[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Gopher over TLS

For better or worse, there's a tradition that every port number > 100000 is a TLS port (and you have to subtract 100000 from the port number to get the real port number!). So that if I wanted to serve gopher-TLS on port 473, I would actually advertise it as port 100473.

I would strong advise against using anything other than TLS for the crypto: it's a well-known protocol with solid implementations on all platforms.  On a more personal note, it's also super easy to use via the Window UWP networking API: starting with a socket, you jut tell it to be secure, and it does the TLS stull 

I would extra recommend against any protocol that doesn't include crypto-agility: what we know of crypto algorithms is that they get broken constantly. I work at Microsoft and get to see some of the inner workings of the network security team; they do a lot of work to make sure that the protocols available aren't the ones that have been broken.

Lastly: if you're a gopher server, please consider making sure that you support TLS 1.2 on your server! TLS 1.0 is absolutely going to be broken in the future; we should be prepared to shut it off.

Peter

On Saturday, March 14, 2020, 05:28:06 AM PDT, James Tomasino <tomasino@sdf.org> wrote:


On 3/14/20 11:18 AM, Emil Engler wrote:

> Hi, I thought about writing a standard for a secure Gopher protocol
> (short gophers).
> Have there been any proposals for this yet and what's the general
> consensus about this on this ML


There are some implementations in place. Solderpunk's vf-1 has TLS
support (called Battle Mode). Jan is adding TLS support to ncgopher as
well. The big question becomes how it's served.

gopher://cosmic.voyage serves TLS on port 7070. Previous discussions had
some people suggesting port 7443, 7000, or 71. A server that serves over
port 70 is likely to break things for non TLS clients.

I phlogged about an easy way to set up TLS support with gophernicus and
stunnel last year:

gopher://gopher.black/1/phlog/20190120-gophernicus-tls-howto

And I just posted an update about it today when I realized things were
breaking due to lets encrypt:

gopher://gopher.black/1/phlog/20200314-tls-on-gopher-update

As a side note, I've decided instead to run tor hidden services on
gopher.black and tilde.black rather than setting up gopher over TLS. It
gives me end-to-end encryption, offers readers some anonymity, and adds
to the overall usage of tor which is a net plus. I have my how-to guides
on that on the phlog as well.


Reply to: