
Re: [gopher] TLS situation in gopher [was: Re: Gophernicus 2.4



> Here the client caches the information (caps.txt really) that server:7070
> is TLS and every connection to server:7070 should be made using TLS.

What this really means is we need HSTS for Gopher, i.e., a site that was
detected to be gopher+TLS should never be downgraded, and optimally there
should be a preloaded list in gopher+TLS clients so that (like the S-T-S
header in HTTPS) there is less chance of a "first time caps.txt" attack,
which the simplicity of the protocol would make trivial to a wire attacker.

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser@floodgap.com
-- Put down your guns, it's Weasel Stomping Day! ------------------------------

_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project
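
Added example, not part of the original message or of any Gopher client's code: a minimal sketch of the client-side policy the message describes, where a host:port once seen speaking TLS is never downgraded and a preloaded list covers first contact. The class and method names, the `caps_advertises_tls` flag, and the hosts are hypothetical.

```python
class DowngradeRefused(Exception):
    """Raised when a host:port pinned to TLS cannot be reached over TLS."""


class GopherTLSPins:
    """Tracks which host:port pairs must always be contacted over TLS."""

    def __init__(self, preloaded=()):
        # Preloaded entries ship with the client, so they are protected
        # even on the very first connection.
        self.preloaded = {(h.lower(), p) for h, p in preloaded}
        # Learned entries are added after a successful TLS handshake.
        self.learned = set()

    def is_pinned(self, host, port):
        key = (host.lower(), port)
        return key in self.preloaded or key in self.learned

    def record_tls(self, host, port):
        """Call once a TLS handshake to host:port has succeeded."""
        self.learned.add((host.lower(), port))

    def choose_transport(self, host, port, caps_advertises_tls):
        """Return 'tls' or 'plain' for the next connection attempt.

        caps_advertises_tls is whatever the client concluded from the
        server's capability file (assumed to be a plain boolean here).
        A pin always wins over a capability file that says "no TLS".
        """
        if self.is_pinned(host, port) or caps_advertises_tls:
            return "tls"
        return "plain"

    def on_tls_failure(self, host, port):
        """Decide what to do after a failed TLS handshake."""
        if self.is_pinned(host, port):
            # Never fall back: a failure here may be a stripping attempt.
            raise DowngradeRefused(f"{host}:{port} is pinned to TLS")
        # Unpinned first contact is the gap a preload list is meant to close.
        return "plain"


if __name__ == "__main__":
    # Constructed hosts for illustration only.
    pins = GopherTLSPins(preloaded=[("preloaded.example", 7070)])
    print(pins.choose_transport("new.example", 7070, caps_advertises_tls=False))
    pins.record_tls("new.example", 7070)
    print(pins.choose_transport("new.example", 7070, caps_advertises_tls=False))
```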


