I will admit that I am just a hobbyist programmer and nerd. There was a point in time (actually a good portion of my life) where I strove to have this be my career, but alas, it was not meant to be. I am now okay with being a hobbyist nerd - and in that vein, I try to absorb as much as I can from others that are better at this than I am, or have just done it longer. To this point, I stumbled across lykso's gemlog about protecting against csrf (cross-site request forgery - i.e., stealing someone's request), and it's an angle I hadn't considered, but one I will probably try and implement.
I've been recently mulling around an idea for an app on my molly-brown server, and I am of course interested in keeping it secure. I've read that one post on the web about how insecure Gemini is, and people frequently talk about how vulnerable Gemini is, but it's always given the pass because it's too small and no one really is interested in being malicious on here - or at least it's not very apparent. However, there are a few sites about securing your server, and basic steps folks have taken, and I am grateful for those posts - and this is one of them.
We also use servers and clients that are admittedly built by not a team of hired software engineers whose reputation or job is on the line if something goes wrong with the software, but enthusiasts that may or may not care if their software is hackable, and even post disclaimers as such on their git pages. Now, I love FOSS, and I love the Gemini protocol, and I will still continue to use it, but knowing the aforementioned info, I will try to reduce my attack surface as much as possible while still getting as much out of this space as I think is fun or interesting.
To that point, I'm glad I came across this post. it's not an earth shattering suggestion, but it is something that I think would be fairly simple to implement. I also like ~Lykso's point that simply using client certificates is not enough in this case - they must use "random, single-use, time-limited string[s] which must be submitted with any request to any URL which mutates state on the server." I'd also like some of the servers out there to be able to facilitate something like this without everyone trying to home-roll a solution.
The good and bad about Gemini is its discoverability, because I think there should be a security-focused hub somewhere on here that discusses best practices for clients and servers. Circumlunar seems a logical choice as it's the entry point for most new users, but really anywhere would be good so long as it's well-known and reliably available.
Gritty
2022-03-19
Tags: csrf, security