💾 Archived View for gemi.dev › gemini-mailing-list › 000806.gmi captured on 2023-11-14 at 09:45:33. Gemini links have been rewritten to link to archived content


[tech] Plaintext Gemini extension

Artur Honzawa <arturh (a) gmail.com>

It probably has been proposed before, but this is how I could see it
working:

Serve rot13 encoded stream in port 1964 as fallback for clients without TLS
support.

Add gemini-plaintext: schema for servers without TLS support.

Low implementation burden overall, old hardware support. Thoughts?


Stephane Bortzmeyer <stephane (a) sources.org>

On Wed, Mar 10, 2021 at 09:18:14AM +0100,
 Artur Honzawa <arturh at gmail.com> wrote 
 a message of 25 lines which said:

> Add gemini-plaintext: schema for servers without TLS support.

Each time you have two security levels (encrypted and unencrypted),
besides added complexity, you have the problem of downgrade attacks
<https://en.wikipedia.org/wiki/Downgrade_attack>. These attacks have
plagued all protocols with both an encrypted and unencrypted version
(SMTP?), that's why HTTP/3 (and Gemini!) only have one version.


Artur Honzawa <arturh (a) gmail.com>

Makes sense. Would security be impacted if clients applied TOFU and refused
to downgrade if they had previously established a secure connection?

On Wed, Mar 10, 2021 at 9:33 AM Stephane Bortzmeyer <stephane at sources.org>
wrote:

> On Wed, Mar 10, 2021 at 09:18:14AM +0100,
>  Artur Honzawa <arturh at gmail.com> wrote
>  a message of 25 lines which said:
>
> > Add gemini-plaintext: schema for servers without TLS support.
>
> Each time you have two security levels (encrypted and unencrypted),
> besides added complexity, you have the problem of downgrade attacks
> <https://en.wikipedia.org/wiki/Downgrade_attack>. These attacks have
> plagued all protocols with both an encrypted and unencrypted version
> (SMTP?), that's why HTTP/3 (and Gemini!) only have one version.
>
>


Björn Wärmedal <bjorn.warmedal (a) gmail.com>

On Wed, 10 Mar 2021 at 09:18, Artur Honzawa <arturh at gmail.com> wrote:
>
> It probably has been proposed before, but this is how I could see it working:
>
> Serve rot13 encoded stream in port 1964 as fallback for clients without TLS support.
>
> Add gemini-plaintext: schema for servers without TLS support.
>
> Low implementation burden overall, old hardware support. Thoughts?

All current gemini servers and clients support TLS, and the presence
of encryption is a cornerstone of gemini. If you don't want it you can
use gopher instead :)

Supporting old hardware is a noble goal, but I'd say that's better
achieved by building a proxy service somewhere that serves gemini
capsules over http.

Cheers,
ew0k


Artur Honzawa <arturh (a) gmail.com>

Thanks Björn, I totally get that. Nevertheless, isn't the protocol still
vulnerable to first connection MITM attacks?

On Wed, Mar 10, 2021 at 9:54 AM Björn Wärmedal <bjorn.warmedal at gmail.com>
wrote:

> On Wed, 10 Mar 2021 at 09:18, Artur Honzawa <arturh at gmail.com> wrote:
> >
> > It probably has been proposed before, but this is how I could see it
> working:
> >
> > Serve rot13 encoded stream in port 1964 as fallback for clients without
> TLS support.
> >
> > Add gemini-plaintext: schema for servers without TLS support.
> >
> > Low implementation burden overall, old hardware support. Thoughts?
>
> All current gemini servers and clients support TLS, and the presence
> of encryption is a cornerstone of gemini. If you don't want it you can
> use gopher instead :)
>
> Supporting old hardware is a noble goal, but I'd say that's better
> achieved by building a proxy service somewhere that serves gemini
> capsules over http.
>
> Cheers,
> ew0k
>


Björn Wärmedal <bjorn.warmedal (a) gmail.com>

On Wed, 10 Mar 2021 at 10:13, Artur Honzawa <arturh at gmail.com> wrote:
>
> Thanks Björn, I totally get that. Nevertheless, isn't the protocol still
> vulnerable to first connection MITM attacks?

Yup! :)

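Artur's TOFU question and Björn's answer, as an added example that is not part of the thread: a client-side pin store that refuses a hypothetical plaintext fallback once a host has been seen over TLS. It shows that the rule blocks later downgrades and certificate swaps, but cannot distinguish a genuine first contact from a first contact that an attacker already downgraded. Host names, fingerprints and decision labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Decision labels (constructed for this example).
ACCEPT = "accept"
REFUSE_DOWNGRADE = "refuse: host previously seen over TLS"
PIN_MISMATCH = "refuse: certificate fingerprint changed"
FIRST_CONTACT_PLAINTEXT = "accept-unprotected: first contact, nothing pinned yet"


@dataclass
class TofuStore:
    """Trust-on-first-use store: host -> pinned certificate fingerprint.

    A pin's presence doubles as "this host has spoken TLS before".
    """
    pins: dict = field(default_factory=dict)

    def decide(self, host: str, tls: bool, fingerprint: Optional[str] = None) -> str:
        pinned = self.pins.get(host)
        if not tls:
            # Plaintext fallback is only tolerated if we have never pinned this
            # host. On a genuine first contact the client has no way to know
            # whether TLS was stripped on the wire: that is the remaining gap.
            return REFUSE_DOWNGRADE if pinned else FIRST_CONTACT_PLAINTEXT
        if pinned is None:
            self.pins[host] = fingerprint  # first TLS contact: trust and pin
            return ACCEPT
        return ACCEPT if pinned == fingerprint else PIN_MISMATCH


def run_scenario() -> list:
    """Constructed sequence of connection attempts against one store."""
    store = TofuStore()
    return [
        # 1. First TLS contact to capsule.example: pinned and accepted.
        store.decide("capsule.example", tls=True, fingerprint="sha256:AAAA"),
        # 2. Later plaintext offer for the same host: refused (downgrade).
        store.decide("capsule.example", tls=False),
        # 3. TLS again but a different certificate: refused (pin mismatch).
        store.decide("capsule.example", tls=True, fingerprint="sha256:BBBB"),
        # 4. Plaintext offer for a host never seen before: accepted blindly,
        #    which is exactly the first-connection MITM window.
        store.decide("other.example", tls=False),
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(run_scenario(), 1):
        print(step, outcome)
```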
