
Re: ANN: go-hg — Mercury Protocol client & server library for Go programming language

Charles Iliya Krempeaux cikrempeaux at gmail.com

Mon Nov 1 07:01:19 GMT 2021

- - - - - - - - - - - - - - - - - - - 

A number of things to reply to. I wasn't sure whether to reply to everything in one giant e-mail, or to reply in separate e-mails (that could turn into their own separate threads). I think I'll create a small number of separate replies to make it easier for others to follow.

Regarding: gopher://zaibatsu.circumlunar.space/0/~solderpunk/phlog/why-gopher-needs-crypto.txt

I think the main topics of this are:

№1: being able to detect (or prevent) content modification, and

№2: being able to protect one's privacy and make spying very difficult (if not impossible).

(Please correct me if I missed anything.)

Let's get technical about this —

I haven't read the Gopher spec in a long time, so don't recall whether there is something technical that would prevent it, but —

One could try to use content-addressing to try to detect content modification.

For example, there could be a convention created (and Gopher clients modified) such that the path in the gopher URL would contain a digest (from a cryptographic hash function) of the content. For example:

gopher://example.com/content/base64/sha3-512/ld7McvClCuTZ1TeOGyJSWHz8cZd+QyksjxuEZIJIUJ8bwYvG8LDQuGBqZD7/YdYRroTm+9SiaDFlcGvW/UizNA==

Notice that there are three main parts to this:

• base64
• sha3-512
• ld7McvClCuTZ1TeOGyJSWHz8cZd+QyksjxuEZIJIUJ8bwYvG8LDQuGBqZD7/YdYRroTm+9SiaDFlcGvW/UizNA==

The gibberish is base64 encoding of the digest of a sha3-512 hash function.

(One could use base64url if they didn't want the gibberish to have the "/" symbol.)

Someone would need to modify Gopher clients to recognize that type of gopher URL, and then, once the data is downloaded, verify that its digest matches the digest in the URL.

And encryption (such as TLS, mentioned in the document) could help prevent the spying to help protect privacy.

(Although there are other options than just TLS.)

But, if you are using your ISP's DNS servers, they can still see what Internet domain names you are resolving. Which breaks some of your privacy.

(Personally, I would prefer to move away from the Internet domain name system, for various reasons.)

As a side note — if you are interested in privacy, you should look into what information mobile phone providers, and credit card companies (and their partners) are collecting, and "sharing".

--
Charles Iliya Krempeaux, B.Sc.
cikrempeaux at gmail.com

On Sun, Oct 31, 2021 at 10:27 PM Sean Conner <sean at conman.org> wrote:

It was thus said that the Great Charles Iliya Krempeaux once stated:
> Hello everyone,

Hello.

> For me I prefer to separate out the TLS part from the server part. So, this implementation isn't an attempt to get rid of encryption, but instead a way of dividing up the technology to make it easier to work with.
>
> I was originally doing this in a Gemini Protocol Go implementation, and calling the TLS-free version "naked Gemini". But when I started reading the mailing list archive, and some of the gemlogs — still working through them — and noticed Mercury was the same thing, I created Go package hg.

The Mercury protocol:

https://portal.mozz.us/gemini/gemini.circumlunar.space/users/solderpunk/gemlog/the-mercury-protocol.gmi

was (at the time solderpunk proposed it) a thought experiment and is actually a bit less than the current Gemini-TLS---it's more akin to the original protocol he proposed with single digit status codes [1] and a very simple native text format. The critical part of the Mercury "spec":

3. ... then a lot of distinctions made by the remaining codes (e.g. temporary vs permanent redirects or failures) become far less important, so we can get rid of more codes and end up below 10, allowing them to be single digits.

4. The 'charset' parameter from the text/gemini MIME type is removed and UTF-8 encoding is obligatory. The 'lang' parameter currently under discussion for Gemini is not added.

5. The text/gemini syntax is stripped back to just two line types: links, and plain text. Plain text lines are still wrapped by the client, as they currently are in Gemini.

As for the requirement for TLS for Gemini, solderpunk explained his ideas in this post:

gopher://zaibatsu.circumlunar.space/0/~solderpunk/phlog/why-gopher-needs-crypto.txt

In fact, a lot of the early history of Gemini is documented here:

gopher://zaibatsu.circumlunar.space:70/1/~solderpunk/gemini

-spc

[1] gopher://zaibatsu.circumlunar.space/0/~solderpunk/gemini/status-codes.txt
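The client-side check Charles sketches above, as an added Python example that is not part of this thread or of the go-hg library: it parses the hypothetical gopher://host/content/<encoding>/<algorithm>/<digest> convention, re-hashes the downloaded bytes and compares the result against the digest carried in the URL. The /content/ prefix, the base64url variant and all function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed convention: gopher://host/content/<encoding>/<algorithm>/<digest>
HASHES = {"sha3-512": hashlib.sha3_512, "sha3-256": hashlib.sha3_256}
DECODERS = {"base64": base64.b64decode, "base64url": base64.urlsafe_b64decode}


def parse_content_url(url):
    """Return (host, encoding, algorithm, digest bytes) or raise ValueError.
    The digest is everything after the algorithm segment, because a plain
    base64 digest may itself contain '/' (the case the message points out)."""
    parts = urlsplit(url)
    if parts.scheme != "gopher" or not parts.path.startswith("/content/"):
        raise ValueError("not a content-addressed gopher URL")
    fields = parts.path[len("/content/"):].split("/", 2)
    if len(fields) != 3:
        raise ValueError("expected /content/<encoding>/<algorithm>/<digest>")
    encoding, algorithm, text = fields
    if encoding not in DECODERS or algorithm not in HASHES:
        raise ValueError("unsupported encoding or hash algorithm")
    text += "=" * (-len(text) % 4)          # tolerate stripped '=' padding
    digest = DECODERS[encoding](text)
    if len(digest) != HASHES[algorithm]().digest_size:
        raise ValueError("digest length does not match the named algorithm")
    return parts.hostname, encoding, algorithm, digest


def is_content_url(url):
    """Client-side test for whether the verification convention applies."""
    try:
        parse_content_url(url)
        return True
    except ValueError:
        return False


def content_matches(url, data):
    """True only if the downloaded bytes hash to the digest named in the URL."""
    _, _, algorithm, expected = parse_content_url(url)
    actual = HASHES[algorithm](data).digest()
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def make_content_url(host, data, encoding="base64url", algorithm="sha3-512"):
    """Publisher side: build the URL that names the content by its digest."""
    digest = HASHES[algorithm](data).digest()
    enc = base64.b64encode if encoding == "base64" else base64.urlsafe_b64encode
    return f"gopher://{host}/content/{encoding}/{algorithm}/{enc(digest).decode()}"
```

A client that wants this check should fetch the full body first and only then compare; a tampered or truncated response fails closed because the digest will not match.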