
The protection offered by TLS in a TOFU scheme

Björn Wärmedal bjorn.warmedal at gmail.com

Fri Mar 5 09:30:30 GMT 2021

- - - - - - - - - - - - - - - - - - - 

There have been some questions on the mailing list about what sort of protection a TOFU scheme in certificates offers. I've written about this on my gemlog a couple of times, and several people have told me that the posts are a good introduction to the subject. Therefore I feel confident about posting links here :)

The first one is a short and somewhat sloppy introduction to certificate security in general. The second is a more thorough guide to TOFU as a validation scheme.

In general, TLS without any validation at all offers no significant protection. However (and this is worth noting) it does protect data in transit from dragnet surveillance. A simple sniff of network traffic will not reveal the paths you visit on a server, or the query strings you send. That's always something. Any sort of validation at all offers more security on top of that. TOFU is not perfect, but it's a lot better than no validation.

gemini://warmedal.se/~bjorn/posts/certificate-security.gmi

gemini://warmedal.se/~bjorn/posts/your-gemini-browser-and-server-are-probably-doing-certificates-wrong.gmi

Cheers,
ew0k
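The post above contrasts three levels of TLS protection: no validation, trust-on-first-use (TOFU) validation, and full validation. The following is an added example, not code from the original message or from the author's gemlog, showing what a minimal TOFU check looks like in a Gemini-style client written in Python. The store layout, the function names, the host names and the "certificate" byte strings are all constructed for the example; the only thing taken from the real world is the Gemini port number, 1965.

```python
# Added example: a minimal trust-on-first-use (TOFU) check for TLS server
# certificates, in the style Gemini clients use. Illustrative code, not taken
# from the original post or the author's gemlog. The Gemini port (1965) is
# real; the host names and certificate bytes below are constructed.
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Dict, List, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Pins the first certificate seen per host:port and flags any change.

    Outcomes of check():
      "trusted-new"   - first contact, fingerprint recorded (the leap of faith)
      "trusted-known" - same certificate as before
      "mismatch"      - certificate changed: a legitimate rotation or an active
                        MITM; TOFU alone cannot tell which, so never auto-accept
    """

    def __init__(self, path: Optional[str] = None):
        self.path = Path(path) if path else None
        self.known: Dict[str, str] = {}
        if self.path and self.path.exists():
            self.known = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.known, indent=2, sort_keys=True))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key = "%s:%d" % (host, port)
        fp = fingerprint(der_cert)
        pinned = self.known.get(key)
        if pinned is None:
            self.known[key] = fp          # first use: pin whatever we were shown
            self._save()
            return "trusted-new"
        return "trusted-known" if pinned == fp else "mismatch"

    def replace_pin(self, host: str, port: int, der_cert: bytes) -> None:
        """Explicit user decision after a mismatch; never call this automatically."""
        self.known["%s:%d" % (host, port)] = fingerprint(der_cert)
        self._save()


def connect_with_tofu(host: str, port: int, store: TofuStore,
                      timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection, skip CA validation, and apply the TOFU check instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no CA chain; identity comes from the pin
    ctx.verify_mode = ssl.CERT_NONE   # handshake still encrypts the session
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)   # SNI still sent
    der = tls.getpeercert(binary_form=True)
    verdict = store.check(host, port, der)
    if verdict == "mismatch":
        tls.close()
        raise ssl.SSLCertVerificationError(
            "certificate for %s:%d changed since first use; refusing" % (host, port))
    return tls


# Constructed sample "certificates": stand-ins for DER bytes, not real X.509.
CERT_A = b"constructed-der-cert-A"
CERT_B = b"constructed-der-cert-B"


def demo() -> List[str]:
    """Walk through first contact, a repeat visit, and a changed certificate."""
    store = TofuStore()  # in-memory; pass a path to persist between runs
    return [
        store.check("capsule.example", 1965, CERT_A),  # first sight: pinned
        store.check("capsule.example", 1965, CERT_A),  # same cert: fine
        store.check("capsule.example", 1965, CERT_B),  # different cert: alarm
        store.check("other.example", 1965, CERT_B),    # new host: its own pin
    ]


if __name__ == "__main__":
    print(demo())  # ['trusted-new', 'trusted-known', 'mismatch', 'trusted-new']
```

Two points the code makes concrete. First, the connection is encrypted even with `CERT_NONE`, which is the "protects against dragnet surveillance" case from the message; the pin is what turns that into protection against an active attacker on later visits. Second, the very first contact is taken on faith, and a later mismatch is ambiguous between a rotated certificate and a man-in-the-middle, which is why the store refuses to re-pin on its own and leaves that decision to the user.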