[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: State of Gopher and TLS?

It was thus said that the Great Mateusz Viste once stated:
> On 25/10/2022 14:44, Josuah Demangeon wrote:
> >I think it was added because the trick to allow TLS on same port (peek at
> >the first byte before really reading it) was simple and easy to implement
> >server-side and has no consequence client-side (not breaking TCP-only).
> Could also crash a fragile - yet conforming - server implementation that 
> is not expecting to receive binary garbage from a client, or at least 
> pollute the server's logs with weird, possibly unreadable entries.

  You don't need TLS for that.  The modern Internet is a very unforgiving
place.  Over the past month, my gopher server [1][2] has received 12
requests that fit your criteria, and they aren't all TLS (only 4).  From my
logs (sans TLS requests):

\0\0\0XXSMBr\0\0\0\0\8\1@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\6\0\0\1\0\0X\0\2PC NETWORK PROGRAM 1.0\0\2MICROSOFT NETWORKS 1.03\0\2MICROSOFT NETWORKS 3.0\0\2LANMAN1.0\0\2LM1.2X002\0\2Samba\0\2NT LANMAN
\3\0\0,'X\0\0\0\0\0Cookie: mstshash=eltons

  If anything, the TLS attepts  have gone down over the past year.  The only
time I ever found it seriously annoying was one gopher bot (similar to a
web bot) making a TLS request for every request instead of caching the
non-TLS result.

> >And gopher with TLS still need some strateg for trusting certificates.
> >
> >Maybe trust on first use is good? A bit like SSH?

  That's a major criticism of Gemini (besides the other one, which is to
remove TLS completely [3], which I find funny because TLS was the sole
reason it came about---as a gopher like protocol over TLS).

> Use some other tunneling instead of TLS, then. But in any case, do not 
> call the resulting thing "Gopher", and do not hijack a TCP port that 
> have been in use since 30 years...

  Agree, and it's known as Gemini.


[1]	gopher://gopher.conman.org/

[2]	Using my own gopher server software:

[3]	There are two camps here---the first one that thinks TLS is not
	necessary at all, too complex and therefore, should be removed; and
	the second camp, which finds TLS too complex and therefore, it
	should be replaced with a bespoke encryption scheme they saw
	somewhere that is "simple" but yet no implementations exist.

Reply to: