Phil Leblanc philanc at gmail.com
Mon Mar 8 21:59:53 GMT 2021
- - - - - - - - - - - - - - - - - - -
Privacy appears to be essential for Gemini users. A lot of discussions revolve around TLS, TOFU and how to prevent man-in-the-middle (MITM) attacks.
There may be other attacks simpler to set up. Let's take an example:
Alice visits Bob's gemini capsule. Nathan is a young NSA analyst assigned to this emerging Gemini thing. We assume Nathan has access to the tcp stream between Alice and Bob. The stream is TLS-encrypted (with the most recent TLS crypto). What can Nathan do?
Nathan quickly builds a gemini spider/indexer program and starts collecting for all Gemini sites the accessible files as any user could do. On whether Nathan's spider respects robots.txt, your guess is as good as mine.
Nathan finds that Bob's capsule contains 3 files (this is just an example!) which are 1KB, 5KB and 100KB large.
Now Nathan looks at Alice's encrypted traffic with Bob's server. Just looking at the response sizes, Nathan knows what file(s) Alice has accessed and their content (collected during the indexing phase). No crypto, no MITM involved.
Of course, with lots of files in Bob's capsule, the matching is less perfect, but it still leaks lots of information regarding what Alice read.
This is easier for Gemini than for https because Gemini documents are precisely simpler. No keep-alive (or maybe I missed some recent Gemini development?), each file is loaded in its own request-response transaction.
What countermeasures could we propose? I can think of a few more or less practical approaches:
1. make sure the same file is never served with the same size - add random white space at the end of gmi / txt / html files, add random comments to pics, zip files, etc.
2. or add lots of "decoy" files (with all sorts of sizes) to your capsule. It will make life more difficult for the attackers, ... but also for the legit indexers.
3. Adopt a "twitter-like" approach: serve only fixed-size content. Serve only 8 KB gmi pages and 32KB pics (didn't Solderpunk have an experiment with fixed size pics?)
Do you consider that this type of attack is far-fetched? To set them up, access to the network is required (to log Alice's transactions) - so typically an ISP (or maybe a 3-letter agency :-) - maybe also corporate IT, for a targeted attack against an employee.
Or do you think the Gemini/TLS privacy expectations should apply only to non-indexable exchanges (CGI, user input)?
This is not to say that TLS does not protect against attacks. At the moment the most obvious threat I can see that is really blocked by TLS is not against privacy but against _integrity_, e.g. in the example above, Alice's or Bob's ISP _injecting_ advertisement in Bob's response.
Has any server author designed some sort of countermeasure against length-based attacks? Has it been already discussed?
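
Added example, not part of the original post and not taken from any Gemini server: a Python sketch a capsule operator could use to check how well countermeasures 1 and 3 hide which file was served. The file names, the two extra file sizes and the 2 KB random-padding limit are constructed assumptions; only body sizes are compared, ignoring the response header and TLS framing.

```python
import random
from collections import Counter

BUCKET = 8 * 1024  # 8 KB page size suggested in countermeasure 3

# Constructed capsule: the three sizes from the example, plus two more files.
CAPSULE = {
    "index.gmi": b"x" * 1024,
    "about.gmi": b"x" * (5 * 1024),
    "log.gmi": b"x" * (6 * 1024),
    "notes.gmi": b"x" * (7 * 1024),
    "essay.gmi": b"x" * (100 * 1024),
}

def pad_to_bucket(body, bucket=BUCKET):
    """Countermeasure 3: pad with newlines to the next bucket multiple."""
    target = max(1, -(-len(body) // bucket)) * bucket  # at least one bucket
    return body + b"\n" * (target - len(body))

def pad_random(body, max_pad, rng):
    """Countermeasure 1: append 0..max_pad bytes of trailing whitespace."""
    return body + b" " * rng.randint(0, max_pad)

def uniquely_sized(bodies):
    """Names of files whose served size is shared with no other file."""
    counts = Counter(len(b) for b in bodies.values())
    return sorted(n for n, b in bodies.items() if counts[len(b)] == 1)

def candidates(observed, bodies, max_pad):
    """Files that could have produced `observed` bytes under random padding."""
    return sorted(n for n, b in bodies.items()
                  if len(b) <= observed <= len(b) + max_pad)

def report():
    rng = random.Random(0)  # fixed seed so the output is repeatable
    bucketed = {n: pad_to_bucket(b) for n, b in CAPSULE.items()}
    seen = len(pad_random(CAPSULE["about.gmi"], 2048, rng))
    return {
        "unpadded_unique": uniquely_sized(CAPSULE),
        "bucketed_unique": uniquely_sized(bucketed),
        "random_pad_candidates": candidates(seen, CAPSULE, 2048),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Bucketing merges the four small files into one 8 KB size class but leaves the 100 KB file alone in its own bucket, and random padding only creates ambiguity between files whose padded size ranges overlap.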