
Re: TLS in Gopher



On Tue, Feb 27, 2018 at 7:08 PM, Christoph Lohmann <20h@r-36.net> wrote:
Ideal way:

        C->S: STARTTLS\r\n
        S->C: <TLS begins on both sides>
        C->S(in TLS): selector[\tsearch]\r\n
        S->C(in TLS): answer


The only drawback I see is that this complicates connecting somewhat. How good will library support be for this? Looking at Python 3.6, for example, it's trivial to use SSL but needs some more coding to get STARTTLS right.
https://docs.python.org/3.6/library/ssl.html

gnutls-cli has a --starttls option, but I'd have to see it in action.
http://man7.org/linux/man-pages/man1/gnutls-cli.1.html

Sadly, faulty implementations have led to protocol downgrade attacks.
https://crypto.stackexchange.com/questions/10493/why-is-tls-susceptible-to-protocol-downgrade-attacks#10495

I proposed to make every selector beginning with a char of uppercase
ASCII (A‐Z) to be a special case. This will permit following historical
compatibility:

* Servers allowing HTTP transparent serving.
* Maybe allow things like haproxy to work for gopher servers.


I don't quite understand this. Is this because you assume that all selectors start with a slash?
What about the following? Would it no longer work?

echo Alex_Schroeder | nc alexschroeder.ch 70

 

## Why no separate port?
* We need to define some way in menus for TLS entries.
* It will require not just an upgrade of clients and servers.
* It will require gophers:// to be defined and introduced.


I personally find this easy to deal with. The default is simply that old clients cannot follow links to TLS-enabled servers and new clients need a way to enable some sort of TLS mode in which they expect all menus to be encrypted. As long as you read documents on the same server, no problem. When you follow links, clients will get errors when they're in the wrong mode and can try and recover on their own, if they want to, hopefully only upgrading to TLS mode and never downgrading. When I added this to VF1, I noticed no significant usability degradation.

Depending on the input I will start implementing this in geomyidae and
sacc and write the RFC.


More code is always good!

Cheers
Alex
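
The STARTTLS exchange quoted at the top of this message, combined with the never-downgrade behaviour mentioned in the reply, as an added Python example (not code from the thread, geomyidae, sacc or VF1). `fetch_starttls`, `TLSUpgradeFailed` and `legacy_server` are hypothetical names, and the old server answering `STARTTLS` with a type 3 error item is an assumption.

```python
import socket
import ssl
import threading


class TLSUpgradeFailed(Exception):
    """STARTTLS was sent but no verified TLS session came up."""


def fetch_starttls(host, port, selector, search=None, context=None, timeout=5.0):
    """Proposed exchange: plaintext STARTTLS, then the request inside TLS."""
    context = context or ssl.create_default_context()  # cert + hostname checks on
    request = selector if search is None else selector + "\t" + search
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"STARTTLS\r\n")  # the only bytes sent in the clear
        try:
            tls = context.wrap_socket(raw, server_hostname=host)
        except OSError as exc:  # ssl.SSLError, resets and timeouts are all OSError
            # Fail closed: never resend the selector over the plaintext socket.
            raise TLSUpgradeFailed(f"{host}:{port}: {exc}") from exc
        with tls:
            tls.sendall(request.encode() + b"\r\n")
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
            return b"".join(chunks)


def legacy_server(seen):
    """Constructed peer: a pre-TLS gopher server on a loopback port."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        with srv, srv.accept()[0] as conn:
            conn.settimeout(2)
            rfile = conn.makefile("rb")
            seen.append(rfile.readline())  # treats STARTTLS as a selector
            try:
                conn.sendall(b"3'STARTTLS' not found\t\terror.host\t1\r\n.\r\n")
                conn.shutdown(socket.SHUT_WR)
                seen.append(rfile.read())  # whatever the client sends next
            except OSError:
                pass  # client already dropped the connection

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return srv.getsockname()[1], worker
```

Against a server that does not speak TLS, the handshake fails on the plaintext error item and the selector never leaves the client.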

