💾 Archived View for mozz.us › journal › 2021-01-28.gmi captured on 2023-12-28 at 15:28:15. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

-=-=-=-=-=-=-

RE ew0k: Your Gemini Browser and Server are Probably Doing Certificates Wrong

Published 2021-01-28

Ew0k posted an excellent article about the current state of certificates in gemini.

gemini://warmedal.se/~bjorn/posts/your-gemini-browser-and-server-are-probably-doing-certificates-wrong.gmi

It's all good information that I agree with 100% from a technical standpoint. I wanted to respond to the call to action because I'm being called out as a server admin who's still using my LE certificate 😬.

And server admins: please, please, please stop using Certificate Authority certificates until this situation is sorted out. And set not-valid-after dates to at least some time in the next century. If TOFU is decided as the predominant validation scheme I suggest you never return to using Certificate Authority certificates. They just can't be guaranteed to play well with TOFU.

There's nothing to argue with the reasoning here. Rotating CA certificates don't mix well with gemini clients that implement TOFU, which is *most* gemini clients. It's insecure, it's a MITM attack vector, it's a bad UX experience.

And it's not like it would be hard for me to install a self-signed certificate either. I guess I just... don't want to play along? I think it's my way of passively protesting against TLS in general. There's too much complexity which breeds confusion. SNI, ALPN, cipher negotiation, signature algorithms, session tickets, close_notify, x509 attributes, OpenSSL, etc. I understand that solderpunk and others care about end-to-end encryption and that's fine. But for me, TLS detracts from what I really want out of the protocol. It strays too far from the radically familiar. TOFU only amplifies this by swimming upstream against established patterns from HTTPS. I haven't come around to it yet and the more I use it the less appealing it becomes.

I don't expect to accomplish anything by sticking to my LE cert. Trust on first use is here to stay in gemini, although efforts to finalize the spec might throw a wrench in this when real security experts get involved.

I'm not losing any sleep over it though. 🛌