Archived view for midnight.pub › replies › 7113, captured on 2024-05-12 at 16:07:53.
Tracker watches as the new patron asks a question to the crowd, hurriedly downs his drink, and rushes out the door.
After thinking for a few moments, he gets up and walks over to the bar, asking for a bit of paper and a pencil from the ~bartender. He scribbles a note on it and hands it back, asking him to pass it on to ~samo next time he comes back through the pub.
The note reads:
"All Gemini requests are TLS-encrypted, and authentication (both by servers and clients) is done using X.509 certificates. Unlike HTTPS, Gemini clients don't expect to authenticate server certificates via a CA-issued certificate chain. Instead, much like SSH, they use TOFU (Trust On First Use) authentication. This allows Gemini servers to either use CA-issued certs or (more commonly) just use self-signed certs. The biggest weakness in this security model is, of course, that if you experience a man-in-the-middle attack on your first visit to a new capsule, you'd never know. TOFU only protects you against sudden unexpected changes in the server certificate AFTER your first visit to the capsule. If I understand DANE correctly, it provides a mechanism for clients to authenticate a server certificate by checking its fingerprint against one that is co-published over DNS. That sounds like a clever, decentralized solution to TOFU's main weakness. I'm not aware of whether any Gemini clients support DANE yet though. If you know of any, please let me know. FYI, it looks like DANE is referenced as a potential added security option on top of TOFU in the official Gemini FAQ. Best of luck, and happy hacking!"
Official Gemini FAQ (see sections 4.5.5 and 4.5.6 for DANE references)
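The note above describes two ways a client can decide whether to trust a capsule's certificate: TOFU (pin the fingerprint on first contact, alarm on later change) and DANE (compare the certificate against a TLSA record published in DNS). The following Python is an added example written for this thread; it is not code from the original post, the Gemini FAQ, or any Gemini client. The certificate bytes are constructed stand-ins for DER-encoded certificates, and the TLSA records are constructed in-memory rather than looked up; a real client must obtain them through a DNSSEC-validating resolver, since an unsigned TLSA answer can be forged by the same attacker who could substitute the certificate. The host name "midnight.pub" is used only as a sample key in the pin store.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded server certificates (not real certs).
CAPSULE_CERT_V1 = b"constructed-der-bytes-for-capsule-cert-v1"
CAPSULE_CERT_V2 = b"constructed-der-bytes-for-capsule-cert-v2"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate, as used for TOFU pinning."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TofuStore:
    """Known-hosts style pin store: host name -> SHA-256 fingerprint (hex)."""
    pins: dict = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            # First visit: nothing to compare against, so the cert is pinned.
            # This is exactly the window the note describes: a MITM here is invisible.
            self.pins[host] = fp
            return "trusted-on-first-use"
        if known == fp:
            return "match"
        # Fingerprint changed since the pin was taken: legitimate renewal or MITM,
        # the client cannot tell which, so it must stop and ask the user.
        return "mismatch"


@dataclass(frozen=True)
class TlsaRecord:
    """One TLSA RDATA: usage, selector, matching type, association data (RFC 6698)."""
    usage: int          # 3 = DANE-EE (pin the end-entity cert, no CA needed)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    assoc_data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TlsaRecord:
    """Decode the wire format: three one-byte fields followed by the data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return TlsaRecord(rdata[0], rdata[1], rdata[2], rdata[3:])


def tlsa_rdata_for(cert_der: bytes) -> bytes:
    """Build the DANE-EE / full-cert / SHA-256 record an operator would publish."""
    return bytes([3, 0, 1]) + hashlib.sha256(cert_der).digest()


def tlsa_matches(record: TlsaRecord, cert_der: bytes) -> bool:
    # Only DANE-EE over the full certificate is handled here; selector 1 would
    # require parsing the SubjectPublicKeyInfo out of the DER, which the
    # constructed cert bytes in this example do not contain.
    if record.usage != 3 or record.selector != 0:
        return False
    if record.matching_type == 0:
        return record.assoc_data == cert_der
    if record.matching_type == 1:
        return record.assoc_data == hashlib.sha256(cert_der).digest()
    if record.matching_type == 2:
        return record.assoc_data == hashlib.sha512(cert_der).digest()
    return False


def verify_server_cert(host: str, cert_der: bytes, store: TofuStore,
                       tlsa_records=()) -> str:
    """DANE first when (DNSSEC-validated) TLSA records exist, else fall back to TOFU."""
    if tlsa_records:
        ok = any(tlsa_matches(r, cert_der) for r in tlsa_records)
        return "dane-ok" if ok else "dane-mismatch"
    return store.check(host, cert_der)


if __name__ == "__main__":
    store = TofuStore()
    print(verify_server_cert("midnight.pub", CAPSULE_CERT_V1, store))  # first use
    print(verify_server_cert("midnight.pub", CAPSULE_CERT_V2, store))  # cert changed
    rec = parse_tlsa_rdata(tlsa_rdata_for(CAPSULE_CERT_V1))
    print(verify_server_cert("midnight.pub", CAPSULE_CERT_V1, TofuStore(), [rec]))
```

The difference between the two paths is what they can say on a first visit: the TOFU store has nothing to compare against and silently pins whatever it sees, while the DANE path can already reject a substituted certificate because the expected digest came from a second channel.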
Good thoughts. And thanks for pointing out the sections in the Gemini FAQ... The document is thorough... Still I am not able to comprehend all of the written things. But layers are unfolding and the concepts are crystallizing. I am new in this thing... How is it called?
Have just set up a machine with Debian 12 and made it remotely accessible. I'm trying to set up a server for Gemini among other things. Now the fresh computer has already several folders of nonfunctional software installed. No files are being served. Yet. I'll have another try later. And I'll try the space-age. Is it the one you have written?
~bartender two beers from the tap, and if anyone... next round is on me.