💾 Archived View for ew.srht.site › en › 2022 › 20220519-re-tls-or-not.gmi captured on 2024-07-08 at 23:39:02. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2024-06-16)
-=-=-=-=-=-=-
~stacksmith has a word or two to say about gemini's use of transport layer security (TLS):
## What is wrong with TLS?
### Encrypting data is pointless:
* There is no sensitive data on the Gemini network (largely due to non-commercial nature of Gemini users.
gemini://gemini.ctrl-c.club/~stack/gemlog/2022-02-13.notls.gmi
Occasionally there have been arguments along the lines that tranport layer security (TLS) is too complicated and should be removed from gemini (and other sites, too).
I disagree.
One can definitely build a gemini server, which does not deal with TLS, like vger for example. However, vger is a filter: it accepts input on stdin and produces a response on stdout. It has no notion of the network. In order to make a running vger instance accessible from the network, one must add inetd to it, and configure it to route network requests to vger and back. This works nicely as I have detailed elsewhere, thanks to Solene for this interesting approach. If you need just that, by all means, use it.
However, in order to set up a proper gemini server, one must add another component, which will deal with gemini requests including tls, for example by adding nginx as the frontend, dealing with encryption, certificates and the like. But the thing is, this setup clearly identifies three components and how they work together. I'm not saying nginx is small or the only choice. I have it running for different reasons anyway, so I used it.
/en/2021/20211023-alpine-vger.gmi
But my content is free, why TLS then?
This argument may be technically sound. However, it depends on the definition of "free", with all the muddy corner cases that might entail. So, while my content is "freely available", and "free to copy" (I publish the link to the git repository), the state authorities of a reader might just decide otherwise. So TLS should at least hide the content in transit. This alone is not enough for such a reader. Therefore I have set up a copy of my site hosted as an onion site. So the reader can hide its IP address at least to some extent. So not serving your content via gemini including TLS or https is possibly excluding some readers. There are limits to everything, as I said.