Re: [gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]

To: Gopher-Project <gopher-project@lists.alioth.debian.org>
Subject: Re: [gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]
From: Kim Holviala <kim@holviala.com>
Date: Mon, 6 Feb 2017 14:40:00 +0200
Message-id: <[🔎] BDC62F55-DDDE-4636-86AE-0FC6F66B3A96@holviala.com>
Reply-to: Gopher Project Discussion <gopher-project@lists.alioth.debian.org>
In-reply-to: <[🔎] ec09479b-a619-4c50-5e59-22350c8e9adb@r-36.net>
References: <[🔎] 201702041011.v14ABcjk10813568@floodgap.com> <[🔎] F5C9CFB2-112C-4825-B9DE-DD51A9E44BED@holviala.com> <[🔎] CALGqR9LkhpKOMW93e5NoZ+jix1YKbpPyxYGWsO1gWik6MYSkvw@mail.gmail.com> <E1cadBY-00056I-4B@moszumanska.debian.org> <E1cadHt-0007NO-JQ@moszumanska.debian.org> <[🔎] CAJvjBNaXfEVYrvetsFjto8NR+SNP6y9AmX4YmphgK+7bZGRgkg@mail.gmail.com> <[🔎] ec09479b-a619-4c50-5e59-22350c8e9adb@r-36.net>

On 06 Feb 2017, at 14:08, Christoph Lohmann <20h@r-36.net> wrote:
> 
> For the daemon situation we could go with the time: Listen for the first
> bytes and if it's a TLS handshake, go with TLS.

There is an existing standard for something like that and it's called STARTTLS. The problem with STARTTLS is that if no TLS handshake (or STARTTLS command) happens the connection is done without encryption in a way that does not notify the end-user. In other words, it's still possible to do MITM.

> You are already doing
> this hack for the proxy thing by checking for a special string, which is
> according to the gopher rfc invalid and could be a valid selector.

Thanks for noticing that - there's now a new option in Gophernicus (git repo version) to disable the proxy protocol completely.

> For the client side I propose the mentioned »gophers://« syntax, which
> tells the clients to try TLS on port 70. If it fails (handshake won't be
> answered right), retry unencrypted.

No, never do that. If a client wants TLS then the connection should never be downgraded to an unencrypted one *silently*.

> And something else I thought about is headers or extensions: A selector
> has to end in \r\n. Why don't we put extensions between \r and \n?

Because it breaks some clients. Trust me, I tried to do extensions to the Gopher protocol a few years ago but eventually had to scrap all of my code because it would always break something, somewhere.

Better way is to mess with the port number in menus:

0About this project     /about.txt      gophernicus.org 70
0About this project     /about.txt      gophernicus.org TLS:7070

But I'm quite certain some clients completely break down when handed a menu like that.

Anyway - I'm open for suggestions and will try to implement them in Gophernicus. The current TLS/SSL "implementation" was super simple and didn't break anything so I will be leaving that in - but it's only half a solution without a proper way to link to TLS-enabled gopher sites.

- Kim

_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project

Reply to:

Follow-Ups:
- Re: [gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]
  - From: Driedfruit <driedfruit@mindloop.net>

References:
- Re: [gopher] Gophernicus 2.4 "Millennium Edition" released
  - From: Cameron Kaiser <spectre@floodgap.com>
- Re: [gopher] Gophernicus 2.4 "Millennium Edition" released
  - From: Kim Holviala <kim@holviala.com>
- Re: [gopher] Gophernicus 2.4 "Millennium Edition" released
  - From: James Mills <prologic@shortcircuit.net.au>
- Re: [gopher] Gophernicus 2.4 "Millennium Edition" released
  - From: Wolfgang Faust <wolfgangmcq@gmail.com>
- [gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]
  - From: Christoph Lohmann <20h@r-36.net>

Prev by Date: [gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]
Next by Date: Re: [gopher] Good news: OverbiteFF isn't dead yet
Previous by thread: [gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]
Next by thread: Re: [gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]
Index(es):
- Date
- Thread