💾 Archived View for bbs.geminispace.org › u › AnoikisNomads › 13245 captured on 2024-03-21 at 20:08:49. Gemini links have been rewritten to link to archived content
@adicus I agree with you on both the dramatization and the technical comparability between SSH and Gemini.
However, I see a significant practical difference: SSH certs tend to never change for the lifetime of an endpoint; however, with so many capsules getting their certificate through Let's Encrypt / ZeroSSL or by manually choosing very short validities, certs in Gemini change a lot more often.
There is no need for this to happen, but it does; human factor, I guess. Tools like the one in Kennedy you announced the other day do help, but by nature they cure only the symptoms.
2023-12-30 · 3 months ago
👤 AnoikisNomads · Dec 30 at 15:53:
@adicus to add: I realized my last sentence can be read in several ways: I'm _extremely_ grateful for your tool and didn't mean to dismiss the efforts.
Could always support optional DNS verification of cert thumbprint similar to ssh key validation either with the same RR type or yet another TXT entry?
If your threat model requires you to account for a highly malicious ISP that tampers with Gemini traffic, then you have bigger problems that Gemini can't solve for you.
I agree with the sentiments here - we have some encryption but it's not perfect, and we're not doing online banking here, so I think TOFU is good enough for this space.
🚀 numb3r_station · Jan 02 at 00:13:
You could use a Tor hidden service and ask users to bookmark the page if this is a concern.
😺 kotovalexarian · Feb 12 at 14:38:
I use the same TLS certificate by Let's Encrypt for both my website and my Gemini capsule. So clients may verify the full TLS chain. I'm not sure whether they do it; at least Amfora has already warned me that the certificate changed, but it's a problem with clients, not with the protocol or my approach.
Encryption is a hell — Gemini encryption is somewhat unusual. It relies on the TOFU (trust on first use) principle. Suppose my provider is a jackass and he is implementing a MitM attack on all Gemini connections; then my Gemini program will not notice, and all Gemini capsules from this network perspective will be compromised. And if I use a VPN after that, I will get warnings about a certificate change. Then I have to guess where the MitM attack happened? Is it my provider messing with that, or is it a...
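Two things discussed in this thread are easy to show in code: the TOFU fingerprint store that makes a client like Amfora warn when a capsule's certificate changes, and the idea raised earlier of publishing the certificate thumbprint in DNS (SSHFP-style) so that a legitimate rotation can be told apart from a MitM. The block below is an added example written for this page; it is not code from Amfora, Kennedy, or any Gemini client. The TXT record format `v=gemini-cert; sha256=<hex>` is an assumption made up for illustration (no Gemini client or DNS RR type defines it), and the "certificates" are constructed byte strings standing in for real DER, since the fingerprint is just SHA-256 over the DER bytes either way.

```python
"""Added example (not from the thread): a minimal Gemini-style TOFU store
plus an optional DNS-published fingerprint check.

Assumptions, for illustration only:
  - the TXT record format "v=gemini-cert; sha256=<hex>" (invented here);
  - cert_der values are constructed byte strings, not real certificates.
"""
import hashlib
import time


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded.
    This is the value TOFU clients pin; a re-issued Let's Encrypt cert
    has a new key/serial, so its fingerprint changes on every rotation."""
    return hashlib.sha256(cert_der).hexdigest()


def parse_dns_fingerprint(txt: str):
    """Parse the hypothetical TXT record. Returns the hex digest or None
    when the record is absent, malformed, or not ours."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key.strip().lower()] = value.strip().lower()
    if fields.get("v") != "gemini-cert" or "sha256" not in fields:
        return None
    digest = fields["sha256"]
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        return None
    return digest


class TofuStore:
    """Maps host:port -> (fingerprint, first_seen, not_after).
    In-memory here; a real client persists this to a known-hosts-style file.
    Recording not_after lets the client treat a change after the old cert
    expired as plausible rotation rather than as a silent MitM."""

    def __init__(self):
        self.known = {}

    def check(self, host, port, cert_der, not_after, dns_txt=None, now=None):
        now = time.time() if now is None else now
        fp = fingerprint(cert_der)
        key = f"{host}:{port}"
        dns_fp = parse_dns_fingerprint(dns_txt) if dns_txt else None

        # A published fingerprint is checked first: if it matches, the pin
        # is updated and a rotation is not reported as a change. If it does
        # not match, fail hard: either the record is stale or someone is
        # in the path. (Without DNSSEC the same ISP could forge this record
        # too, which is the caveat that applies to the DNS idea itself.)
        if dns_fp is not None:
            if dns_fp == fp:
                self.known[key] = (fp, now, not_after)
                return "dns-verified"
            return "dns-mismatch"

        if key not in self.known:
            self.known[key] = (fp, now, not_after)
            return "first-use"  # TOFU: nothing to compare against yet

        old_fp, _, old_not_after = self.known[key]
        if old_fp == fp:
            return "match"

        # Changed fingerprint. Telling rotation from MitM is exactly the
        # gap described in the thread; the expiry heuristic is the best a
        # client can do without an out-of-band source of truth.
        if now > old_not_after:
            self.known[key] = (fp, now, not_after)
            return "changed-after-expiry"
        return "changed-before-expiry"  # warn loudly, do not auto-accept


def demo():
    """Walk one capsule through first use, a suspicious early change, a
    DNS-confirmed rotation, a DNS mismatch, and a post-expiry change."""
    store = TofuStore()
    cert_a = b"constructed-cert-A"  # stands in for real DER bytes
    cert_b = b"constructed-cert-B"
    day = 86400
    t0 = 1_700_000_000
    results = []
    results.append(store.check("example.org", 1965, cert_a, t0 + 90 * day, now=t0))
    results.append(store.check("example.org", 1965, cert_a, t0 + 90 * day, now=t0 + day))
    results.append(store.check("example.org", 1965, cert_b, t0 + 180 * day, now=t0 + 2 * day))
    txt = "v=gemini-cert; sha256=" + fingerprint(cert_b)
    results.append(store.check("example.org", 1965, cert_b, t0 + 180 * day, dns_txt=txt, now=t0 + 2 * day))
    results.append(store.check("example.org", 1965, cert_a, t0 + 90 * day, dns_txt=txt, now=t0 + 3 * day))
    results.append(store.check("example.org", 1965, cert_a, t0 + 90 * day, now=t0 + 200 * day))
    return results


if __name__ == "__main__":
    for step, verdict in enumerate(demo(), 1):
        print(step, verdict)
```

The "dns-mismatch" branch is a hard failure on purpose: a stale record is the operator's problem to fix, and accepting the pinned or the DNS value when they disagree would give an on-path attacker a choice of which one to satisfy. Whether the DNS answer itself can be trusted against the ISP in the scenario above depends on DNSSEC or on resolving over a path the ISP does not control, which is the same limitation the thread points out for TOFU alone.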