💾 Archived View for midnight.pub › posts › 1562 captured on 2023-12-28 at 15:24:20. Gemini links have been rewritten to link to archived content
Running down the alley towards the pub. I have just half an hour before a meeting starts and want a little shot of coffee... When turning from the Main Street I could smell weed in the air; seconds later I could hear the clonking of the graffiti spray. The person had a hoodie on, but I'm almost sure it was she12 making another add-on for the small alley. I bump in through the door. The pub is full, but calm. I take a seat at the counter.
~bartender, a ristretto inverted, and if I may pay right away.
While he does the magic, a question arises:
Have you seen DANE around here? Is it useful on Gemini, is it used in the pub?
I receive a little cup and pay. I have another look around the pub, but I know Dane is not sitting anywhere... If he were here, he would probably be standing at the door. The potion smells delicious. I have another long sniff, empty the content. Then up and to the meeting...
Tracker watches as the new patron asks a question to the crowd, hurriedly downs his drink, and rushes out the door.
After thinking for a few moments, he gets up and walks over to the bar, asking for a bit of paper and a pencil from the ~bartender. He scribbles a note on it and hands it back, asking him to pass it on to ~samo next time he comes back through the pub.
The note reads:
"All Gemini requests are TLS-encrypted, and authentication (both by servers and clients) is done using X.509 certificates. Unlike HTTPS, Gemini clients don't expect to authenticate server certificates via a CA-issued certificate chain. Instead, much like SSH, they use TOFU (Trust On First Use) authentication. This allows Gemini servers to either use CA-issued certs or (more commonly) just use self-signed certs. The biggest weakness in this security model is, of course, that if you experience a man-in-the-middle attack on your first visit to a new capsule, you'd never know. TOFU only protects you against sudden unexpected changes in the server certificate AFTER your first visit to the capsule. If I understand DANE correctly, it provides a mechanism for clients to authenticate a server certificate by checking its fingerprint against one that is co-published over DNS. That sounds like a clever, decentralized solution to TOFU's main weakness. I'm not aware of whether any Gemini clients support DANE yet though. If you know of any, please let me know. FYI, it looks like DANE is referenced as a potential added security option on top of TOFU in the official Gemini FAQ. Best of luck, and happy hacking!"
Official Gemini FAQ (see sections 4.5.5 and 4.5.6 for DANE references)
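Tracker's note describes two checks: TOFU pinning, which only catches a certificate change after the first visit, and a DANE-style comparison of the server certificate against a fingerprint published in DNS. The Python below is an added illustration, not code from this thread or from any Gemini client. It hashes constructed byte strings standing in for DER certificates and embeds the TLSA records inline rather than resolving them; a real client would fetch the TLSA record at `_1965._tcp.<host>` (Gemini's port is 1965) and would rely on DNSSEC validation of that lookup, since an unsigned TLSA answer can be forged as easily as the certificate. The host name, constants and function names are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded certificates (not real X.509).
# The checks below only ever hash the bytes, so any byte string exercises them.
GENUINE_CERT = b"DER:CN=example.capsule:genuine-self-signed"
MITM_CERT = b"DER:CN=example.capsule:attacker-substituted"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the whole certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TofuStore:
    """Trust-on-first-use pin store: host -> fingerprint seen on first visit."""
    known: dict = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        stored = self.known.get(host)
        if stored is None:
            # Nothing to compare against yet: the certificate is pinned as-is.
            # This is the blind spot the note describes.
            self.known[host] = fp
            return "first-use"
        return "match" if stored == fp else "MISMATCH"


@dataclass(frozen=True)
class TlsaRecord:
    """Fields of a DNS TLSA record as defined in RFC 6698."""
    usage: int          # 3 = DANE-EE: trust this end-entity cert directly
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: str           # hex-encoded association data


def dane_check(cert_der: bytes, records) -> bool:
    """Return True if any usable TLSA record matches the presented certificate.

    Only usage 3 (DANE-EE) with selector 0 is handled here: DANE-EE needs no
    CA chain, which matches Gemini's self-signed-certificate practice, and
    selector 1 would require an X.509 parser to extract the SPKI.
    """
    for r in records:
        if r.usage != 3 or r.selector != 0:
            continue
        if r.matching_type == 0:
            presented = cert_der.hex()
        elif r.matching_type == 1:
            presented = fingerprint(cert_der)
        elif r.matching_type == 2:
            presented = hashlib.sha512(cert_der).hexdigest()
        else:
            continue
        if presented == r.data.lower():
            return True
    return False


def visit(host: str, cert_der: bytes, tofu: TofuStore, records) -> dict:
    """Run both checks for one connection and report their verdicts."""
    return {"tofu": tofu.check(host, cert_der), "dane": dane_check(cert_der, records)}


if __name__ == "__main__":
    # Constructed scenario: the capsule owner published the genuine cert's
    # SHA-256 as a DANE-EE TLSA record; the very first connection is intercepted.
    published = [TlsaRecord(3, 0, 1, fingerprint(GENUINE_CERT))]
    store = TofuStore()
    print("first visit, intercepted:", visit("example.capsule", MITM_CERT, store, published))
    print("second visit, genuine:   ", visit("example.capsule", GENUINE_CERT, store, published))
```

On the intercepted first visit TOFU reports "first-use" and silently pins the attacker's certificate, while the DANE comparison fails; on the next, genuine connection TOFU then raises a mismatch against the wrong pin and DANE passes. That is the asymmetry the note points at: the DNS-published fingerprint gives a client something to verify before any pin exists.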