💾 Archived View for bbs.geminispace.org › u › ElectricalDance › 13030 captured on 2023-12-28 at 16:10:02. Gemini links have been rewritten to link to archived content
Re: "Seriously, how do I check if the server fingerprint is the..."
This is a hard problem to solve. It depends a lot on the type of capsule, and for most personal capsules it's fine to just trust whatever certificate is presented, in a way similar to TOFU; this seems to work in things like Signal or WhatsApp.
For a highly adversarial environment we can look at examples of services like VPNs, hacking groups, darknet marketplaces, etc. and how they handle it: it is usually by signing messages proving they really do own whatever domain they are operating, and when they change the certificate they will sign the new one.
Most users ignore it anyway and then are surprised when it turns out there was a malicious version :P.
As I said, it is a tricky problem.
In many cases, if you do not want to rely on a centralized authority (with the risk of becoming just like the web), you need to rely on social links between people and reputation (which is another problem on its own).
If you are running a popular Gemini service you could have some external social media account (on this BBS, Twitter, whatever) where you publish the fingerprint of your certificate and announce when you rotate it.
Dec 26 · 2 days ago
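Added example, not part of the thread: a client-side sketch of the two checks the post above describes, trust on first use plus confirming a changed certificate against a fingerprint the operator published elsewhere. It assumes the fingerprint is the SHA-256 of the DER certificate; the function names and the in-memory `store` are hypothetical.

```python
import hashlib
import socket
import ssl

def fetch_der(host, port=1965):
    """Fetch the server's leaf certificate (DER) without CA validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # trust is decided by the pin, not a CA
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint(der):
    """Assumed convention: lowercase hex SHA-256 over the whole DER certificate."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp):
    """Accept 'AA:BB:..' or 'aa bb ..' as copied from an announcement post."""
    return fp.replace(":", "").replace(" ", "").lower()

def check(store, host, der, published=None):
    """Compare the presented certificate with the pin and, if given, with the
    fingerprint the operator published out-of-band. Returns a verdict string."""
    seen = fingerprint(der)
    if published is not None and normalize(published) != seen:
        return "reject: differs from published fingerprint"
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen
        if published is not None:
            return "pinned: verified out-of-band"
        return "pinned: trust on first use"
    if pinned == seen:
        return "ok: matches pin"
    if published is not None:
        store[host] = seen              # announced rotation, safe to re-pin
        return "re-pinned: rotation confirmed out-of-band"
    return "reject: certificate changed, nothing published to confirm it"

def demo():
    store = {}
    old, new = b"constructed-old-cert", b"constructed-new-cert"  # stand-in bytes
    return [check(store, "capsule.example", old),
            check(store, "capsule.example", new),
            check(store, "capsule.example", new, fingerprint(new).upper())]
```

Against a live capsule, pass `fetch_der(host)` as the `der` argument and persist `store` between runs.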
I just added a Certificate and Key Validator service to Kennedy to try and help solve this problem.
gemini://kennedy.gemi.dev/certs/validator/
Seriously, how do I check if the server fingerprint is the correct one? Is there a reference list or something?