💾 Archived View for station.martinrue.com › gnuserland › a67971223b7746ee850da1af5f28a318 captured on 2023-11-14 at 10:15:24. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

👽 gnuserland

Ok this is just a pure curiosity...

But how safe would it be to do online banking on Gemini?

Just forget about authentication and let us pretend that we use a super-protected method...

Thanks 😁

2 years ago · 👍 krixano, bavarianbarbarian

10 Replies

👽 skoob

As I understand it, not only does TLS encrypt the response from the server to the client, but also the whole URL sent from the client to the server. Only the domain name is exposed to DNS to get an IP address, then the complete URL is sent encrypted to the server. This means that user input given the Gemini way (in the URL) is protected.

So yeah, it totally could be done. · 2 years ago

👽 lykso

Heh, I just realized I've been fixated on authentication when you specifically said to forget about it. 😅

Yeah, TLS is TLS, and Gemini browsers are without a doubt simpler (and therefore easier to get right) than Web browsers. · 2 years ago

👽 lykso

@stacksmith I know, 2FA via SMS is not especially secure and should be avoided in favor of TOTP or FIDO U2F if possible. Within the context of "(at least as) secure as the Web," though... yeah, most banks still offer this as an option, AFAICT it's still fairly common to use this despite the problems with it, and you could also do this with Gemini. · 2 years ago

👽 lykso

@gnuserland Why would the bank provide the certificate? Just hook your Gemini browser into your Gnome keyring or whatever interface you prefer for interacting with kernel secrets so you can use the same mechanism you use to protect your other "at rest" secrets (e.g., email passwords) to protect your client certs as well. Then, if you want 2FA and/or server-side passwords on top of (or even instead of) client certs, do the 2FA/password prompt flow, issue some single-use or time-limited tokens, and require them when requesting authenticated URLs. (Ideally they'd be single-use, per link, and time-bound, IMO.) · 2 years ago
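
A sketch of the single-use, per-link, time-bound tokens described in the reply above, added here as an example and not part of the original thread or of any Gemini server. The session identifier, the 120-second lifetime, the in-memory nonce store and the idea of carrying the token in the link are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-server secret held in memory
TOKEN_TTL = 120                       # assumption: seconds a link stays valid
USED_NONCES = {}                      # nonce -> expiry; a real server needs shared storage


def _mac(session_id, path, nonce, expires):
    # The MAC covers session and path, so a token cannot be moved to another link.
    msg = "\n".join([session_id, path, nonce, str(expires)]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, path, now=None):
    """Issue a token after the password/2FA prompt flow has succeeded."""
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_TTL
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, contains no "."
    return f"{nonce}.{expires}.{_mac(session_id, path, nonce, expires)}"


def verify_token(session_id, path, token, now=None):
    """Accept a token once, only for its own path and session, before expiry."""
    now = time.time() if now is None else now
    try:
        nonce, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False                   # malformed token
    expected = _mac(session_id, path, nonce, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                   # forged, or issued for another path/session
    if now > expires:
        return False                   # time-bound
    for old in [n for n, e in USED_NONCES.items() if e < now]:
        del USED_NONCES[old]           # forget nonces that can no longer be replayed
    if nonce in USED_NONCES:
        return False                   # single-use: this is a replay
    USED_NONCES[nonce] = expires
    return True
```
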

👽 stacksmith

2FA using phones has led to disasters in the past. · 2 years ago

👽 gnuserland

@lykso... 😂

Anyway I thought you can have access with a certificate provided by your bank, then you have to put a password, when you hit enter you receive a text with a code, you put the code and you finally log in... :D · 2 years ago

👽 lykso

I would personally love to do my banking over Gemini, if only to get away from all the horrific, browser-wrecking JavaScript crap my bank foists on me. Would have been a lot easier/possible for me to automate certain workflows as well with a simplified interface like the one Gemini offers. · 2 years ago

👽 lykso

No less safe than doing it over the web in most cases, I'd think (unless your bank offers FIDO 2FA; there's no reason Gemini clients couldn't support that, mind you, but none do presently). Perhaps safer due to the smaller client-side attack surface.

The only thing that gives me pause regarding certificate-based authentication is how client certificates are currently handled by most clients. Client certificates are generally stored unencrypted, which means that someone may steal your identity and access all your accounts just by copying this unencrypted file off your computer.

But you could still do password authentication plus 2FA via SMS or TOTP without special client code. · 2 years ago

👽 gnuserland

@bavarianbarbarian 🤣🤣🤣 · 2 years ago

👽 bavarianbarbarian

As a former paranoid Unix sysadmin I consider all IT stuff insecure; if you can avoid it, do it. I worked in nuclear power plants, for major German ISPs, bleeding edge development and so on. Trust is a weakness, anytime. · 2 years ago