] Okay, I happen to agree with the big endian choice, but that's because I'm biased---binary based Internet protocols are all big endian, and I have a soft spot for the Motorola CPUs of past. I've never been a fan of little endian personally. [2] I'm also asking to reflect back to you the same argument you presented with using CRLF. Your big endian choice seems to be "because that's how all Internet protocols do it". [3] gemini://gemini.conman.org/conman-labs-private/
On 3/1/2020 4:18 PM, Sean Conner wrote: > It was thus said that the Great Ciprian Dorin Craciun once stated: >> So I've taken Sean Conner advice and implemented a proof-of-concept >> client and server (only the protocol, transport and crypto part, not >> the actual file serving) in Python by replacing TLS with NaCL / >> `libsodium`. > > Wow. For that I thank you. Now there's something to actually look at. I > do have a few questions about the code as I'm looking over it. Prepare for > lots of questions. I had them for solderpunk as well. > > 1) I assume the 32-bit length is sent bigendian (if I understand the > argument to struct.pack() and struct.unpack() correctly---I'm not a Python > programmer). Why big endian? 99% of all computers on the Internet today is > little endian (x86) so it seems to me that sending it little endian would be > better. [1][2] > > 2) As I feared, this requires a more complicated implementation. solderpunk > wanted a protocol that could be implemented quickly and while TLS might be a > bad protocol, it at least has the feature of being widely available and > largly transparent if done correctly (like libtls, part of LibreSSL, does). um.... <smile>, Sean I have to call attention here to the fact that such an implementation of security isn't actually as simple as you portray in that statement, lolz... For example, just a couple of days ago you touted the libtls that you [were able to] took advantage of, as a result of developing GLV-1.12556 being written in Lua ;) In fact, you posted a tiny snippet of text showing how simple it was (in that language), lending in part, to the simplicity of a Gemini server being possible as a result of a weekend coding and beer session. On the other hand, I recall quite clearly, Michaels encyclopedic lamentations on the vagaries of attempting to acheive successful results in Python, with regards to TLS and client/transient certs, due to the horrendous state of Python libs in that regard :) Just sayin', yes, it's trivial because you chose (whether by design or inadvertantly) a framework upon which to support TLS, while in practice, the implementation for others isn't necessarily so straight-forward ;) > In fact, that's part of why HTTPS was so successful---it doesn't change > the HTTP protocol at all. It just slips in between TCP and HTTP and is > transparent to both. Again, you chose something other than Python3 to do this with :) > I know that given the self-sign certificate nature of Gemini decreases > security a bit (TOFU and all that), not *all* Gemini servers are using > self-signed certificates. There's at least two that I know of that use > actual signed certificates (from Let's Encrypt), and for my own server, I My servers are among those :) > What's still missing from your proof-of-concept though, is support for > client certificates. Yes, you have the "transient" stuff working, but for > my Gemini server, I have a second that is unavailable unless you have a > signed certificate from me. Send in a certificate request, I generate the > certificate and send that back, and you can access the sooperseecret portion > of my site [3] (no one has done that yet; then again, I haven't exactly > advertised that I would do that either). That's really kewl, but it brings to mind the notion (at least to me), that we may be painting ourselves into a corner by specifying a method of encryption in canon that precludes the possibility for allowing other methods, emerging or otherwise, that might *date* the Gemini protocol's utility moving forward. Question: Isn't it (even if non-trivial) possible, to account for other methods of encryption by the listening daemon, some servers being able to secure communications by one or another method if the upcoming clients can also support those technologies? I'm just thinking that security is a moving, and mostly reactive, rather than proactive target, but allowing for the adoption, in a proactive way, for the inclusion of developing encryption methods might be a good thing to ensure that something like Gemini isn't relegated to the boneyard when earlier methods two decades and more are eventually deprecated (Like true SSL was). > I'm still going over your code, but I'm not sure I can run it. For one, I I have no idea whether Ciprian's proof of concept can translate into viable solutions, but I'm confident that if anyone can competently evaluate the pros and cons of what he's suggesting - it is you my friend :) -- Bradley D. Thornton Manager Network Services http://NorthTech.US TEL: +1.310.421.8268
On Mon, Mar 2, 2020 at 2:18 AM Sean Conner <sean at conman.org> wrote: > 1) I assume the 32-bit length is sent bigendian (if I understand the > argument to struct.pack() and struct.unpack() correctly---I'm not a Python > programmer). Why big endian? 99% of all computers on the Internet today is > little endian (x86) so it seems to me that sending it little endian would be > better. [1][2] > > [1] Okay, I happen to agree with the big endian choice, but that's > because I'm biased---binary based Internet protocols are all big > endian, and I have a soft spot for the Motorola CPUs of past. I've > never been a fan of little endian personally. > > [2] I'm also asking to reflect back to you the same argument you > presented with using CRLF. Your big endian choice seems to be > "because that's how all Internet protocols do it". There are a couple of reasons I like big endian for protocols:
On Mon, Mar 2, 2020 at 10:36 AM Bradley D. Thornton <Bradley at northtech.us> wrote: > Question: Isn't it (even if non-trivial) possible, to account for other > methods of encryption by the listening daemon, some servers being able > to secure communications by one or another method if the upcoming > clients can also support those technologies? This is exactly what happened with SSL (at least two versions) which coexisted alongside with TLSv1.0, which then together coexisted alongside with TLSv1.1, which then all together coexisted with TLSv1.2, which now all coexist with TLSv1.3; and although everybody screams that anything under TLSv1.2 is "broken", we still haven't dropped support for TLSv1.1... :) My take is having "options" is good for "complex" things, however for simple things, like `gemini://` strives to be, having one "good-enough but simple" solution is the best. So if I were to vote I would say:
It was thus said that the Great Bradley D. Thornton once stated: > On 3/1/2020 4:18 PM, Sean Conner wrote: > > > > 2) As I feared, this requires a more complicated implementation. solderpunk > > wanted a protocol that could be implemented quickly and while TLS might be a > > bad protocol, it at least has the feature of being widely available and > > largly transparent if done correctly (like libtls, part of LibreSSL, does). > > um.... <smile>, Sean I have to call attention here to the fact that such > an implementation of security isn't actually as simple as you portray in > that statement, lolz... > > For example, just a couple of days ago you touted the libtls that you > [were able to] took advantage of, as a result of developing GLV-1.12556 > being written in Lua ;) > > In fact, you posted a tiny snippet of text showing how simple it was (in > that language), lending in part, to the simplicity of a Gemini server > being possible as a result of a weekend coding and beer session. > > On the other hand, I recall quite clearly, Michaels encyclopedic > lamentations on the vagaries of attempting to acheive successful results > in Python, with regards to TLS and client/transient certs, due to the > horrendous state of Python libs in that regard :) Do you have any links to this? I don't remember seeing any of that, and I'd be interested in reading it. > Just sayin', yes, it's trivial because you chose (whether by design or > inadvertantly) a framework upon which to support TLS, while in practice, > the implementation for others isn't necessarily so straight-forward ;) By design. I knew libtls, written by the OpenBSD people, was designed to make using TLS simple to use, and hard to use incorrectly. Since my prerred language is Lua, it was a simple matter to wrap up libtls for use in Lua and a moderate amount of work to get it working within a network event driver. I happen to agree with the OpenBSD guys that *using* crypto is too hard. I'm just sad that libtls doesn't seem to get much use. But it could be that I haven't looked hard enough. I don't know. > Question: Isn't it (even if non-trivial) possible, to account for other > methods of encryption by the listening daemon, some servers being able > to secure communications by one or another method if the upcoming > clients can also support those technologies? In general? Yes. In practice, with current implementations of TLS? I don't know, I haven't looked into it. But to remind you, I'm not the one who developed the Gemini protocol. -spc
It was thus said that the Great Ciprian Dorin Craciun once stated: > On Mon, Mar 2, 2020 at 10:36 AM Bradley D. Thornton > <Bradley at northtech.us> wrote: > > Question: Isn't it (even if non-trivial) possible, to account for other > > methods of encryption by the listening daemon, some servers being able > > to secure communications by one or another method if the upcoming > > clients can also support those technologies? > > > This is exactly what happened with SSL (at least two versions) which > coexisted alongside with TLSv1.0, which then together coexisted > alongside with TLSv1.1, which then all together coexisted with > TLSv1.2, which now all coexist with TLSv1.3; and although everybody > screams that anything under TLSv1.2 is "broken", we still haven't > dropped support for TLSv1.1... :) Because dropping support would make too many people scream. As I told a VP of the company I work for, "it doesn't make sense for our department to have two week sprints when our customer [the Monopolistic Phone Company] has two year sprints!" It took five years just to get a flag we needed added to a message. [1] -spc [1] We were able to work around it, but it wasn't pretty.
I think I'm going to bow out of the encryption talk. It's clear to me that I feel TLS is good enougn, and Ciprian doesn't (or would rather have alternatives). I'm not the creator of the Gemini protocol, so I don't have the authority to make drastic changes to the protocol. I've heard the admonintion to not roll your own crypto, and I believe that it extends to protocols as well. And as bad and complex as TLS might be, it's a standard, there are real cryptographers trying to break it, and there are multiple implementations of it available: OpenSSL and LibreSSL are two, but off the top of my head, there are also bearSSL, PolarSSL, boringSSL. and GNUTLS. And in a sense, that makes it easier to use, since these implementations *exit*. This new protocol Ciprian is designing hasn't been vetted, and I'm unaware of anyone on this list that is expert enough in crypto to fully examine it. And Ciprian wants to design a new secure protocol ... Anyway, a few comments about this message. It was thus said that the Great Ciprian Dorin Craciun once stated: > On Mon, Mar 2, 2020 at 2:18 AM Sean Conner <sean at conman.org> wrote: > > 1) I assume the 32-bit length is sent bigendian (if I understand the > > argument to struct.pack() and struct.unpack() correctly---I'm not a Python > > programmer). Why big endian? 99% of all computers on the Internet today is > > little endian (x86) so it seems to me that sending it little endian would be > > better. [1][2] > > > > [1] Okay, I happen to agree with the big endian choice, but that's > > because I'm biased---binary based Internet protocols are all big > > endian, and I have a soft spot for the Motorola CPUs of past. I've > > never been a fan of little endian personally. > > > > [2] I'm also asking to reflect back to you the same argument you > > presented with using CRLF. Your big endian choice seems to be > > "because that's how all Internet protocols do it". > > There are a couple of reasons I like big endian for protocols: > > * it is logical; for example although all integers are stored in > little endian on x86, when we write numbers in code we use "big > endian"; We use the Arabic numerals these days. It's interesting to note that the value three hundred and twenty-one is written in the order of 321 in Arabic (much like in Western countries) but Arabic itself is written right-to-left, so one could say they write their numbers in little endian format. You're just expressing a western bias---logic has nothing to do with it 8-P > * (and most importantly) when dumping a protocol capture there are no > "surprises", I read the number left to right, and if I just take the > bytes in hex and concatenate them I can get the constant, i.e. `[01 02 > 03 04]` is just `0x01020304`; And it'd be backwards for Arabic programmers. -spc
> It was thus said that the Great Bradley D. Thornton once stated: > > On 3/1/2020 4:18 PM, Sean Conner wrote: > > > > > > 2) As I feared, this requires a more complicated implementation. solderpunk > > > wanted a protocol that could be implemented quickly and while TLS might be a > > > bad protocol, it at least has the feature of being widely available and > > > largly transparent if done correctly (like libtls, part of LibreSSL, does). > > > > um.... <smile>, Sean I have to call attention here to the fact that such > > an implementation of security isn't actually as simple as you portray in > > that statement, lolz... > > > > For example, just a couple of days ago you touted the libtls that you > > [were able to] took advantage of, as a result of developing GLV-1.12556 > > being written in Lua ;) > > > > In fact, you posted a tiny snippet of text showing how simple it was (in > > that language), lending in part, to the simplicity of a Gemini server > > being possible as a result of a weekend coding and beer session. > > > > On the other hand, I recall quite clearly, Michaels encyclopedic > > lamentations on the vagaries of attempting to acheive successful results > > in Python, with regards to TLS and client/transient certs, due to the > > horrendous state of Python libs in that regard :) > > Do you have any links to this? I don't remember seeing any of that, and > I'd be interested in reading it. I believe this is referencing this post that I made a while ago [1]. Personally, I would rather have gemini:// not be encrypted at all. I know there is a subset of privacy conscious users who are super dogmatic about security and E2E encryption. This much is clear from watching the gopher community. But I am not one of those users, and that is not what excites me about the gemini protocol. [1] gemini://mozz.us/journal/2019-08-21_transient_tls_certs.gmi - mozz
It was thus said that the Great Michael Lazar once stated: > > It was thus said that the Great Bradley D. Thornton once stated: > > > > > > > On the other hand, I recall quite clearly, Michaels encyclopedic > > > lamentations on the vagaries of attempting to acheive successful results > > > in Python, with regards to TLS and client/transient certs, due to the > > > horrendous state of Python libs in that regard :) > > > > Do you have any links to this? I don't remember seeing any of that, and > > I'd be interested in reading it. > > I believe this is referencing this post that I made a while ago [1]. Ah, thanks. I'm beginning to think it's a shame that libtls isn't used more often. I know of only one other TLS implementation that has implemented libtls, and that's bearTLS (which hasn't implemented everything in libtls as of yet). It really does make using encryption with TLS easier. > Personally, I would rather have gemini:// not be encrypted at all. I know > there is a subset of privacy conscious users who are super dogmatic about > security and E2E encryption. This much is clear from watching the gopher > community. But I am not one of those users, and that is not what excites me > about the gemini protocol. I hear you. I'm not overly fond of the whole "encrypt all the things" movement myself. But hey, the only constant is change. > [1] gemini://mozz.us/journal/2019-08-21_transient_tls_certs.gmi -spc
OK, I've been doing some "light reading" about this topic, and this is what I've found out so far. (Although I think the change of adopting anything besides TLS is closer to 0 at this moment, which I would say is a shame...) #### About "pro-TLS", and "don't roll your own" [I.e. This part is a counter argument to my previous emails. I still think we can do "simpler", but I do like to be fair, and thus I'm debating myself...] :) Bellow I'll point out three articles, written by three different people (which after searching the internet seem to be knowledgeable in this domain, perhaps not Schneier / Bernstein level, but still much better than the average developer), in a time span of about 10 years. (The section we are interested in is `client-server application security`, and not `website security` because the later actually means "HTTPS security", thus TLS is mandatory, although the former completely ignores certificates, as in X.509, thus only SSH-like assumptions.)
On Tue, Mar 03, 2020 at 02:20:57PM +0200, Ciprian Dorin Craciun wrote: > (Although I think the change of adopting anything besides TLS is > closer to 0 at this moment, which I would say is a shame...) You are pretty well right about this (and I won't even argue too strongly the fact that it's kind of a shame). I really hate to do anything like shutting this line of discussion down, especially after you have already invested so much effort into implementing a proof of concept. But the truth is that I think it's too late in the game for this kind of change. Replacing TLS with *anything* else would completely break every existing piece of Gemini software, which is a non-trivial amount, written by many different people of varying degrees of continuing activity in the project. There is a very real chance that this kind of change would introduce a permanent schism between "New Gemini" and "Old Gemini" when a subset of servers (in both senses of the word) and clients were not updated. Not only would software break, but I imagine a lot of participants in the projet would be unhappy as well. I worry that the community is too small and fraile to survive what would effectively be a fork. It's possible some kind of compatibility-maintaining change could be negotiated with the use of protocol verison numbers, but I have always, and still have been, opposed to the idea of versioning Gemini, because I see this as basically negating all the effort that was put into avoiding extensibility. My intent has always been to get it right (or close enough) the first time, in a relatively short period, and then leave it fixed - more or less as per Gopher. I realise that's a tall order. The idea was that Gemini would be so simple that this would be possible. Unforseen problems requiring later changes are a symptom of overcomplication, which interferes with anticipating problems. I understand that there's a lot *not* to like about TLS. And while I absolutely understand the importance of the "don't roll your own crypto" dogma, I do also understand that it *is* a dogma, which has a stagnating effect, especially when overextended - there is a real difference between combining established and well-tested primitives into a new protocol and a totally naive person who doesn't know block ciphers from stream ciphers coming up with something truly from scratch and assuming it's good because none of the three friends they asked could break it. But all that said, even if this were the very early days of Gemini again and we could be a bit more agile in core aspects of the protocol's design, I'm not convinced I wouldn't still choose TLS. The most important argument in its favour, IMHO, is the simple fact that TLS is going to be used, studied, and improved/maintained by some of the best security people in the world for a long time to come, for reasons *entirely* unrelated to Gemini. By going with TLS, we basically get to piggy-back on all of this, for free. The moment we change to anything else, there is immediately a 90% reduction in the amount of attention being paid by anybody to our security system. That's very hard to argue against, I would say, even in the interests of simplicity. And, for what it's worth, TLS *is* getting simpler. TLS 1.3 drastically reduced the amount of different configurations which are possible. I really wanted to spec TLS 1.3 as the minimum supported for Gemini, but it's not yet supported in LibreSSL - which is itself all about simplifying TLS, so discouraging adoption of it would be counter productive on that front. This is why we have TLS 1.2 as the minimum. If it softens the blow any, I'm absolutely open to the idea of explicitly disallowing some TLS 1.2 configurations. Cheers, Solderpunk > #### About "pro-TLS", and "don't roll your own" > > [I.e. This part is a counter argument to my previous emails. I still > think we can do "simpler", but I do like to be fair, and thus I'm > debating myself...] :) > > > Bellow I'll point out three articles, written by three different > people (which after searching the internet seem to be knowledgeable in > this domain, perhaps not Schneier / Bernstein level, but still much > better than the average developer), in a time span of about 10 years. > (The section we are interested in is `client-server application > security`, and not `website security` because the later actually means > "HTTPS security", thus TLS is mandatory, although the former > completely ignores certificates, as in X.509, thus only SSH-like > assumptions.) > > * [2018] https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html > * [2015] https://gist.github.com/tqbf/be58d2d39690c3b366ad > * [2009] http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html > > > >From [2009] (although I would say it's an incomplete advice as it > doesn't say what to do next): > ~~~~ > One of the reasons OpenSSL has such a poor track record is that the > SSL protocol itself is highly complex. Certificate chains, revocation > lists, ASN.1, multiple different hashing and encryption schemes... > when you have over a hundred thousand lines of code, it's no wonder > that bugs creep in. > ~~~~ > > > >From [2015] (Colin is the author of the [2009] article): > ~~~~ > What happens when you design your own custom RSA protocol is that 1-18 > months afterward, hopefully sooner but often later, you discover that > you made a mistake and your protocol had virtually no security. That > happened to Colin, but a better example is Salt Stack. Salt managed to > deploy e=1 RSA. > > [...] > > Most of these attacks can be mitigated by hardcoding TLS 1.2+, ECDHE > and AES-GCM. That sounds tricky, and it is, but it's less tricky than > designing your own transport protocol with ECDHE and AES-GCM! > > In a custom transport scenario, you don't need to depend on CAs: you > can self-sign a certificate and ship it with your code, just like > Colin suggests you do with RSA keys. > > Avoid: designing your own encrypted transport, which is a genuinely > hard engineering problem; using TLS but in a default configuration, > like, with "curl"; using "curl", IPSEC. > ~~~~ > > > >From [2018]: > ~~~~ > In custom protocols, you don?t have to (and shouldn?t) depend on 3rd > party CAs. You don?t even have to use CAs at all (though it?s not hard > to set up your own); you can just use a whitelist of self-signed > certificates ? which is approximately what SSH does by default, and > what you?d come up with on your own. > > Since you?re doing a custom protocol, you can use the best possible > TLS cipher suites: TLS 1.2+, Curve25519, and ChaPoly. That eliminates > most attacks on TLS. The reason everyone doesn?t do this is that they > need backwards-compatibility, but in custom protocols you don?t need > that. > > [...] > > Avoid: designing your own encrypted transport, which is a genuinely > hard engineering problem; using TLS but in a default configuration, > like, with ?curl?; using ?curl?, IPSEC. > ~~~~ > > > The takeaway: if we go with TLS, let's mandate: > * TLS 1.2 with TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 > https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 > * or, TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256 > https://ciphersuite.info/cs/TLS_CHACHA20_POLY1305_SHA256 > * as for certificates only ECDSA, which seem to be available also via > Lets Encrypt; > > These options are also suggested by both Mozilla and CloudFlare: > * https://wiki.mozilla.org/Security/Server_Side_TLS > * https://developers.cloudflare.com/ssl/ssl-tls/cipher-suites > > > > > #### About the noise protocol > > I've glossed over the Noise protocol specification, however before > getting into that I've read the first link bellow: > > * https://latacora.micro.blog/factoring-the-noise/ > * https://noiseprotocol.org/noise.html (this is the actual specification); > > Basically I think the only Noise protocol instance that pertains to > `gemini://` is the `XX` exchange pattern, citing from the first link > above: > ~~~~ > XX and XK require an extra round trip before they send over the > initiator?s static key. Flip side: they have the strongest possible > privacy protection for the initiator, whose identity is only sent to > the responder after they?ve been authenticated and forward secrecy has > been established. > ~~~~ > > In fact Alexey Ermishkin together with Trevor Perrin (the original > author of the protocol) have started a project called NoiseSocket, > which basically just focuses on the the `XX` pattern. (As for > credentials, Trevor Perrin worked for WhatsApp in designing the Noise > protocol, which is still used today.) > > * https://github.com/noisesocket/spec > * https://noisesocket.org/post/1/ -- I strongly suggest reading this > document if one is interested in the Noise protocol; > > The only disadvantage with Noise (or NoiseSocket) is that given the > frame size is limited to 64K, in case of `gemini://` we need to > implement extra "chunking" for it to work for bodies. (Alternatively > we can just use it as we do TLS, namely a "stupid pipe that just > applies encryption"...) > > > > > #### The part about other alternatives > > I've found the following project that also does a "state-of-the-art" > analysis (though granted in 2015): > > * https://github.com/auditdrivencrypto/secure-channel > * https://github.com/auditdrivencrypto/secure-channel/blob/master/prior-art.md > * https://github.com/auditdrivencrypto/secure-channel/blob/master/properties.md > * https://github.com/auditdrivencrypto/secure-channel/blob/master/draft.md > * https://github.com/auditdrivencrypto/secure-channel/blob/master/draft2.md > > (I don't know his credentials, thus I would assume nothing.) > > The "state-of-the-art" is quite "high-level", but it provides a nice > starting point. The properties document is a good check-list to > analyze any proposal against. (The only issue, is that he is > interested in building a peer-to-peer network, thus at least the > public key of the server is known in advance.) > > The second draft (i.e. `draft2.md` above) is quite interesting, > although as said it does one require to know beforehand the server's > public key. > > > > > #### About my previous proposal > > I'll have to think harder about it (within my limited cryptographic > expertise), and perhaps submit it to a cryptographers community for > feedback. > > At the moment I can see only a minor privacy flaw in it: the client > discloses its identity (and proof of identity) to any server; instead > it should first wait for the server to disclose its identity (and > proof of identity) before proceeding. > > This issue stems from the fact that the `transport_prepare` function > is "symmetrical" and tries to reduce network round-trips; instead the > client could first wait for the server verifier and then send its own > (i.e. just a minor change to that function). > > Ciprian. >
On Tue, Mar 3, 2020 at 2:20 PM Ciprian Dorin Craciun <ciprian.craciun at gmail.com> wrote: > #### The part about other alternatives > > I've found the following project that also does a "state-of-the-art" > analysis (though granted in 2015): Another interesting approach is CurveCP (designed by Daniel J. Bernstein):
On Tue, Mar 3, 2020 at 9:16 PM solderpunk <solderpunk at sdf.org> wrote: > On Tue, Mar 03, 2020 at 02:20:57PM +0200, Ciprian Dorin Craciun wrote: > > > (Although I think the change of adopting anything besides TLS is > > closer to 0 at this moment, which I would say is a shame...) > > You are pretty well right about this (and I won't even argue too > strongly the fact that it's kind of a shame). > > I really hate to do anything like shutting this line of discussion down, > especially after you have already invested so much effort into > implementing a proof of concept. But the truth is that I think it's too > late in the game for this kind of change. Can I still keep this thread "open", at least to give a "theoretical" alternative? (Just talking about the alternative, although not using it, could give us an insight of what might be nice to have in a future iteration.) (I don't think I'll be posting much on this, except after I get some feedback from the cryptographers community.) > Replacing TLS with *anything* else would completely break every existing > piece of Gemini software, which is a non-trivial amount, written by many > different people of varying degrees of continuing activity in the > project. It's not like there are hundreds of client and server implementations... :) > There is a very real chance that this kind of change would > introduce a permanent schism between "New Gemini" and "Old Gemini" when > a subset of servers (in both senses of the word) and clients were not > updated. Not only would software break, but I imagine a lot of > participants in the projet would be unhappy as well. I worry that the > community is too small and fraile to survive what would effectively be a > fork. This is perhaps true; although as said, with strong consensus, I don't think that would happen. Ciprian.
On Tue, Mar 03, 2020 at 09:34:03PM +0200, Ciprian Dorin Craciun wrote: > Can I still keep this thread "open", at least to give a "theoretical" > alternative? (Just talking about the alternative, although not using > it, could give us an insight of what might be nice to have in a future > iteration.) > > (I don't think I'll be posting much on this, except after I get some > feedback from the cryptographers community.) As long as it's a reasonable amount of traffic, sure. > > Replacing TLS with *anything* else would completely break every existing > > piece of Gemini software, which is a non-trivial amount, written by many > > different people of varying degrees of continuing activity in the > > project. > > It's not like there are hundreds of client and server implementations... :) Well, no, but it's not like there's 1 or 2 either. Cheers, Solderpunk
Sean Conner <sean at conman.org> writes:
> It was thus said that the Great Ciprian Dorin Craciun once stated:
>> So I've taken Sean Conner advice and implemented a proof-of-concept
>> client and server (only the protocol, transport and crypto part, not
>> the actual file serving) in Python by replacing TLS with NaCL /
>> `libsodium`.
> 2) As I feared, this requires a more complicated implementation. solderpunk
> wanted a protocol that could be implemented quickly and while TLS might be a
> bad protocol, it at least has the feature of being widely available and
> largly transparent if done correctly (like libtls, part of LibreSSL, does).
> It handles not only the crypo portion, but the framing of data (invisibly to
> the rest of the application). To tell the truth, I don't know the actual
> bytes of the TLS portion of the protcol as that is handled for me.
If we really wanted to go down this route, Noise protocol is more
comparable to TLS than just using NaCL directly; the Python bindings
seem only about as complex to use as the Python TLS bindings. The only
thing is that Noise has libraries for 5 or 6 languages, compared to how
ubiquitous TLS is.
--
Jason McBrayer | ?Strange is the night where black stars rise,
jmcbray at carcosa.net | and strange moons circle through the skies,
| but stranger still is lost Carcosa.?
| ? Robert W. Chambers,The King in Yellow
On Tue, Mar 10, 2020 at 3:55 PM Jason McBrayer <jmcbray at carcosa.net> wrote: > If we really wanted to go down this route, Noise protocol is more > comparable to TLS than just using NaCL directly; the Python bindings > seem only about as complex to use as the Python TLS bindings. The only > thing is that Noise has libraries for 5 or 6 languages, compared to how > ubiquitous TLS is. In the interim I've documented my proposal, including a clear diagram, used functions from libsodium and an asessment:
---
Previous Thread: Is it too late to consider adding a subset of Markdown to the render spec?
Next Thread: [SPEC-CHANGE] Preformatted text, header and unordered list lines defined