๐พ Archived View for bbs.geminispace.org โบ u โบ drh3xx โบ 13253 captured on 2024-05-26 at 17:17:38. Gemini links have been rewritten to link to archived content
โฌ ๏ธ Previous capture (2024-05-10)
โก๏ธ Next capture (2024-06-16)
-=-=-=-=-=-=-
Could always support optional DNS verification of cert thumbprint similar to ssh key validation either with the same RR type or yet another TXT entry?
2023-12-30 ยท 5 months ago
๐ Addison ยท Dec 30 at 19:48:
If your threat model requires you to account for a highly malicious ISP that tampers with Gemini traffic, then you have bigger problems that Gemini can't solve for you.
๐ gritty ยท Dec 30 at 20:22:
I agree with the sentiments here - we have some encryption but it's not perfect, and we're not doing online banking here, so I think TOFU is good enough for this space.
๐ numb3r_station ยท Jan 02 at 00:13:
you could use a tor hidden service and asks users to bookmarks the page if this is a concern.
๐บ kotovalexarian ยท Feb 12 at 14:38:
I use the same TLS certificate by Let's Encrypt for both my website and my Gemini capsule. So clients may verify the full TLS chain. I'm not sure whether they do it, at least Amfora have already warned me that the certificate changed, but it's a problem with clients, not with the protocol or my approach.
Encryption is a hell โ Gemini encription is somewhat unusual. It relies on TOFU (trust on first use) principle. Suppose my provider is a jackass and he is implementing a MitM attack on all gemini connections, then my gemini program will not notice and all gemini capsules from this network perspective will be compromised. And if I use VPN after that, I will get warnings about certificate change. Than I have to guess where MitM attack was happened? Is it my provider messing with that, or is it a...