If you’re a server author, here are some issues you need to consider.

“We should also go through the HTTP 1.0 and 1.1 RFCs and read through the security considerations sections.” – nytpu on #gemini

Path traversal

If you serve local files, and you get the filename from the URL, then you need to make sure that you normalize your URL and check whether the destination is something you actually want to serve. Consider this:

gemini://transjovian.org/static/../key.pem

If you simply take everything after static/ and use it as a filename and hope that it refers to a file in the “static” directory, then the URL above might allow people to download important files your server has access to – your certificate and key files, or a user database, or log files, for example.

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.

Path Traversal, by Open Web Application Security Project (OWASP)
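One way to implement the normalize-and-check step described above, as an added example that is not part of the original page or of any particular Gemini server. The names resolve_static, demo and STATIC_PREFIX and the file layout are assumptions made for illustration, and the sample files are constructed.

```python
import os
import tempfile
from urllib.parse import urlsplit, unquote

STATIC_PREFIX = "/static/"  # URL prefix taken from the example URL above


def resolve_static(url, root):
    """Map a request URL to a file inside root, or return None to refuse."""
    path = urlsplit(url).path
    if not path.startswith(STATIC_PREFIX):
        return None
    # Decode percent-escapes first, so %2e%2e/ is seen as ../
    rel = unquote(path[len(STATIC_PREFIX):])
    if "\0" in rel:
        return None
    # realpath collapses ".." and follows symlinks. An absolute rel makes
    # join() discard root; the containment check below rejects that too.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target if os.path.isfile(target) else None


def demo():
    """Build a constructed capsule layout and try several request URLs."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "static")
        os.mkdir(root)
        for name in (os.path.join(root, "hello.gmi"), os.path.join(top, "key.pem")):
            with open(name, "w") as f:
                f.write("constructed sample\n")
        # A symlink inside the served directory that points outside it
        os.symlink(os.path.join(top, "key.pem"), os.path.join(root, "link.pem"))
        base = "gemini://transjovian.org/static/"
        requests = ["hello.gmi", "../key.pem", "%2e%2e/key.pem",
                    "/etc/passwd", "link.pem", "missing.gmi"]
        return {r: resolve_static(base + r, root) is not None for r in requests}


if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{request:20} {'served' if served else 'refused'}")
```

The same containment check applies to any other untrusted string that ends up in a filename, such as a client certificate’s common name.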

CGI scripts

If you allow code to run on your server, do you audit it yourself, or do you enforce limits using suexec or the like? A CGI script might have access to everything the server has access to, including configuration and certificates.

Certificate checking

If you want to use client certificates, you have to set up your server to request client certificates from clients, and you have to disable some of the verification of these client certificates. They’re going to be self-signed, for one. But remember not to disable all the checks! You still want to check for expiration, for example. If you use the common name (CN) as a user identifier, make sure you’re not using it for a filename without checking for path traversal issues (see above).

Upload limits

You need to prevent an attacker from filling up your disk with a gazillion files.

You need to prevent an attacker from tying up your server with endless uploads: if it takes forever, one of your worker threads is blocked; if it keeps sending more and more bytes without end, it fills up your RAM or your disk, depending on where you store what you get.

MIME types

If you allow the upload and download of arbitrary MIME types, you’re offloading some responsibility to client authors. What if visitors get served malware?

Rate limiting

Gemspace is full of badly written bots. There’s a status you can use to tell people to slow down (status code 44). Use it.

Therefore, either make sure your server only serves a number of static files so that it can handle the bots, or hide the dynamic parts of your site behind a client certificate requirement, or block bots.

Dealing with bots

Spam

Gemspace has a few sites where people can sign up for hosting space, for free, automatically. One such space is Gemlog Blue. But when you check the member names, you’ll find names such as EIcPUfDK, EJy6uKwi, EhiTxEuZ, F4d7chEV, FCVtOHV1, and on and on. When you follow the links, they have a single page, and from there, they have a single link pointing elsewhere on the web. It’s link spam, done to increase the page rank of some other page. You might think that this can’t work, since these capsules are only available from Gemini, and you’d be wrong.

First, many of the hosting sites are accessible to proxies, and not all the proxies make an effort to prevent web crawlers from indexing the Gemini pages they are proxying. This is how they are turned into targets.

Second, many bots are already crawling gemspace, some of them badly written, building up indexes of who links to whom. Should Gemini ever take off, somebody is going to write a search engine that incorporates page rank and we’re going to return to the Google web, with everybody using the search engine (as it is genuinely useful) and therefore enabling a platform where ads can be placed, which makes page rank important, which in turn makes targets of all the free hosting sites.

The key is to have non-automation somewhere in the chain. @m15o@fosstodon.org says:

I added a key system to fight against spam: anyone can still join ichi, but to do so, you'll need a key that you can get by sending me an email or buying it for $5. It's a system I've used on smol.pub and helps prevent the spam.
