💾 Archived View for gemi.dev › gemini-mailing-list › 000163.gmi captured on 2024-08-31 at 16:02:08. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-12-28)
-=-=-=-=-=-=-
Hey, I've been following Gemini from afar, that's a really cool project you've got! I'm curious about the threat model with gemini and how we can increase security in ways that are not user-hostile, and do not concentrate power in the hands of third parties. A TOFU approach to certificates (trust on first use, i.e. blind trust) can be easier to deal with, but strongly lacks any security guarantee. Especially, so far user agents of all sorts have been terrible at making a UX to inspect and verify server/peer certificates, so i think it's not so good. DANE is a RFC that describes how to distribute TLS public keys over the DNS (+ DNSSEC). It consists of TLSA records containing the server's public key, which can also be CNAME'd to, like in the example in the spec: example.com. IN MX 0 mx1.example.com. example.com. IN MX 0 mx2.example.com. _25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com. _25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com. tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c149a... Using DANE to distribute certificates reduces the attack surface, because the DNS is already a SPOF for a gemini server. I personally believe the gemini spec should strongly encourage admins to use DANE to distribute their server certificates. A different approach to this problem is the GNU Name System, which is a DNS-compatible, fully autonomous and secure naming system: https://datatracker.ietf.org/doc/draft-schanzen-gns/ GNS has much stronger security guarantees than DNSSEC, which is ideal for bootstrapping a secure connection to a remote server. It's also entirely decentralized and name seizures are made impossible by introducing cryptographic forms of zone delegation (instead of IP-based delegation as DNS does). I would recommend people investigate it, because interpersonal concerns set aside, GNS is in my view the best proposal for a secure, censorship-free naming system. There was a presentation at ICANN about GNS, which you can view here: https://git.gnunet.org/gnunet-videos-2019.git/plain/ICANN66/GNU_Name_System _-_2019_ICANN66__Martin_Schanzenbach.webm I hope this message brings you food for thought. Long live the free internet, burn all prisons and borders!
southerntofu at thunix.net writes: > Using DANE to distribute certificates reduces the attack surface, because the > DNS is already a SPOF for a gemini server. I personally believe the gemini spec > should strongly encourage admins to use DANE to distribute their server > certificates. Could you provide a minimal sample implementation of how a client would implement this? Just to demonstrate feasibility and to provide a guide to other client authors? -- +-----------------------------------------------------------+ | Jason F. McBrayer jmcbray at carcosa.net | | If someone conquers a thousand times a thousand others in | | battle, and someone else conquers himself, the latter one | | is the greatest of all conquerors. --- The Dhammapada |
On Fri, May 29, 2020 at 04:29:46AM -0400, southerntofu at thunix.net wrote: > Hey, Hey! I'm too bummed out over this data:// URL nonsense to give a detailed response to this right now, but let me quickly say: I am a big fan of DANE, and I'm aware of an unhappy about the sad state of affairs which is DNS security. I'm very reluctant to spec any of it because the implementation burden is *heavy*, but I have big plans to stick all kinds of stuff into AV-98 in the future to reduce the risk associated with the initial TOFU acceptance. This includes looking for DANE records (ideally over DNScrypt, so that even in the absence of DNSSEC there is *some* extra security - and, yes, I realise that DNScrypt and DNSsec provide very different kinds of security) and also various ideas riffing on the old Perspectives project. Hell, I'm even curious about DNS-over-Gemini. I'll write about all this in due time. Cheers, Solderpunk
Hi, Jason McBrayer <jmcbray at carcosa.net> writes: > southerntofu at thunix.net writes: > >> Using DANE to distribute certificates reduces the attack >> surface, because the >> DNS is already a SPOF for a gemini server. I personally believe >> the gemini spec >> should strongly encourage admins to use DANE to distribute >> their server >> certificates. > > Could you provide a minimal sample implementation of how a > client would > implement this? Just to demonstrate feasibility and to provide a > guide > to other client authors? I can't give a reference implementation, but as far as I know DANE can be almost 100% delegated to OpenSSL or GNUTLS. The DANE User Mailing List <https://mail.sys4.de/mailman/listinfo/dane-users> is a good place to get implementation help, sometimes directly from the RFC and OpenSSL authors. Greetings Carsten
---
Previous Thread: More silly text/gemini spec proposals
Next Thread: Syntax highlighting for GtkSourceView (GNOME Builder, gedit)