
Re: Gopher over TLS



Mateusz writes:
> Integrity does not imply encryption (of the payload).

True, but encryption is one way to detect tampering.

That said, x.509 certs address a specific problem, one that might not
be important to those who care about Gopher & other fringe ways of
using the Internet.  Placing Gopher sites on the onion network might
be more appropriate than using x.509 certs.

x.509 certs are intended to tie an online entity to an offline organization.
Doesn't seem like something that Gopher users & providers care about.

Onion sites provide pseudonymity to their clients (also privacy over the wire),
but don't attempt to tie a server with an organization.  Might be more
appropriate for Gopher.  It's also easy to set up, might require no modification
to many Gopher clients & servers.  (Someone wrote a blog post about this
idea several years ago, but I'm unable to find it now.)


On Tue, Dec 7, 2021 at 12:49 AM Mateusz Viste <mateusz@viste.fr> wrote:
On 07/12/2021 00:40, Sean Conner wrote:
>> Why are we encrypting data that is published publicly?
>
>    It can be used to ensure that the data hasn't been modified on the way
> from the server to your client

Perhaps I am nitpicking, but this is not true. Integrity does not imply
encryption (of the payload).

The other thing is that all these gopher-over-TLS sites use either a
self-signed certificate or a x509 cert issued by a free CA. It is very
easy to substitute such server with a similar (modified) server simply
presenting a different certificate. The only valid approach would be for
you to meet with the author of the gopher site that you visit, so he
could provide you with his public key, and then you could validate that
the key hasn't changed each time you visit his gopher hole. But come
on, nobody cares. All this gopher-TLS venture is only a sick joke.

Mateusz
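The out-of-band key check Mateusz describes (obtain the server's key once, then verify it has not changed on every visit) is what a trust-on-first-use pin store does. The following is an added example written for this page, not code from anyone in the thread: it pins the SHA-256 fingerprint of the server's DER certificate per host, and a Gopher-over-TLS fetch refuses to send the selector when the presented certificate no longer matches the stored pin. The certificate bytes in the sample are constructed stand-ins; the fetch assumes a server speaking Gopher inside TLS on port 70, and the host name and pin-file path are placeholders.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

# Constructed stand-ins for DER certificates. A real client gets these
# bytes from ssl.SSLSocket.getpeercert(binary_form=True).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"gopher.example self-signed cert (constructed)"
ROTATED_CERT_DER = b"\x30\x82\x01\x0a" + b"a different cert presented later (constructed)"


class PinMismatch(Exception):
    """Raised when a host presents a certificate that differs from its pin."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(host: str, cert_der: bytes, pins: dict) -> str:
    """Trust-on-first-use decision for one connection.

    Returns "new" if no pin is stored for the host (the caller decides
    whether to accept and record it), "match" if the fingerprint equals
    the stored pin, and "mismatch" otherwise.
    """
    stored = pins.get(host)
    if stored is None:
        return "new"
    return "match" if stored == fingerprint(cert_der) else "mismatch"


def remember_pin(host: str, cert_der: bytes, pins: dict) -> None:
    """Record the host's current certificate fingerprint as its pin."""
    pins[host] = fingerprint(cert_der)


def load_pins(path: Path) -> dict:
    """Read the pin store (a JSON object of host -> hex fingerprint)."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


def fetch_gopher_tls(host: str, selector: str = "", port: int = 70,
                     pin_file: Path = Path("gopher_pins.json"),
                     timeout: float = 10.0) -> bytes:
    """Fetch one selector over TLS, enforcing the per-host pin.

    CA validation is disabled on purpose: a self-signed or free-CA cert
    gives no assurance about who runs the server, so the stored pin is
    the only identity check performed.
    """
    pins = load_pins(pin_file)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert_der = tls.getpeercert(binary_form=True)
            state = check_pin(host, cert_der, pins)
            if state == "mismatch":
                # Do not send the selector: the peer is not the one we pinned.
                raise PinMismatch(f"{host}: certificate changed since first visit")
            if state == "new":
                remember_pin(host, cert_der, pins)
                save_pins(pin_file, pins)
            # Gopher request: the selector followed by CRLF.
            tls.sendall(selector.encode("utf-8") + b"\r\n")
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Offline walk-through of the pin logic with the constructed certs.
    pins = {}
    print(check_pin("gopher.example", SAMPLE_CERT_DER, pins))   # new
    remember_pin("gopher.example", SAMPLE_CERT_DER, pins)
    print(check_pin("gopher.example", SAMPLE_CERT_DER, pins))   # match
    print(check_pin("gopher.example", ROTATED_CERT_DER, pins))  # mismatch
```

The first visit is the weak moment: if the pin is recorded from a substituted server, every later visit "matches" it. Getting the fingerprint from the operator out of band, as Mateusz suggests, and seeding the pin file with it closes that gap. The flip side is that a legitimate certificate renewal also trips the mismatch, so the operator has to publish the new fingerprint the same way.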

