
[tech] Plaintext Gemini extension

1. Artur Honzawa (arturh (a) gmail.com)

It probably has been proposed before, but this is how I could see it
working:

Serve rot13 encoded stream in port 1964 as fallback for clients without TLS
support.

Add gemini-plaintext: schema for servers without TLS support.

Low implementation burden overall, old hardware support. Thoughts?


2. Stephane Bortzmeyer (stephane (a) sources.org)

On Wed, Mar 10, 2021 at 09:18:14AM +0100,
 Artur Honzawa <arturh@gmail.com> wrote
 a message of 25 lines which said:

> Add gemini-plaintext: schema for servers without TLS support.

Each time you have two security levels (encrypted and unencrypted),
besides added complexity, you have the problem of downgrade attacks
<https://en.wikipedia.org/wiki/Downgrade_attack>. These attacks have
plagued all protocols with both an encrypted and unencrypted version
(SMTP…), that's why HTTP/3 (and Gemini!) only have one version.


3. Artur Honzawa (arturh (a) gmail.com)

Makes sense. Would security be impacted if clients applied TOFU and refused
to downgrade if they had previously established a secure connection?

On Wed, Mar 10, 2021 at 9:33 AM Stephane Bortzmeyer <stephane@sources.org>
wrote:

> On Wed, Mar 10, 2021 at 09:18:14AM +0100,
>  Artur Honzawa <arturh@gmail.com> wrote
>  a message of 25 lines which said:
>
> > Add gemini-plaintext: schema for servers without TLS support.
>
> Each time you have two security levels (encrypted and unencrypted),
> besides added complexity, you have the problem of downgrade attacks
> <https://en.wikipedia.org/wiki/Downgrade_attack>. These attacks have
> plagued all protocols with both an encrypted and unencrypted version
> (SMTP…), that's why HTTP/3 (and Gemini!) only have one version.
>
>

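Added illustration (not code from the thread or from any Gemini project) of the client policy Artur asks about: a TOFU pin store that records the certificate seen on first TLS contact and then refuses a fall back to the hypothetical gemini-plaintext scheme for that host. The scheme names, the decision strings and the example hosts and fingerprints are assumptions made for this example.

```python
# Added example, not part of the mailing-list thread: a minimal TOFU pin store
# that refuses to downgrade to the proposed plaintext scheme once a host has
# been reached over TLS. Scheme names and decision strings are assumptions.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PinStore:
    # host -> fingerprint of the certificate seen on first TLS contact
    pins: Dict[str, str] = field(default_factory=dict)

    def decide(self, host: str, scheme: str, fingerprint: Optional[str] = None) -> str:
        """Decide whether a connection attempt may proceed.

        scheme is "gemini" (TLS, fingerprint required) or "gemini-plaintext"
        (the proposed no-TLS fallback, which carries no fingerprint).
        """
        pinned = self.pins.get(host)
        if scheme == "gemini":
            if fingerprint is None:
                raise ValueError("TLS connection without certificate fingerprint")
            if pinned is None:
                # Trust on first use: whatever certificate shows up now is pinned,
                # so an interceptor present at this moment gets pinned as well.
                self.pins[host] = fingerprint
                return "accept-tofu"
            return "accept" if pinned == fingerprint else "reject-cert-changed"
        if scheme == "gemini-plaintext":
            # Refuse to downgrade: this host has already been reached over TLS.
            if pinned is not None:
                return "reject-downgrade"
            # No TLS history for the host: nothing to compare against.
            return "accept-plaintext"
        raise ValueError(f"unknown scheme: {scheme}")


def run(events: List[Tuple[str, str, Optional[str]]]) -> List[str]:
    """Replay connection attempts against a fresh store; return the decisions."""
    store = PinStore()
    return [store.decide(*event) for event in events]


if __name__ == "__main__":
    # Constructed scenario: honest TLS first, then an attempted plaintext downgrade,
    # then a TLS connection presenting a different certificate.
    for decision in run([("example.org", "gemini", "sha256:AAAA"),
                         ("example.org", "gemini-plaintext", None),
                         ("example.org", "gemini", "sha256:BBBB")]):
        print(decision)
```

The first-contact gap discussed later in the thread is visible in the "accept-tofu" branch: the store has nothing to check the first certificate against, so the policy only protects connections after that.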

4. Björn Wärmedal (bjorn.warmedal (a) gmail.com)

On Wed, 10 Mar 2021 at 09:18, Artur Honzawa <arturh@gmail.com> wrote:
>
> It probably has been proposed before, but this is how I could see it working:
>
> Serve rot13 encoded stream in port 1964 as fallback for clients without TLS support.
>
> Add gemini-plaintext: schema for servers without TLS support.
>
> Low implementation burden overall, old hardware support. Thoughts?

All current gemini servers and clients support TLS, and the presence
of encryption is a cornerstone of gemini. If you don't want it you can
use gopher instead :)

Supporting old hardware is a noble goal, but I'd say that's better
achieved by building a proxy service somewhere that serves gemini
capsules over http.

Cheers,
ew0k


5. Artur Honzawa (arturh (a) gmail.com)

Thanks Björn, I totally get that. Nevertheless, isn't the protocol still
vulnerable to first connection MITM attacks?

On Wed, Mar 10, 2021 at 9:54 AM Björn Wärmedal <bjorn.warmedal@gmail.com>
wrote:

> On Wed, 10 Mar 2021 at 09:18, Artur Honzawa <arturh@gmail.com> wrote:
> >
> > It probably has been proposed before, but this is how I could see it
> working:
> >
> > Serve rot13 encoded stream in port 1964 as fallback for clients without
> TLS support.
> >
> > Add gemini-plaintext: schema for servers without TLS support.
> >
> > Low implementation burden overall, old hardware support. Thoughts?
>
> All current gemini servers and clients support TLS, and the presence
> of encryption is a cornerstone of gemini. If you don't want it you can
> use gopher instead :)
>
> Supporting old hardware is a noble goal, but I'd say that's better
> achieved by building a proxy service somewhere that serves gemini
> capsules over http.
>
> Cheers,
> ew0k
>


6. Björn Wärmedal (bjorn.warmedal (a) gmail.com)

On Wed, 10 Mar 2021 at 10:13, Artur Honzawa <arturh@gmail.com> wrote:
>
> Thanks Björn, I totally get that. Nevertheless, isn't the protocol still
> vulnerable to first connection MITM attacks?

Yup! :)

