💾 Archived View for rawtext.club › ~sloum › geminilist › 005945.gmi captured on 2023-11-14 at 09:44:14. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

-=-=-=-=-=-=-

<-- back to the mailing list

The protection offered by TLS in a TOFU scheme

Björn Wärmedal bjorn.warmedal at gmail.com

Fri Mar 5 09:30:30 GMT 2021

- - - - - - - - - - - - - - - - - - - 

There's been some questions on the mailing list about what sort ofprotection a TOFU scheme in certificates offers. I've written aboutthis on my gemlog a couple of times, and several people have told methat the posts are a good introduction to the subject. Therefore Ifeel confident about posting links here :)

The first one is a short and somewhat sloppy introduction tocertificate security in general. The second is a more thorough guideto TOFU as a validation scheme.

In general, TLS without any validation at all offers no significantprotection. However (and this is worth noting) it does protect data intransit from dragnet surveillance. A simple sniff of network trafficwill not reveal the paths you visit on a server, or the query stringsyou send. That's always something. Any sort of validation at alloffers more security on top of that. TOFU is not perfect, but it's alot better than no validation.

gemini://warmedal.se/~bjorn/posts/certificate-security.gmi

gemini://warmedal.se/~bjorn/posts/your-gemini-browser-and-server-are-probably-doing-certificates-wrong.gmi

Cheers,ew0k