Re: Gopher TLS support in curl

To: Cameron Kaiser <spectre@floodgap.com>
Cc: gopher-project@other.debian.org
Subject: Re: Gopher TLS support in curl
From: John Goerzen <jgoerzen@complete.org>
Date: Mon, 21 Dec 2020 22:04:01 -0600
Message-id: <[🔎] 87sg7yqyfi.fsf@complete.org>
In-reply-to: <[🔎] 202012212250.0BLMoxDk17170616@floodgap.com>
References: <[🔎] 87v9cv5a86.fsf@complete.org> <[🔎] 202012212250.0BLMoxDk17170616@floodgap.com>


On Mon, Dec 21 2020, Cameron Kaiser wrote:

That is a FANTASTIC trick!  Actually it could be expanded to
simply do plaintext for a non-TLS-capable client.  I personally
would prefer that, if only because I still want to use UMNgopherclient sometimes. There is something about its lovely 90sfeel...
I still don't understand how this can be protected againstdowngradeattacks. A malicious MITM could simply ensure that the TLStrigger bytewas never communicated (race the packet, etc.) and both clientand server
would then assume the connection isn't TLS.

Not a high risk, but if the end goal is security ...

True, true... And we don't really have a way to do HSTS, not thatwe'd want to. But then how could one ever migrate otherwise? Imean, you couldn't just move floodgap.com to TLS without breakinga bunch of links out there, right?

One starts to wonder if Tor onion services might make an easiertarget here...


John

Reply to:

References:
- Re: Gopher TLS support in curl
  - From: John Goerzen <jgoerzen@complete.org>
- Re: Gopher TLS support in curl
  - From: Cameron Kaiser <spectre@floodgap.com>

Prev by Date: Re: Gopher TLS support in curl
Next by Date: Re: Gopher TLS support in curl
Previous by thread: Re: Gopher TLS support in curl
Next by thread: Re: Gopher TLS support in curl
Index(es):
- Date
- Thread