[spec] Certificate trust

1. CΓ΄me Chilliet (come (a) chilliet.eu)

Hello,

I have been using lagrange for a few months to browse Gemini, and I 
realize that I?m already making a habit of ignoring certificate mismatch 
warnings, and blindly trusting any certificate that shows.

The certificate trust is one of the weak point of the current 
specification I think, and it would need to be clarified.

Firstly, there is the idea of TOFU, but it does not say on which part of 
the certificate the TOFU works (some people consider it?s the whole 
certificate, some only the fingerprint), and it does not say how much the 
certificate needs to be valid (I?ve seen on the ML some people considering 
that a wrong domain in a certificate and a past expiration date should be 
ignored by clients). Reading the specification it appears that it 
recommends using fingerprint and to consider past expiration date invalid.
Secondly, there is the good old CA system, nowadays mostly using 
letsencrypt. It seems badly supported in most clients which still use TOFU 
in this case and will complain at each renewal.
A third possibility I think would be to use DANE and base validation on 
the DNS system, but I?ve not seen anyone advocating this, is there 
anything wrong with that idea?

I?m failing to see how TOFU can provide any security, especially if there 
is no way to announce a renewal by sending both new and old cert or 
something, there is a MITM possibility at each renewal. The only TOFU 
example I?ve seen cited is openssh, which seems offtopic because you 
usually do not ssh into random machine on the internet by following links 
like you do with Gemini.

C?me

Link to individual message.

2. Solene Rapenne (solene (a) perso.pw)

On Sun, 28 Feb 2021 20:27:26 +0100
C?me Chilliet <come at chilliet.eu>:

> Hello,
> 
> I have been using lagrange for a few months to browse Gemini, and I 
realize that I?m already making a habit of ignoring certificate mismatch 
warnings, and blindly trusting any certificate that shows.
> 
> The certificate trust is one of the weak point of the current 
specification I think, and it would need to be clarified.
> 
> Firstly, there is the idea of TOFU, but it does not say on which part of 
the certificate the TOFU works (some people consider it?s the whole 
certificate, some only the fingerprint), and it does not say how much the 
certificate needs to be valid (I?ve seen on the ML some people considering 
that a wrong domain in a certificate and a past expiration date should be 
ignored by clients). Reading the specification it appears that it 
recommends using fingerprint and to consider past expiration date invalid.
> Secondly, there is the good old CA system, nowadays mostly using 
letsencrypt. It seems badly supported in most clients which still use TOFU 
in this case and will complain at each renewal.
> A third possibility I think would be to use DANE and base validation on 
the DNS system, but I?ve not seen anyone advocating this, is there 
anything wrong with that idea?
> 
> I?m failing to see how TOFU can provide any security, especially if 
there is no way to announce a renewal by sending both new and old cert or 
something, there is a MITM possibility at each renewal. The only TOFU 
example I?ve seen cited is openssh, which seems offtopic because you 
usually do not ssh into random machine on the internet by following links 
like you do with Gemini.
> 
> C?me
> 
> 

Hi,

I suggested something on IRC a while ago, I'm not sure this would
be a good idea but I'll share it here.

Instead of TOFU, 2 mecanisms could be used:

1) Check chain of trust of the certificate, with let's encrypt and
other provider (they are not alone anymore) it's easy to get a valid
certificate

2) If 1 is invalid, let's (introduce something new here) check if
DNS doesn't have a TXT field with the certificate fingerprint and
see if it matches the current one, accept if OK

3) if 2 found a TXT that doesn't match, tell the user, if it matches,
accepts, if no TXT, TOFU?

The fingerprint published in DNS is already done for SSH fingerprint
using a SSHFP field. This allows to have a third party check. I
agree it's not absolutely perfect but, it gives the opportunity for
an extra check.

This wouldn't have any backward incompatibilities because it's up
to the client to implement it, if a person hosting a gemini server
doesn't want to host it, just do TOFU as usual.

Link to individual message.

3. Martin Keegan (martin (a) no.ucant.org)

On Sun, 28 Feb 2021, C?me Chilliet wrote:

> I?m failing to see how TOFU can provide any security, especially if

Does SSH provide any security?

Mk

-- 
Martin Keegan, @mk270, https://mk.ucant.org/

Link to individual message.

4. Solene Rapenne (solene (a) perso.pw)

On Sun, 28 Feb 2021 22:07:52 +0000 (GMT)
Martin Keegan <martin at no.ucant.org>:

> On Sun, 28 Feb 2021, C?me Chilliet wrote:
> 
> > I?m failing to see how TOFU can provide any security, especially if  
> 
> Does SSH provide any security?
> 
> Mk
> 

With ssh you can use https://en.wikipedia.org/wiki/SSHFP_record
to improve the security for first connection.

Link to individual message.

5. Matthew Ernisse (matt (a) going-flying.com)

On Sun, Feb 28, 2021 at 08:32:53PM +0100, Solene Rapenne said unto me:
> 2) If 1 is invalid, let's (introduce something new here) check if
> DNS doesn't have a TXT field with the certificate fingerprint and
> see if it matches the current one, accept if OK

I think this is the perfect use of the TLSA record, instead of introducting
a new use of TXT.  It is already used by DANE to provide trust outside of
the CA structure.

--Matt

---
Matthew Ernisse
matt at going-flying.com
https://www.going-flying.com/

Link to individual message.

6. colecmac (a) protonmail.com (colecmac (a) protonmail.com)

> 2) If 1 is invalid, let's (introduce something new here) check if
> DNS doesn't have a TXT field with the certificate fingerprint and
> see if it matches the current one, accept if OK

Unless your computer is using DoH or DoT (or DNSSEC?? Not sure) then your DNS
lookup isn't secure either. If your adversary can sit in between your traffic
and change a capsule's TLS certificate than I don't see why DNS would be very
different. Seems like this just adds complexity but without benefit.

makeworld

Link to individual message.

7. Sean Conner (sean (a) conman.org)

It was thus said that the Great Solene Rapenne once stated:
> On Sun, 28 Feb 2021 20:27:26 +0100
> C?me Chilliet <come at chilliet.eu>:
> 
> > I?m failing to see how TOFU can provide any security, especially if
> > there is no way to announce a renewal by sending both new and old cert
> > or something, there is a MITM possibility at each renewal. The only TOFU
> > example I?ve seen cited is openssh, which seems offtopic because you
> > usually do not ssh into random machine on the internet by following
> > links like you do with Gemini.
> 
> I suggested something on IRC a while ago, I'm not sure this would be a
> good idea but I'll share it here.
> 
> Instead of TOFU, 2 mecanisms could be used:
> 
> 1) Check chain of trust of the certificate, with let's encrypt and other
> provider (they are not alone anymore) it's easy to get a valid certificate

  The viability of this approach may depend upon the TLS library used.  I
use libtls, and I really only have two options:

	1. Do the whole CA thang and let the underlying TLS library validate
	   the certificate.

	2. Do no validatation whatsoever, leaving the validation up to the
	   client.

  To do this, I would have to disable validation entirely, and do it
manually, dipping into the nasty API that is OpenSSL.  I would have to check
other servers to see how they are handling this and if I could do the same
thing.

> 2) If 1 is invalid, let's (introduce something new here) check if
> DNS doesn't have a TXT field with the certificate fingerprint and
> see if it matches the current one, accept if OK
>
> 3) if 2 found a TXT that doesn't match, tell the user, if it matches,
> accepts, if no TXT, TOFU?

  The general problem with this is not the actual DNS RR used (TXT, SSHFP,
etc), it's making the DNS call itself.  If you haven't dived into the mess
that is DNS and resolving libriaries, it gets about as nasty as TLS with
about a half dozen libraries that aren't compatible at all.  POSIX systems
come with getaddrinfo(), but that only covers A and AAAA record types.  If
you want *any* other type of DNS record, you are pretty much forced to
either use one of the horrible DNS resolving libraries or roll your own.  I
would tout my own DNS library [1], but it's in C (and has a Lua wrapper for
it).

  I'm not saying this is a bad idea.  I'm just saying there are issues with
it ... 

  -spc

[1]	https://github.com/spc476/SPCDNS

Link to individual message.

8. Martin Keegan (martin (a) no.ucant.org)

On Sun, 28 Feb 2021, Solene Rapenne wrote:

>>> I?m failing to see how TOFU can provide any security, especially if
>>
>> Does SSH provide any security?
>
> With ssh you can use https://en.wikipedia.org/wiki/SSHFP_record
> to improve the security for first connection.

We are using two different definitions of "security".

SSH, even without SSHFP, still provides security. The question is what is 
the threat model.

Mk

-- 
Martin Keegan, @mk270, https://mk.ucant.org/

Link to individual message.

9. Petite Abeille (petite.abeille (a) gmail.com)



> On Mar 1, 2021, at 02:27, Matthew Ernisse <matt at going-flying.com> wrote:
> 
> perfect use of the TLSA record

Oh, yes:

https://www.cloudns.net/wiki/article/342/
https://tools.ietf.org/html/rfc6698

So many DNS records to keep track of :)

On the other hand, TXT records are the universal DNS bandaid: easy to use, multi-purpose.

?0?

Link to individual message.

10. Petite Abeille (petite.abeille (a) gmail.com)



> On Mar 1, 2021, at 02:48, colecmac at protonmail.com wrote:
> 
> DNSSEC

Yes, one still needs a chain of trust of some sort. Turtles all the way down.

?0?

Link to individual message.

11. Stephane Bortzmeyer (stephane (a) sources.org)

On Sun, Feb 28, 2021 at 08:27:26PM +0100,
 C?me Chilliet <come at chilliet.eu> wrote 
 a message of 32 lines which said:

> The certificate trust is one of the weak point of the current
> specification I think, and it would need to be clarified.

I agree with your statement. With the new issue tracking system that
Sean configured, this is ticket #5
<https://gitlab.com/gemini-specification/protocol/-/issues/5>.

> Secondly, there is the good old CA system, nowadays mostly using
> letsencrypt. It seems badly supported in most clients which still
> use TOFU in this case and will complain at each renewal.

More precisely, each renewal, BY DEFAULT. But Let's Encrypt lets you
request that we keep the public key, and then TOFU will still work iff
it acts on the public key only.

If you use the ACME client dehydrated, this is in the configuration file:

PRIVATE_KEY_RENEW="no"

With the ACME client certbot, this is an option on the command-line:

--reuse-key

> A third possibility I think would be to use DANE and base validation
> on the DNS system, but I?ve not seen anyone advocating this, is
> there anything wrong with that idea?

This is certainly the best solution, technically
speaking. Unfortunately, adding DANE support to your Gemini client
typically requires some effort, the existing libraries are typically
not sufficient. (Full disclosure: I did not even add DANE support to
my own Gemini client, despites the fact I'm strongly pro-DANE.)

Also, the Internet is very ossified by broken middleboxes (typically
firewalls but not only them) and TLSA requests may be blocked (or,
worse, any DNSSEC use, which DANE requires). This is something to keep
in mind.

> I?m failing to see how TOFU can provide any security, especially if
> there is no way to announce a renewal by sending both new and old
> cert or something, there is a MITM possibility at each renewal. The
> only TOFU example I?ve seen cited is openssh, which seems offtopic
> because you usually do not ssh into random machine on the internet
> by following links like you do with Gemini.

I fully agree. TOFU is great for SSH but Gemini is completely
different.

Link to individual message.

12. Stephane Bortzmeyer (stephane (a) sources.org)

On Mon, Mar 01, 2021 at 01:48:02AM +0000,
 colecmac at protonmail.com <colecmac at protonmail.com> wrote 
 a message of 13 lines which said:

> Unless your computer is using DoH or DoT (or DNSSEC?? Not sure) then
> your DNS lookup isn't secure either.

I fail to see the relationship with DoT and DoH. If you care about
integrity and authenticity of DNS answers, DNSSEC is the
solution. (This is why DANE requires it.)

Link to individual message.

13. Stephane Bortzmeyer (stephane (a) sources.org)

On Sun, Feb 28, 2021 at 10:07:02PM -0500,
 Sean Conner <sean at conman.org> wrote 
 a message of 56 lines which said:

> If you want *any* other type of DNS record, you are pretty much
> forced to either use one of the horrible DNS resolving libraries or
> roll your own.  I would tout my own DNS library [1], but it's in C
> (and has a Lua wrapper for it).

C programmers are lucky, there are two excellent free, documented,
maintained and complete libraries to do DNS requests, ldns
<https://www.nlnetlabs.nl/projects/ldns/> and getdns
<https://getdnsapi.net/>.

Python programmers have one, dnspython <https://www.dnspython.org/>.

Other languages? it depends. Last time I checked for Elixir, it was
not good.

Link to individual message.

14. Stephane Bortzmeyer (stephane (a) sources.org)

On Sun, Feb 28, 2021 at 11:16:47PM +0100,
 Solene Rapenne <solene at perso.pw> wrote 
 a message of 15 lines which said:

> With ssh you can use https://en.wikipedia.org/wiki/SSHFP_record
> to improve the security for first connection.

Or you can, if you care about the first connection, ask the sysadmin
about the public key to expect, and check it yourself. As C?me
Chilliet explained, that's the *huge* difference between SSH and
Gemini; with SSH, you typically connect to only a few servers and you
know their admins (and they know you).

Link to individual message.

15. cas (carsten (a) strotmann.de)

Hi,

> On 1. Mar 2021, at 10:26, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> On Sun, Feb 28, 2021 at 10:07:02PM -0500,
> Sean Conner <sean at conman.org> wrote 
> a message of 56 lines which said:
> 
>> If you want *any* other type of DNS record, you are pretty much
>> forced to either use one of the horrible DNS resolving libraries or
>> roll your own.  I would tout my own DNS library [1], but it's in C
>> (and has a Lua wrapper for it).
> 
> C programmers are lucky, there are two excellent free, documented,
> maintained and complete libraries to do DNS requests, ldns
> <https://www.nlnetlabs.nl/projects/ldns/> and getdns
> <https://getdnsapi.net/>.
> 
> Python programmers have one, dnspython <https://www.dnspython.org/>.
> 
> Other languages? it depends. Last time I checked for Elixir, it was
> not good.
> 

No need to do manual/extra DNS queries to verify certificates via DANE.

GnuTLS has DANE validation build in
<https://www.gnutls.org/manual/html_node/Verifying-a-certificate-using-DANE.html>

and OpenSSL has that as well
<https://www.openssl.org/docs/man1.1.0/man3/SSL_dane_enable.html>

Greetings

Carsten

Link to individual message.

16. CΓ΄me Chilliet (come (a) chilliet.eu)

Le lundi 1 mars 2021, 10:42:15 CET cas a ?crit :
> No need to do manual/extra DNS queries to verify certificates via DANE.
> 
> GnuTLS has DANE validation build in
> <https://www.gnutls.org/manual/html_node/Verifying-a-certificate-using-DANE.html>
> 
> and OpenSSL has that as well
> <https://www.openssl.org/docs/man1.1.0/man3/SSL_dane_enable.html>

This is great news, but on an other subthread Stephane said:
> This is certainly the best solution, technically
> speaking. Unfortunately, adding DANE support to your Gemini client
> typically requires some effort, the existing libraries are typically
> not sufficient. (Full disclosure: I did not even add DANE support to
> my own Gemini client, despites the fact I'm strongly pro-DANE.)

Who is right?

I would feel really comfortable building on a existing bloc like DANE as 
this way there is a lot more chance to see libraries supporting it than if 
we use something Gemini-specific.

C?me

Link to individual message.

17. Stephane Bortzmeyer (stephane (a) sources.org)

On Mon, Mar 01, 2021 at 11:44:06AM +0100,
 C?me Chilliet <come at chilliet.eu> wrote 
 a message of 25 lines which said:

> Who is right?

Both :-)

Programmers may not have a version of OpenSSL or GnuTLS recent enough,
or they may use another TLS library, or the binding to GnuTLS/OpenSSL
they use for their favorite programming language may not expose DANE
validation yet.

Link to individual message.

18. Petite Abeille (petite.abeille (a) gmail.com)



> On Mar 1, 2021, at 11:44, C?me Chilliet <come at chilliet.eu> wrote:
> 
> Who is right?

No one. Everyone. It depends.

It's self-inflicted as well, as Gemini insists on mandating TLS ? without 
having thought through how to actually use it, nor if it's even relevant 
to the protocol usage.

It's also dogmatic: not every contexts require TLS. 

It could as well be redundant: different contexts may already provide 
their own security layer(s).

It may also introduce build-in obsolescence: a few years ago, Gemini would 
have mandated SSL. What now?

There is an easy way out of this conundrum: move the mechanical details of 
how to connect to a Gemini service out of the specification.

Provide instead connection profiles, such as Protocol Labs' multiaddr or similar:

https://multiformats.io/multiaddr/

That way, the gory details on how to connect to a Gemini service (THE HOW) 
is separated from the Gemini specification itself (THE WHAT).

?0?

Link to individual message.

19. devel (a) datenbrei.de (devel (a) datenbrei.de)


Am 28.02.21 um 23:07 schrieb Martin Keegan:
> On Sun, 28 Feb 2021, C?me Chilliet wrote:
> 
>> I?m failing to see how TOFU can provide any security, especially if
> 
> Does SSH provide any security

In all of my life I used ssh to administer servers which had been my own 
or had been owned by the company I had been working on. So, if I set up 
a server from scratch I always did know exactly, why my ssh did warn me 
  about a mismatch.

Using servers of others gives a totally different situation. I don't 
know anything why or by whom a certificate had been changed. Anyways, if 
I gave trust to somebody the first time, why should I not trust him the 
next time? No matter for me if I'm just reading Gemini pages.

Martin

Link to individual message.

---

Previous Thread: Mastodon proxy for Gemini

Next Thread: [spec] ☿️ β€” a symbolic protocol