
Re: State of Gopher and TLS?

On Wed, 2022-10-26 at 12:16 -0400, Sean Conner wrote:
> It was thus said that the Great Mateusz Viste once stated:
> > On 25/10/2022 14:44, Josuah Demangeon wrote:
> > > And gopher with TLS still needs some strategy for trusting
> > > certificates.
> > > 
> > > Maybe trust on first use is good? A bit like SSH?
> That's a major criticism of Gemini (besides the other one, which is 
> to remove TLS completely [3], which I find funny because TLS was the 
> sole reason it came about---as a gopher like protocol over TLS).

This is true. Gemini stems from this very conversation and it's my
logical conclusion to the gopher + TLS conversation. We have both.
Embrace whichever gives you joy.

In regards to TLS certificate authorities and Gemini's decision to go
with TOFU, it makes sense for that project's goals and the extremely
limited threat profile. That being said, DANE/TLSA actually solves it,
allowing self-signed certs an out-of-bounds validation via DNSSEC. I'm
running it on cosmic.voyage's gemini side if anyone wants to poke at
it. As DNSSEC continues to gain popularity I expect it to be more
common. Clients need to add some logic in to do the validation when
detecting a new certificate, but that's it.

Back to gopher, though. Gopher is a wonderful place. As I said in my
recent talk at MCH, it's not wide but it's deep. There's so much
content to be found plumbing the depths of those ~300 servers, and its
embracing of such a simplistic protocol opens doors to vintage hardware
that's worth more than the trade-offs of adding TLS.

And a final note to complicate things even more... if you want gopher
as-is, but want to ALSO provide a secure channel for transmission, just
run a second daemon on tor. :)
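The DANE/TLSA check described above, written out as an added example (it is not code from this thread or from cosmic.voyage). It assumes the TLSA records have already been fetched and DNSSEC-validated by a resolver and are passed in as tuples; the certificate it checks is a constructed DER stub, not a real server's cert.

```python
import hashlib

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _members(seq_value):
    """Split a SEQUENCE value into its raw (tag, whole_tlv_bytes) members."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, _, end = _tlv(seq_value, pos)
        out.append((tag, seq_value[pos:end]))
        pos = end
    return out

def spki_of(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    _, cert, _ = _tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(_members(cert)[0][1], 0)      # tbsCertificate ::= SEQUENCE
    fields = _members(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def tlsa_rdata(cert_der, selector=1, mtype=1):
    """TLSA data: selector 0 = full cert, 1 = SPKI; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype]
    return digest(data)

def dane_ee_accepts(cert_der, tlsa_records):
    """DANE-EE (usage 3): accept the presented cert iff a usage-3 record matches it.
    No CA chain and no stored TOFU history is consulted; records are (usage, selector, mtype, data)."""
    return any(u == 3 and tlsa_rdata(cert_der, s, m) == d
               for u, s, m, d in tlsa_records)

def _der(tag, payload):
    """Minimal DER TLV encoder, only used to build the constructed sample below."""
    n = len(payload)
    length = bytes([n]) if n < 128 else bytes([0x81 | (n > 255)]) + n.to_bytes(1 + (n > 255), "big")
    return bytes([tag]) + length + payload

# Constructed sample: syntactically valid, unsigned Ed25519 cert stub (empty sigalg/issuer/validity/subject).
_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70")) + _der(0x03, b"\x00" + b"\x11" * 32))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + _SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
```

A client that detects a new certificate would publish-side compare `tlsa_rdata(cert, 1, 1)` against the `_443._tcp` or `_1965._tcp` TLSA record for the host; a usage-3 match is sufficient on its own, which is what lets a self-signed cert pass without a CA.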
