πŸ’Ύ Archived View for gemi.dev β€Ί gemini-mailing-list β€Ί 000967.gmi captured on 2024-06-16 at 15:13:25. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

Malicious Links

1. (nothien (a) uber.space)

In Gemini, the restriction that information can only be sent to a server
by performing a request is considered a feature.  However, this can
backfire by removing the need for user interaction, even when it is
absolutely necessary.  Below, I provide an example to show why this
feature, combined with the existence of malicious links, can prevent (or
at least hinder) the sole use of TLS certificates in account-based sites
on Gemini.

Consider a website, gemini://example.org, where users can set up
accounts.  It uses TLS certificates for authentication and provides
important settings through the Gemini interface.  For example, one can
delete their account by visiting a certain URL: perhaps
gemini://example.org/account/delete.  Although this makes sense, you may
already begin to understand the problem at hand.

Malicious Gemini pages (or parts thereof) can contain links to such
locations.  Depending upon the user's Gemini client configuration, it
may not show them the URL they are going to (e.g. Amfora, I think), and
they may accidentally delete their account at gemini://example.org (or
perform any other action involuntarily) this way.

Note that simple workarounds such as responding by asking the user to
type 'YES' can be avoided trivially, by adding the 'YES' to the query
string in the URL of the malicious link.

One possible workaround is to require the user to provide their password
(through a response 11) for every such action.  Presumably, the attacker
doesn't know the user's password, and so cannot craft a URL which would
delete the user's account without interaction from them.  Sites would
have to re-state the action being performed within the prompt attached
to the response 11, and give context (so the prompt may look something
like "Are you sure you want to delete the account at
gemini://example.org?  Type in your password to continue.").  However,
if the user is performing many actions which require password
verification, this is going to get irritating.  In addition, it forces
sites into using and storing passwords, even when they use TLS
certificates.

Another workaround is to require the user to provide a randomly
generated string.  For example, upon visiting
gemini://example.org/account/delete, the user is requested to type in
some words that were generated at that moment ("correct horse battery
staple") to authorize the action.  This removes the need for a password
in addition to the TLS certificate, but forces sites to keep track of
the random words for each user whenever they request such an action
(this functionality will likely have to be implemented by hand, and
there are complications like timeouts to consider).  This prevents
attackers from crafting the necessary URL, but once again performing
account-related actions through Gemini would become irritating.

It would also be possible to avoid this issue by using a special URL
format when sensitive input needs to be included.  Sites requiring
authorization (even just a 'YES' string) could use the sensitive input
response, and clients would not allow the sensitive input string to be
automatically provided (instead, the user would be required to type it
by hand).  This provides a minimal level of necessary user interaction.
Although it still suffers from the repetition problem of the above
workarounds, it seems to reduce the amount of work necessary, and
better share it between server, client, and user.  However, it would
necessitate a breaking change in protocol (or, perhaps, a new status
code and convention for 'sensitive query strings').

The reason that HTTP/HTML does not suffer from this problem is twofold.
Firstly, HTML is interactive, and so whenever such an action is
performed, the user can be interactively requested to confirm their
intention.  Secondly, when the action is performed directly (e.g. by
using HTTP POST to the relevant URL), the attacker doesn't have access
to the necessary cookies to authorize the action.  TLS certificates are
problematic in comparison because they apply for all interactions with
the site, and so automatically authorize any interaction; cookies for a
certain site are only available to the HTML/CSS/JS of that site, and so
the site can interactively verify the user's intention before
authorizing the action.  The access control with cookies also avoids the
repetition problem, and allows users to authorize once to perform
multiple actions.

With any of the above workarounds, account management on sites through
Gemini becomes difficult, both for hosters/admins and for users.  In
fact, this extends to just about any account-based interaction with any
site; for example, sites where comments can be uploaded are affected,
because a malicious link can cause an unpleasant comment to be
involuntarily submitted.

What does the Gemini community think?  How big of a problem is this?
Are there any other feasible workarounds?  Which major (and minor) sites
are affected?  Does this call for some sort of change in protocol?

~nothien

P.S: I'm not sure what ML category this fits into.  [spec], maybe?
[tech]?  No clue.

Link to individual message.

2. Jonathan McHugh (indieterminacy (a) libre.brussels)

Interesting concern.

What if a delete process required visiting (sequentially) two links?:


Would that permit users to realise somethings awry prior to making a fateful error?

====================
Jonathan McHugh
indieterminacy@libre.brussels

July 10, 2021 12:26 AM, nothien@uber.space wrote:

> In Gemini, the restriction that information can only be sent to a server
> by performing a request is considered a feature. However, this can
> backfire by removing the need for user interaction, even when it is
> absolutely necessary. Below, I provide an example to show why this
> feature, combined with the existence of malicious links, can prevent (or
> at least hinder) the sole use of TLS certificates in account-based sites
> on Gemini.
> 
> Consider a website, gemini://example.org, where users can set up
> accounts. It uses TLS certificates for authentication and provides
> important settings through the Gemini interface. For example, one can
> delete their account by visiting a certain URL: perhaps
> gemini://example.org/account/delete. Although this makes sense, you may
> already begin to understand the problem at hand.
> 
> Malicious Gemini pages (or parts thereof) can contain links to such
> locations. Depending upon the user's Gemini client configuration, it
> may not show them the URL they are going to (e.g. Amfora, I think), and
> they may accidentally delete their account at gemini://example.org (or
> perform any other action involuntarily) this way.
> 
> Note that simple workarounds such as responding by asking the user to
> type 'YES' can be avoided trivially, by adding the 'YES' to the query
> string in the URL of the malicious link.
> 
> One possible workaround is to require the user to provide their password
> (through a response 11) for every such action. Presumably, the attacker
> doesn't know the user's password, and so cannot craft a URL which would
> delete the user's account without interaction from them. Sites would
> have to re-state the action being performed within the prompt attached
> to the response 11, and give context (so the prompt may look something
> like "Are you sure you want to delete the account at
> gemini://example.org? Type in your password to continue."). However,
> if the user is performing many actions which require password
> verification, this is going to get irritating. In addition, it forces
> sites into using and storing passwords, even when they use TLS
> certificates.
> 
> Another workaround is to require the user to provide a randomly
> generated string. For example, upon visiting
> gemini://example.org/account/delete, the user is requested to type in
> some words that were generated at that moment ("correct horse battery
> staple") to authorize the action. This removes the need for a password
> in addition to the TLS certificate, but forces sites to keep track of
> the random words for each user whenever they request such an action
> (this functionality will likely have to be implemented by hand, and
> there are complications like timeouts to consider). This prevents
> attackers from crafting the necessary URL, but once again performing
> account-related actions through Gemini would become irritating.
> 
> It would also be possible to avoid this issue by using a special URL
> format when sensitive input needs to be included. Sites requiring
> authorization (even just a 'YES' string) could use the sensitive input
> response, and clients would not allow the sensitive input string to be
> automatically provided (instead, the user would be required to type it
> by hand). This provides a minimal level of necessary user interaction.
> Although it still suffers from the repetition problem of the above
> workarounds, it seems to reduce the amount of work necessary, and
> better share it between server, client, and user. However, it would
> necessitate a breaking change in protocol (or, perhaps, a new status
> code and convention for 'sensitive query strings').
> 
> The reason that HTTP/HTML does not suffer from this problem is twofold.
> Firstly, HTML is interactive, and so whenever such an action is
> performed, the user can be interactively requested to confirm their
> intention. Secondly, when the action is performed directly (e.g. by
> using HTTP POST to the relevant URL), the attacker doesn't have access
> to the necessary cookies to authorize the action. TLS certificates are
> problematic in comparison because they apply for all interactions with
> the site, and so automatically authorize any interaction; cookies for a
> certain site are only available to the HTML/CSS/JS of that site, and so
> the site can interactively verify the user's intention before
> authorizing the action. The access control with cookies also avoids the
> repetition problem, and allows users to authorize once to perform
> multiple actions.
> 
> With any of the above workarounds, account management on sites through
> Gemini becomes difficult, both for hosters/admins and for users. In
> fact, this extends to just about any account-based interaction with any
> site; for example, sites where comments can be uploaded are affected,
> because a malicious link can cause an unpleasant comment to be
> involuntarily submitted.
> 
> What does the Gemini community think? How big of a problem is this?
> Are there any other feasible workarounds? Which major (and minor) sites
> are affected? Does this call for some sort of change in protocol?
> 
> ~nothien
> 
> P.S: I'm not sure what ML category this fits into. [spec], maybe?
> [tech]? No clue.

Link to individual message.

3. Alice (lia (a) loveisanalogue.info)



On 9 July 2021 23:25:47 BST, nothien@uber.space wrote:

>The reason that HTTP/HTML does not suffer from this problem is twofold.
>Firstly, HTML is interactive, and so whenever such an action is
>performed, the user can be interactively requested to confirm their
>intention.  Secondly, when the action is performed directly (e.g. by
>using HTTP POST to the relevant URL), the attacker doesn't have access
>to the necessary cookies to authorize the action. 

HTTP does suffer from the same problem - because cookies are sent 
automatically. To prevent this HTTP requests typically use a "CSRF" token 
- an extra, random piece of text that is included in forms every time they 
are generated, and which the server tests against.

Gemini could easily use the same approach: the page that generates the 
"delete your account" link can add a random string in the query string. 
The server can then tests for the presence of that query string.

Because it's generated randomly every time the page is generated, 
attackers can't guess it. The CSRF token should have a limited life time.

:)
Alice
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Link to individual message.

4. Alice (lia (a) loveisanalogue.info)



On 10 July 2021 11:27:34 BST, Alice <lia@loveisanalogue.info> wrote:
>HTTP does suffer from the same problem - because cookies are sent
>automatically.

I should have added: a recent (ish) addition to the HTTP protocol is the 
"SameSite" attribute to cookies, which prevents CSRF attacks. However not 
all browsers currently in circulation support it, so for the time being 
web developers still need to use CSRF tokens (or not rely on cookies, if 
using client side JavaScript)

:)
Alice

Link to individual message.

5. Chris Brannon (chris (a) the-brannons.com)

nothien@uber.space writes:

> In Gemini, the restriction that information can only be sent to a server
> by performing a request is considered a feature.  However, this can
> backfire by removing the need for user interaction, even when it is
> absolutely necessary.  Below, I provide an example to show why this
> feature, combined with the existence of malicious links, can prevent (or
> at least hinder) the sole use of TLS certificates in account-based sites
> on Gemini.

I think having destructive operations (create, update, delete) running
over Gemini is probably a mistake to begin with, because it will lead
down the path of trying to build yet another application platform on top
of yet another document delivery system.  They tried that trick in the
90s.  Sadly it's still with us, and it's called the WWW.

Gemini eliminates a lot of the things that were tacked on to HTTP to
help make it useful for applications.  There's no distinction between
idempotent and not-idempotent operations, no cookies, and so forth.

Here's version 0.9 of the HTTP spec:
https://www.w3.org/Protocols/HTTP/AsImplemented.html

The family resemblance between Gemini and HTTP 0.9 is astonishing.  Take
HTTP 0.9, evolve it just a smidge, add some features, change some names,
mandate TLS, and VOILA, you get Gemini.

> Consider a website, gemini://example.org, where users can set up
> accounts.  It uses TLS certificates for authentication and provides
> important settings through the Gemini interface.  For example, one can
> delete their account by visiting a certain URL: perhaps
> gemini://example.org/account/delete.  Although this makes sense, you may
> already begin to understand the problem at hand.

If you have a site that does something more complicated than serve
documents and satisfy search requests, that's starting to look a lot
like an application.

-- 
Chris Brannon
Founder: Blind and Low Vision Unix Users Group (https://blvuug.org/).
Personal website: (https://the-brannons.com/)
Chat: IRC: teiresias on libera.chat and OFTC, XMPP: chris@chat.number89.net

Link to individual message.

6. mbays (mbays (a) sdf.org)



> Malicious Gemini pages (or parts thereof) can contain links to such
> locations.  Depending upon the user's Gemini client configuration, it
> may not show them the URL they are going to (e.g. Amfora, I think), and
> they may accidentally delete their account at gemini://example.org (or
> perform any other action involuntarily) this way.

I think you've hit the core of the problem there. I'd say this is a 
problem to deal with on the client side, not on the server side, and 
certainly not by changing the protocol. Clients should get some sort of 
explicit user authorisation before applying a client certificate to the 
destination of a cross-site link, e.g. by showing the full link, or by 
asking for confirmation.

Sometimes "cross-site" is too restrictive. To deal with multi-user sites, 
the rule should probably really be that a client certificate is only 
automatically applied to the destination of a link if it's already being 
applied at the source, because they're both below some common root where 
the certificate is active. That still leaves the case of interactive 
systems which include user-submitted links... probably that is a case 
where the system should be filtering those links server-side.

Link to individual message.

7. nervuri (nervuri (a) disroot.org)

On Fri, 2021-07-09, nothien@uber.space wrote:
> What does the Gemini community think?  How big of a problem is this?
> Are there any other feasible workarounds?  Which major (and minor) sites
> are affected?  Does this call for some sort of change in protocol?

See previous discussions:

gemini://gemini.circumlunar.space/~/fgaz/posts/2020-06-15-csrf-in-gemini/
- gemini://gemi.dev/gemini-mailing-list/messages/001698.gmi

gemini://gemini.circumlunar.space/users/solderpunk/cornedbeef/a-vision-for-
gemini-applications.gmi
- gemini://gemi.dev/gemini-mailing-list/messages/001747.gmi

Takeaways:

Server-side: mandate client certs for requests with non-trivial
consequences and use nonces (CSRF tokens) to be extra-safe (see the
first link).

Client-side: never use a client certificate when following a link from
outside the client certificate's scope, as defined in section 4.3 of the
spec.  This rule could be added to the spec itself.  Here's how the
scope is defined:

> A client certificate which is generated or loaded in response to such a
> status code has its scope bound to the same hostname as the request URL
> and to all paths below the path of the request URL path. E.g. if a
> request for gemini://example.com/foo returns status 60 and the user
> chooses to generate a new client certificate in response to this, that
> same certificate should be used for subsequent requests to
> gemini://example.com/foo, gemini://example.com/foo/bar/,
> gemini://example.com/foo/bar/baz, etc.,

Another client-side takeaway: consider Solderpunk's idea of a
"containerised" client, exemplified in [1].

Such client-side precautions should cover most cases of CSRF, except, to
quote Solderpunk:

> It is not foolproof - it cannot protect against application-internal
> CSRF attacks, e.g. some kind of multi-user application where one user
> can post text/gemini content which is rendered by another user of the
> same application.

Nonces (CSRF tokens) should be used in such instances.

[1] gemini://gemi.dev/gemini-mailing-list/messages/001771.gmi

Link to individual message.

8. nervuri (nervuri (a) disroot.org)

One more thing clients could do is be very clear about what link the
user is about to access.  Most clients are not, particularly (in my
experience) AV-98 and Amfora.  But this is understandable, as showing
the link (at least in terminal-based clients) would often require a
prompt - which I want, but it might annoy most people.  It could be a
setting, though.

Link to individual message.

9. ew.gemini (ew.gemini (a) nassur.net)

Hello,

Chris Brannon <chris@the-brannons.com> writes:

> nothien@uber.space writes:
>
>> In Gemini, the restriction that information can only be sent to a server
>> by performing a request is considered a feature.  However, this can
>> backfire by removing the need for user interaction, even when it is
>> absolutely necessary.  Below, I provide an example to show why this
>> feature, combined with the existence of malicious links, can prevent (or
>> at least hinder) the sole use of TLS certificates in account-based sites
>> on Gemini.
>
> I think having destructive operations (create, update, delete) running
> over Gemini is probably a mistake to begin with, because it will lead
> down the path of trying to build yet another application platform on top
> of yet another document delivery system.  They tried that trick in the
> 90s.  Sadly it's still with us, and it's called the WWW.

Full ACK!

~ew

-- 
Keep it simple!

Link to individual message.

10. Jonathan McHugh (indieterminacy (a) libre.brussels)

Thanks for an informative post.

Just one point of concern:

In the UK term 'nonce' was a perjorative term - its mercifully left the 
everyday lexicon. Just as the term 'fag' used to mean an 'old lady who 
picks up sticks', language moves on.

While I understand that it has a cryptographic definition, is it possible 
to have/use another term than 'nonces'?

Having grown up watching the satirical series, Brass Eye, the following 
could be featured as a comedy monologue:
 ```
A nonce introduces randomness, and sometimes time-stamping, into 
communications so that the application can verify the user. This added 
uniqueness makes it impossible for hackers to use prior communications to 
impersonate the legitimate parties for nefarious purposes.
 ```



====================
Jonathan McHugh
indieterminacy@libre.brussels

July 10, 2021 2:57 PM, "nervuri" <nervuri@disroot.org> wrote:

> On Fri, 2021-07-09, nothien@uber.space wrote:
> 
>> What does the Gemini community think? How big of a problem is this?
>> Are there any other feasible workarounds? Which major (and minor) sites
>> are affected? Does this call for some sort of change in protocol?
> 
> See previous discussions:
> 
> gemini://gemini.circumlunar.space/~/fgaz/posts/2020-06-15-csrf-in-gemini/
> - gemini://gemi.dev/gemini-mailing-list/messages/001698.gmi
> 
> gemini://gemini.circumlunar.space/users/solderpunk/cornedbeef/a-vision-fo
r-gemini-applications.gmi
> - gemini://gemi.dev/gemini-mailing-list/messages/001747.gmi
> 
> Takeaways:
> 
> Server-side: mandate client certs for requests with non-trivial
> consequences and use nonces (CSRF tokens) to be extra-safe (see the
> first link).
> 
> Client-side: never use a client certificate when following a link from
> outside the client certificate's scope, as defined in section 4.3 of the
> spec. This rule could be added to the spec itself. Here's how the
> scope is defined:
> 
>> A client certificate which is generated or loaded in response to such a
>> status code has its scope bound to the same hostname as the request URL
>> and to all paths below the path of the request URL path. E.g. if a
>> request for gemini://example.com/foo returns status 60 and the user
>> chooses to generate a new client certificate in response to this, that
>> same certificate should be used for subsequent requests to
>> gemini://example.com/foo, gemini://example.com/foo/bar/,
>> gemini://example.com/foo/bar/baz, etc.,
> 
> Another client-side takeaway: consider Solderpunk's idea of a
> "containerised" client, exemplified in [1].
> 
> Such client-side precautions should cover most cases of CSRF, except, to
> quote Solderpunk:
> 
>> It is not foolproof - it cannot protect against application-internal
>> CSRF attacks, e.g. some kind of multi-user application where one user
>> can post text/gemini content which is rendered by another user of the
>> same application.
> 
> Nonces (CSRF tokens) should be used in such instances.
> 
> [1] gemini://gemi.dev/gemini-mailing-list/messages/001771.gmi

Link to individual message.

11. (gemproj (a) suckless.anonaddy.com)

Isn't that basically what all applications (that are capable of any state
change) do essentially? Build an application layer on top of a protocol? If
you remove Gemini, you got TCP and UDP, and then IP.

If Gemini permits something but doesn't have it out of the box, people will
create another layer. It's natural I believe πŸ€·β€β™€οΈ

On Sat, 10 Jul 2021, 16:23 ew.gemini 'ew.gemini at nassur.net',
<gemproj+ew.gemini=nassur.net@suckless.anonaddy.com> wrote:

> This email was sent to gemproj@suckless.anonaddy.com from
> ew.gemini@nassur.net and has been forwarded by AnonAddy.
> To deactivate this alias copy and paste the url below into your web
> browser.
>
>
> https://app.anonaddy.com/deactivate/84c97fb7-dd72-4688-b653-188215324c2a?
signature=e4cd6fabb5144657ed72ac3c56cde019ecccfe366af0b08968536f9080c11eba
>
> -----
>
>
> Hello,
>
> Chris Brannon <chris@the-brannons.com> writes:
>
> > nothien@uber.space writes:
> >
> >> In Gemini, the restriction that information can only be sent to a server
> >> by performing a request is considered a feature.  However, this can
> >> backfire by removing the need for user interaction, even when it is
> >> absolutely necessary.  Below, I provide an example to show why this
> >> feature, combined with the existence of malicious links, can prevent (or
> >> at least hinder) the sole use of TLS certificates in account-based sites
> >> on Gemini.
> >
> > I think having destructive operations (create, update, delete) running
> > over Gemini is probably a mistake to begin with, because it will lead
> > down the path of trying to build yet another application platform on top
> > of yet another document delivery system.  They tried that trick in the
> > 90s.  Sadly it's still with us, and it's called the WWW.
>
> Full ACK!
>
> ~ew
>
> --
> Keep it simple!
>
>
>

Link to individual message.

12. ew.gemini (ew.gemini (a) nassur.net)

Hello,

gemproj@suckless.anonaddy.com writes:

>  Hello,
>
>  Chris Brannon <chris@the-brannons.com> writes:
>
>  > nothien@uber.space writes:
>  >
>  >> In Gemini, the restriction that information can only be sent to a server
>  >> by performing a request is considered a feature.  However, this can
>  >> backfire by removing the need for user interaction, even when it is
>  >> absolutely necessary.  Below, I provide an example to show why this
>  >> feature, combined with the existence of malicious links, can prevent (or
>  >> at least hinder) the sole use of TLS certificates in account-based sites
>  >> on Gemini.
>  >
>  > I think having destructive operations (create, update, delete) running
>  > over Gemini is probably a mistake to begin with, because it will lead
>  > down the path of trying to build yet another application platform on top
>  > of yet another document delivery system.  They tried that trick in the
>  > 90s.  Sadly it's still with us, and it's called the WWW.
>
>  Full ACK!
>
>  ~ew
>

> Isn't that basically what all applications (that are capable
> of any state change) do essentially? Build an application
> layer on top of a protocol? If you remove Gemini, you got TCP
> and UDP, and then IP.

>
> If Gemini permits something but doesn't have it out of the
> box, people will create another layer. It's natural I believe
> πŸ€·β€β™€οΈ

As far as I can tell, you can build anything on top of pretty
much anything sending and receiving data between two points.
However, that does not imply, it is a good idea.

gemini the protocol per se is a way to serve file content.

Apparently a lot of people think, but how can I make it do X or
Y too? And in my not so humble opinion, there are protocols
better suited for some or these things. Take "uploading" text.
There is sftp or scp at least. It requires an account on the
receiving side. Yes, well, imho that's a feature and not a
shortcoming. ymmv.


Cheers,
~ew

-- 
Keep it simple!

Link to individual message.

13. nervuri (nervuri (a) disroot.org)

On Sat, 2021-07-10, Jonathan McHugh wrote:
> While I understand that it has a cryptographic definition, is it
> possible to have/use another term than 'nonces'?

I don't know of a good alternative.  In any case, Merriam-Webster [1]
says that "nonce" is used since the 13th century with the meaning "the
one, particular, or present occasion, purpose, or use" - basically the
same as in crypto.  Urban Dictionary [2] has a 21st century definition:
"British slang for pedophile".  Rather than killing the word, I think
it's better to not allow some new regional slang affect our common use
of it.

> Having grown up watching the satirical series, Brass Eye...

I looked it up and I like it, thanks!

[1] https://www.merriam-webster.com/dictionary/nonce
[2] https://www.urbandictionary.com/define.php?term=Nonce

Link to individual message.

14. David Messer (davx8342 (a) gmail.com)

On Sun, 11 Jul 2021 at 07:30, ew.gemini <ew.gemini@nassur.net> wrote:

Apparently a lot of people think, but how can I make it do X or
> Y too? And in my not so humble opinion, there are protocols
> better suited for some or these things. Take "uploading" text.
> There is sftp or scp at least. It requires an account on the
> receiving side. Yes, well, imho that's a feature and not a
> shortcoming. ymmv.
>

I don't think that's a bad thing, speaking for myself here I could
immediately see the benefits of Gemini and I wanted to build things using
it. Were they a good fit for Gemini? Maybe not, but at its heart text is
the simplest of file types. Other protocols like NNTP and SMTP have long
had ways of dealing with that. It's not unreasonable that people might
expect Gemini to have a way of dealing with multi-line user-submitted text
content.

I live ~5 miles from one of the poorest areas in the UK. The only devices
people are likely to have access to are tablets or cell phones. SFTP is not
so much fun on those types of devices or with users from demographics who
maybe aren't old enough to remember having to FTP their content to a web
server somewhere.

If all people want for Gemini is to use other protocols to upload content,
that's absolutely fine. I'm not here to bash Gemini. Quite the opposite.
People want to add layers on top of Gemini which maybe aren't such a good
idea precisely because Gemini has highly desirable features.

davx

Link to individual message.

15. Devin Prater (r.d.t.prater (a) gmail.com)

Well, maybe Gemini browsers should add some of these other protocols so 
that users can do more, with better-suited things.
Devin Prater
r.d.t.prater@gmail.com

Https://devinprater.flounder.online

> On Jul 11, 2021, at 6:49 AM, David Messer <davx8342@gmail.com> wrote:
> 
> 
> On Sun, 11 Jul 2021 at 07:30, ew.gemini <ew.gemini@nassur.net 
<mailto:ew.gemini@nassur.net>> wrote:
> 
> Apparently a lot of people think, but how can I make it do X or
> Y too? And in my not so humble opinion, there are protocols
> better suited for some or these things. Take "uploading" text.
> There is sftp or scp at least. It requires an account on the
> receiving side. Yes, well, imho that's a feature and not a
> shortcoming. ymmv.
> 
> I don't think that's a bad thing, speaking for myself here I could 
immediately see the benefits of Gemini and I wanted to build things using 
it. Were they a good fit for Gemini? Maybe not, but at its heart text is 
the simplest of file types. Other protocols like NNTP and SMTP have long 
had ways of dealing with that. It's not unreasonable that people might 
expect Gemini to have a way of dealing with multi-line user-submitted text content.
> 
> I live ~5 miles from one of the poorest areas in the UK. The only 
devices people are likely to have access to are tablets or cell phones. 
SFTP is not so much fun on those types of devices or with users from 
demographics who maybe aren't old enough to remember having to FTP their 
content to a web server somewhere. 
> 
> If all people want for Gemini is to use other protocols to upload 
content, that's absolutely fine. I'm not here to bash Gemini. Quite the 
opposite. People want to add layers on top of Gemini which maybe aren't 
such a good idea precisely because Gemini has highly desirable features.
> 
> davx

Link to individual message.

16. Alexis (flexibeast (a) gmail.com)


Devin Prater <r.d.t.prater@gmail.com> writes:

> Well, maybe Gemini browsers should add some of these other protocols so 
that users can do more, with better-suited things.

Yes, i'm not aware of any reason why SFTP[a] functionality has to be 
presented with a command-line interface like e.g. ftp(1), or a graphical 
interface like e.g. Filezilla. Once there's a wrapper for SFTP in one's 
programming language of choice[b] - and SFTP is so well-established that 
there's more likely to be a wrapper than not - the UX can be oriented 
towards whichever group of users the dev(s) wish. And the conscious 
simplicity of Gemini protocol make its easier for different devs to create 
and maintain clients supporting different demographics.

Upthread, ~ew wrote:

> Apparently a lot of people think, but how can I make it do X or Y too? 
And in my not so humble opinion, there are protocols better suited for 
some or these things.

Fwiw, i agree. In this particular case, the fact that SFTP has an 
implementation in the OpenSSH suite means that the protocol has had many 
security-conscious people reviewing it and thinking about it - at the very 
least, far more than any new Gemini-oriented protocol for uploads is 
likely to have for quite some time. It makes sense to me to leverage a 
battle-hardened (even if not, of course, flawless) protocol, and find a 
friendly way of presenting it to non-tech users.


Alexis.


[a] SFTP rather than SCP because, as the SFTP Wikipedia page notes:

> SFTP attempts to be more platform-independent than SCP; with SCP, for 
instance, the expansion of wildcards specified by the client is up to the 
server, whereas SFTP's design avoids this problem. While SCP is most 
frequently implemented on Unix platforms, SFTP servers are commonly 
available on most platforms. The file transfer is fast in SCP when 
compared to the SFTP protocol due to the back and forth nature of SFTP 
protocol. In SFTP, the file transfer can be easily terminated without 
terminating a session like other mechanisms do.
> 
> SFTP is not FTP run over SSH, but rather a new protocol designed from 
the ground up by the IETF SECSH working group. It is sometimes confused 
with Simple File Transfer Protocol.

[b] A quick search came up with https://github.com/pkg/sftp for Go, 
https://docs.rs/ssh2/0.3.2/ssh2/index.html for Rust, 
https://pypi.org/project/pysftp/ for Python, etc.; though i don't develop 
in any of those languages, so can't comment on the quality of these wrappers.

Link to individual message.

17. Jonathan McHugh (indieterminacy (a) libre.brussels)

Sure, I get all that. I still needed to say it given its ability to 
illicit harm (careful with that axe Eugene...). Hopefully a less tainted 
descriptor will emerge.

FYI, it was frequently used as a slur against homosexuals - which is where 
the conflation really caused (potentially indelible) harm. Its not my 
history to tell and Im not sure this thread needs more introspection on this matter.

Enjoy Brass Eye (especially Drugs, Paedophiles and Decline), as well as 
its precursor, The Day Today. The people behind the series have been 
successful with many projects.


Jonathan McHugh
====================
indieterminacy@libre.brussels

July 11, 2021 1:09 PM, "nervuri" <nervuri@disroot.org> wrote:

> On Sat, 2021-07-10, Jonathan McHugh wrote:
> 
>> While I understand that it has a cryptographic definition, is it
>> possible to have/use another term than 'nonces'?
> 
> I don't know of a good alternative. In any case, Merriam-Webster [1]
> says that "nonce" is used since the 13th century with the meaning "the
> one, particular, or present occasion, purpose, or use" - basically the
> same as in crypto. Urban Dictionary [2] has a 21st century definition:
> "British slang for pedophile". Rather than killing the word, I think
> it's better to not allow some new regional slang affect our common use
> of it.
> 
>> Having grown up watching the satirical series, Brass Eye...
> 
> I looked it up and I like it, thanks!
> 
> [1] https://www.merriam-webster.com/dictionary/nonce
> [2] https://www.urbandictionary.com/define.php?term=Nonce

Link to individual message.

18. almaember (almaember (a) disroot.org)

IMO the best workaround would be to have clients ask if it should use a 
client certificate when it reaches the URL from a cross-origin link or redirect
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Link to individual message.

19. nervuri (nervuri (a) disroot.org)

On Sat, 2021-07-10, nervuri wrote:
> Client-side: never use a client certificate when following a link from
> outside the client certificate's scope, as defined in section 4.3 of the
> spec.  This rule could be added to the spec itself.

Here we go:

https://gitlab.com/gemini-specification/protocol/-/issues/37

Link to individual message.

20. mbays (mbays (a) sdf.org)



> https://gitlab.com/gemini-specification/protocol/-/issues/37

> A simple rule, roughly equivalent to SameSite=Strict, could be added to 
the spec to help prevent most instances of CSRF (Cross-Site Request 
Forgery). The rule can be something like:
> 
> When following a URI which is in scope of a client certificate from a 
page (or via a redirect) outside of that scope, clients MUST prompt the 
user to activate the client certificate for the target URI.

"MUST prompt" seems too strong to me. For redirects an explicit prompt is 
necessary, but for just following a link into the scope of a new 
certificate, I think it is sufficient if the link to be presented in a way 
which makes explicit the precise URI and what certificate would be used 
for it. (This is how diohsc works currently, and I think it's fine.)

Link to individual message.

21. nervuri (nervuri (a) disroot.org)

On Tue, 2021-07-13, mbays wrote:
> "MUST prompt" seems too strong to me. For redirects an explicit prompt
> is necessary, but for just following a link into the scope of a new
> certificate, I think it is sufficient if the link to be presented in
> a way which makes explicit the precise URI and what certificate would be
> used for it. (This is how diohsc works currently, and I think it's
> fine.)

Good point.  What we really want is for the user to be clear on "the
precise URI and what certificate would be used for it", as you said.
I think your client is unique in how it presents the two together.
Diohsc [1] looks very interesting, by the way.

OK, let's change the wording.  How about this:

"Before following a URI which is in scope of a client certificate from a
page (or via a redirect) outside of that scope, clients MUST display the
target URI and what client certificate will be used to connect to it."

We may need to go into more detail, though, since:
- multiple client certificates can be in the same scope
- one scope can be the "parent" of another in the path tree
- the rule should apply if *any* URI in the redirect chain is outside of
 the client cert's scope

[1] gemini://gemini.thegonz.net/diohsc/

Link to individual message.

22. mbays (mbays (a) sdf.org)



> "Before following a URI which is in scope of a client certificate from a 
page (or via a redirect) outside of that scope, clients MUST display the 
target URI and what client certificate will be used to connect to it."

Better. But I think "display" is still assuming too much about the client. 
What about audio-only clients? We could make it "present", but still we 
may find that it's too restrictive... what if a client wants to present 
only a shortened form of the URI, say without the scheme? Do we really 
want to say that it's in contravention of the spec? And so on.

Really, I don't think this kind of prescriptive text for the details of 
how clients should operate belongs in the spec at all.

Perhaps it would make more sense to add some general discussion about this 
issue, either to the spec or to best-practices.gmi, saying that clients 
should ensure that a client certificate is used only when it's clear that 
the user intends it to be, and pointing out these cases where it might not 
be clear (links and redirects into the scope of a certificate). Then let 
client authors decide how to implement this in whatever way makes most 
sense for their particular clients.

Link to individual message.

23. nervuri (nervuri (a) disroot.org)

On Thu, 2021-07-15, mbays wrote:
> Better. But I think "display" is still assuming too much about the
> client. What about audio-only clients? We could make it "present", but
> still we may find that it's too restrictive... what if a client wants to
> present only a shortened form of the URI, say without the scheme? Do we
> really want to say that it's in contravention of the spec? And so on.

"Display" is used throughout the spec.  I'm fine with using a more
general term like "present", but maybe a separate issue should be opened
for replacing all instances of "display".  And, yes, I do think clients
ought to include the scheme, especially those that support multiple
protocols; I don't see this as a blocker.

> Really, I don't think this kind of prescriptive text for the details of
> how clients should operate belongs in the spec at all.

That's what the specification is: prescriptive text for how clients
should operate.  If the text makes sense, we should add it, and this is
a small requirement that brings a big benefit, as with web browsers
using SameSite by default.

> Perhaps it would make more sense to add some general discussion about
> this issue, either to the spec or to best-practices.gmi, saying that
> clients should ensure that a client certificate is used only when it's
> clear that the user intends it to be, and pointing out these cases where
> it might not be clear (links and redirects into the scope of
> a certificate). Then let client authors decide how to implement this in
> whatever way makes most sense for their particular clients.

This would also be good.  As I wrote on GitLab, Β«"MUST" is what I think
makes the most sense, as it provides the most protection without any
serious downside. But if I'm wrong about that, then taking it down to
"SHOULD", or putting it into the best practices document, is still way
better than nothing.Β»

So, here's the next iteration of the text:

 Before following a URI which is in scope of a client certificate from
 a URI outside of that scope, clients MUST/SHOULD display the target
 URI and what client certificate would be used to connect to it.

 Doing this will help protect against Cross-Site Request Forgery
 (CSRF). It applies to:
   * following a link on a page
   * going through one or more redirects

We could expand on this with a short explanation of CSRF and maybe an
example.

Link to individual message.

24. Oliver Simmons (oliversimmo (a) gmail.com)

On Fri, 16 Jul 2021 at 09:55, nervuri <nervuri@disroot.org> wrote:
>
>   Before following a URI which is in scope of a client certificate from
>   a URI outside of that scope, clients MUST/SHOULD display the target
>   URI and what client certificate would be used to connect to it.
>
>   Doing this will help protect against Cross-Site Request Forgery
>   (CSRF). It applies to:
>     * following a link on a page
>     * going through one or more redirects
>

How about the following?

"A client MUST NOT make a request to a URI in the scope of a client
certificate outside the current scope, unless the user explicitly
allows the request. The client SHOULD present the full target URI to
the user."

This solves some of the issues with 'display' and makes the part about
user control more clear IMO.

Maybe it would be good to mention it's ok to make the request without
the client cert?

--
-Oliver Simmons (GoodClover)

Link to individual message.

25. Oliver Simmons (oliversimmo (a) gmail.com)

On Fri, 16 Jul 2021 at 11:45, Oliver Simmons <oliversimmo@gmail.com> wrote:
> The client SHOULD present the full target URI to the user.

Should say "full target URI and client certificate".

-- 
-Oliver Simmons (GoodClover)

Link to individual message.

26. nervuri (nervuri (a) disroot.org)

On Fri, 2021-07-16, Oliver Simmons wrote:
> How about the following?
> 
> "A client MUST NOT make a request to a URI in the scope of a client
> certificate outside the current scope, unless the user explicitly
> allows the request. The client SHOULD present the full target URI to
> the user."

Yes, I think I prefer the "MUST NOT ... unless ..." structure, but after
putting this rule in code form [1], I came away wanting a more verbose
and precise formulation.  It may seem overkill, but I think it's worth
it for the sake of clarity:

 Since each client certificate is bound to a scope, we define cross-scope
 requests as requests made by interactive clients starting at URI 1 and
 going to URI 2, where the following conditions are true:

 * URI 2 is in scope of an active client certificate;
 * URI 1 is not in that same scope;
 * the user did not explicitly input URI 2.

 Such requests can occur when following a link on a page or following
 one or more redirects.

 An interactive client MUST NOT use a client certificate when making a
 cross-scope request, unless the user explicitly allows it after being
 shown the full target URI and an indication of what client certificate
 would be used to connect to it.

 This is to protect against Cross-Scope Request Forgery (CSRF), a type
 of attack in which the user is tricked into executing unwanted actions
 in a Gemini application in which they’re currently authenticated - for
 example by following a redirect from
 `gemini://malicious.org/kittens.png` to
 `gemini://gemini.forum/account/delete`.

I would add this to the end of section 4.3.

I'll leave it at this.  When they find the time, Sean or Solderpunk can
decide whether to add this and what wording to go with.

[1] https://gitlab.com/gemini-specification/protocol/-/issues/37#note_629384688

Link to individual message.

27. mbays (mbays (a) sdf.org)



> a more verbose and precise formulation[...]

This looks good. I retract my previous objections, I think it would be 
reasonable to include this in the spec.

Link to individual message.

---

Previous Thread: Re: Gemini Digest, Vol 24, Issue 12

Next Thread: Difference between gopher and gemini?