💾 Archived View for bbs.geminispace.org › s › Gemini › 21544 captured on 2024-12-17 at 15:10:19. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

Enhancing Gemini’s TOFU Model with Convergence: A Proposal for Decentralized, Collaborative Certificate Validation

The Gemini protocol’s minimalist, privacy-focused design is a refreshing alternative to the traditional, often bloated web. Its reliance on Trust on First Use (TOFU) brings much-needed decentralization and reduces dependence on Certificate Authorities (CAs). However, as Daniel Stenberg and others have pointed out, TOFU has inherent vulnerabilities. Specifically, it requires users to implicitly trust a certificate on the first connection, a model that some believe could benefit from a supplementary validation system.

One promising approach to address this without compromising Gemini’s core values is to integrate the Convergence project. Originally designed as a decentralized method for validating certificates, Convergence allows users to check certificates against multiple independent "notaries" instead of relying on a single CA. By implementing Convergence into Gemini, each Gemini server could act as a notary, and Gemini browsers could include a Convergence client. This approach would provide additional verification without introducing a centralized authority, aligning with Gemini’s privacy-centric and distributed ethos. Here’s a breakdown of how this could work and why it might be worth considering.

1. Reinforcing TOFU’s Decentralization While Enhancing Security

TOFU allows users to pin a certificate the first time they connect to a server, creating a trusted relationship for future connections. However, this initial trust is inherently vulnerable to man-in-the-middle (MITM) attacks, particularly on public networks. Integrating Convergence as an optional validation layer could bolster TOFU by allowing users to verify that the certificate presented by the server matches what is seen by other notaries. Each Gemini server could act as a notary, which would ensure that certificate verification remains decentralized and community-driven.

Benefits:

• Additional Security: A Convergence-based system would allow users to cross-check the server’s certificate with several notaries, reducing the risk of accepting a compromised certificate during the first connection.
• Distributed Trust: By using Gemini servers themselves as notaries, this approach avoids a centralized authority while still offering a collaborative layer of security that could help users detect MITM attacks early.

2. Enhancing the TOFU Model Without Reintroducing CAs

One of the main appeals of TOFU is that it bypasses the traditional CA system, which can be compromised or co-opted by powerful entities. Convergence offers a way to preserve this CA-free model while adding an extra layer of validation, allowing users to select trusted notaries based on their preferences. This would let Gemini users maintain control over who they trust and reduce reliance on any single organization or authority.

Benefits:

• Avoiding Centralization: By using multiple Gemini servers as independent notaries, Gemini would continue to resist centralized control, a core principle of the protocol’s design.
• User-Defined Trust: Users could customize their list of notaries, allowing them to choose a personalized trust network that aligns with their security and privacy needs.

3. Addressing Critiques Around Certificate Management

One of Stenberg’s criticisms of TOFU is the lack of a certificate revocation or management system. With Convergence, users could benefit from community-verified certificates without sacrificing Gemini’s decentralized ethos. If a server’s certificate changes (e.g., due to a compromised key), the notary network could detect this discrepancy, alerting users before they automatically trust the new certificate. While not a complete solution to revocation, this system would offer Gemini users a practical middle ground.

Benefits:

• Detecting Compromised Certificates: Convergence’s notary network can flag unexpected certificate changes, providing Gemini users with an added layer of security against MITM attacks or key compromises.
• Minimizing Trust Confusion: A notary system provides users with more context around certificate changes, which could mitigate some of the potential user complacency that TOFU alone might encourage.

4. Promoting Collaboration Across the Gemini Ecosystem

One of the advantages of integrating Convergence into Gemini is the collaborative, community-driven model it could foster. By allowing each Gemini server to act as a notary, Gemini users would contribute to a collective security system, making the protocol stronger as it grows. This approach could help address concerns about scalability, as each additional server strengthens the notary network.

Benefits

• Enhanced Security at Scale: As more Gemini servers participate as notaries, the collective certificate verification becomes stronger, making it harder for attackers to compromise the network.
• Community-Built Trust: Gemini’s privacy-conscious user base might appreciate the opportunity to participate in a community-based security model that is fundamentally decentralized and cooperative.

Addressing Counterarguments

As with any protocol change, there are valid concerns and potential counterarguments to this proposal. Here are some common objections and responses:

• "Integrating Convergence could complicate Gemini’s simplicity.”

Response: While adding Convergence would introduce additional layers, it could be designed as an optional feature for users and servers who seek added security. For users who prioritize simplicity over additional security, they could choose to bypass the Convergence layer and rely on TOFU alone. Moreover, since each Gemini server could function as a notary, the complexity of setting up external notary infrastructure would be minimized, preserving Gemini’s straightforward deployment model.

• “Using Gemini servers as notaries might introduce privacy risks.”

Response: To address this, notary requests could be anonymized or limited to avoid disclosing which servers a user is connecting to. Additionally, users could select trusted notaries based on their own preferences, allowing them to avoid any servers they deem untrustworthy. This would let users maintain privacy while still benefiting from added certificate validation.

• “TOFU works well enough for Gemini’s niche use case—why complicate it with Convergence?”

Response: While TOFU is effective for low-stakes, content-driven browsing, many users might appreciate an optional added layer of verification, especially in sensitive environments or on untrusted networks. The Convergence layer wouldn’t replace TOFU; rather, it would supplement it, offering more choices for users who need it without disrupting the experience for those who don’t.

• “Notaries themselves could become compromised, undermining the verification process.”

Response: Convergence allows users to choose multiple independent notaries, mitigating the risk of a single compromised notary. Users can update their trusted notaries as they see fit, avoiding dependence on any one entity. This distributed model offers resilience against centralized attacks while giving users more control over their security setup.

• “This proposal could increase the maintenance burden on Gemini server operators.”

Response: While there would be an initial setup to act as a notary, maintenance requirements could be minimized by automating notary tasks or offering opt-in participation. This approach allows only those who wish to operate as notaries to do so, ensuring that the system remains voluntary and accessible.

Conclusion: A Complementary Path for Gemini’s Security

Incorporating Convergence into Gemini could offer a novel way to enhance TOFU without compromising the protocol’s fundamental principles. This approach could provide Gemini users with added security options without introducing a centralized authority, enabling Gemini to scale and evolve while remaining true to its decentralized, privacy-focused roots. By allowing each Gemini server to act as a notary and integrating a Convergence client in Gemini browsers, the Gemini protocol could establish a flexible, community-driven trust model.

While this approach would require collaboration and careful consideration, it represents a promising path forward for Gemini’s security model. It leverages the best of TOFU’s simplicity and Convergence’s collaborative verification to create a protocol that’s both resilient and responsive to user needs.

See Also:

https://en.wikipedia.org/wiki/Convergence_(SSL)

https://moxie.org/2011/04/11/ssl-and-the-future-of-authenticity.html

https://github.com/moxie0/Convergence

Posted in: s/Gemini

🚀 LooseCannon

Nov 04 · 6 weeks ago · 👍 CitySlicker

8 Comments ↓

🦂 zzo38 · Nov 05 at 00:18:

I also had a idea for decentralized validation, where anyone could sign anyone else's certificate; a DER file could be available by any protocol (TLS is not needed, although it is OK if you have it) or disk, which lists with certificates you approve and the details of the approval, including which extensions of the certificate you understand and which you don't, and what details you trust (e.g. the Common Name). It could also be used with what you describe. I wrote on a paper about the schema, and I will mention it here later when I write it on the computer.

Additionally, I also had a idea about superseding self-signed X.509 certificates. This is currently mentioned in the Scorpion protocol specification (in the section about X.509 extensions), but I think there might be a problem with it. I will post a separate message with my comments about how it is now and what I think it might be changed to.

— Superseding X.509 certificates

🦋 CarloMonte · Nov 05 at 06:54:

Please don't resurrect GPG. Joke apart, the proposed scheme lacks transparency and simplicity, which Gemini explicitely promotes at the expense of security.

👻 mediocregopher [...] · Nov 05 at 07:21:

All "problems" with TOFU can be solved with DANE. It would require no changes to Gemini servers or their certificates at all, and can be an optional check performed by clients. It relies on existing infrastructure (DNS, DNSSEC), and is already a standard with many different implementations existing and wide-usage as a security mechanism for email.

There's no need to introduce something new. I'm not even sure there's need to introduce something at all; TOFU works fine for gemini, it's not like we're doing our banking here.

👺 daruma · Nov 05 at 07:22:

Are there really users out there that want more secure Gemini? Or is this just a tech/programmer desire to expand the protocol? I think the idea of security also depends on the use case of a technology; if I use technology for the fun of it, why would it need to be secure? For me Gemini is enjoyable because it doesn't need to be secure, there aren't countless password, 2fa, captcha etc..

🐑 zeerooth · Nov 05 at 08:44:

I agree with @mediocregopher - we already have DANE, which is decentralized as well, and actually already a part of gemini spec as a recommendation for clients as an additional security measure for validating certificates.

🚀 mbays · Nov 05 at 22:18:

Is there a spec for this Convergence scheme? From the information in the links, I expect that it's too complicated to have a chance of being adopted by gemini developers (and the same probably goes even for the simplest notary schemes).

🚀 mbays · Nov 05 at 22:18:

I did find Moxie's criticisms of DANE in the second link interesting, by the way.

☕️ tenno-seremel · Nov 06 at 07:28:

@daruma Because otherwise an ISP can MitM you and censor or add any data (which you’d think comes from someone else’s mouth), or feed your system a 0-day exploit to monitor you better. Although I don’t think the thing that OP suggests is a solution I’d want.