💾 Archived View for gemini.bunburya.eu › newsgroups › gemini › messages › ydcznrbbvc.fsf@UBEblock.ps… captured on 2024-05-26 at 15:38:20. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-03-01)

-=-=-=-=-=-=-

Initial thoughts

Message headers

From: Winston <wbe@UBEBLOCK.psr.com.invalid>

Subject: Initial thoughts

Date: Tue, 26 Oct 2021 19:32:55 -0400

Message-ID: <ydcznrbbvc.fsf@UBEblock.psr.com>

Message content

Note: I've only just read the FAQ. I have not read the protocol spec.

As partially noted in the FAQ, many of the privacy and annoyance issues

Geminii seeks to address, including popups, are caused by scripts

(mainly Javascript, but other scripts are allowed and supported) and

cookies. Geminii addresses these by not supporting scripts or cookies.

"No scripts" fixes pretty much all the annoyances.

Geminii does not support CSS or style. Given modern CSS's media query

capabilities, not supporting CSS helps protect privacy (such as device

property identification, which can be accomplished via CSS style in

several different ways).

I see that Geminii also does not allow file inclusions, so iframe

content, images, and the like aren't available. That stops web bugs.

There are, however, other methods for tracking, and I can't tell whether

Geminii addresses them.

1) Link click tracking.

Suppose you have a page of links, and the site that served that page

wishes to track which link you clicked. [In the case of Google, for

example, my impression is that they use the information about which

one you chose to improve search result order, moving the more popular

choices up in the search results.]

The typical method of doing that is what I'll call a URL redirect.

Let's say host H1 served a page of links L1, L2, L3, ... Tracking

by H1 might be accomplished by using local links of the form:

/url?q=L1&searchquery=queryID&youclicked=L1

/url?q=L2&searchquery=queryID&youclicked=L2

When you click on the link, the request goes to H1 which collects the

tracking info and redirects the client to L1, L2, ... -- a redirect

that is mostly invisible to the client, so it looks like you went

directly to the link (e.g., L1).

If Geminii allows full URI spec URLs, then '&'s are allowed and

there's nothing that would prevent this kind of tracking.

2) Misleading link labels.

One of my peeves with HTML is the ability to specify things like

[my ISP doesn't allow HTML tags, so I'm using [] instead of <>]

[a href=link1]Unrelated link2[/a]

where the text label doesn't match the link and can be arbitrarily

misleading. Phishers love this. I see that Geminii allows links and

labels. Always displaying the link URL would help, but not everyone

is going to take the time to examine the URLs, so:

Could a URL such as [I don't know Geminii link format, so I'm using

label; link here]

Wells Fargo login; https://www.wellsfargo.com.login.scammer.scam/...

(a method used by some scammers, where they put the name you expect

at the beginning of a long domain name, counting on the reader not

noticing that the URL continues with '.', not '/') work in a Geminii

document to mislead the reader?

3) Does the geminii: network protocol support the "Host: name" header?

The "Host: name" header is used to support multiple virtual hosts

with just a single IP address, including running a single server for

all the hosts.

Just some initial thoughts,

-WBE

Related

Parent:

FAQ: Project Gemini (by Jason Evans <jsevans@mailfence.com> on Tue, 26 Oct 2021 19:37:07 -0000 (UTC))

Children:

Re: Initial thoughts (by Winston <wbe@UBEBLOCK.psr.com.invalid> on Fri, 03 Dec 2021 13:21:51 -0500)