THE BEST THING ABOUT GOPHER IS THAT IT'S UNENCRYPTED

Time for something controversial. Actually most of my entries are
controversial, it's just that I doubt anybody reading really cares
that much about their topics. But this one's about internet
protocols, and an opinion on them is basically a prerequisite for
browsing Gopher today in the first place.

Now this is basically a reaction to Gemini. I don't object to
Gemini's existence, but I wouldn't use it. That is partly because I
don't want any more than the Gopher protocol already provides.
Beyond read-only sites with strictly structured content navigation
and no embedded images, HTML/HTTP provides a wide world of forms,
session tracking, and unsolicited multi-megabyte image downloads.
You know it's there, you know it can be set up without using
client-side scripting or cross-site tracking. You know of countless
websites that _do_ work in a text-only browser. Your only problem
is that it allowed for trends in web design that you strongly
dislike to become commonplace.

Well one trend the web has taken that _I_ dislike is HTTPS
redirects for read-only access. That is: requiring encryption when
one is not submitting private information. Gemini requires
encrypted connections for everything, so I don't like it.

You're probably not convinced. Maybe you think that I don't
understand all of the advantages of encrypted connections. Or maybe
you just think I'm grumpy about encryption because I can't get a
new version of OpenSSH compiled on this PC so that I can connect
easily to aussies.space and submit this post, and on that you're
not that far wrong (though on that alone I'd just as well be
complaining about the bloody configure script refusing to find the
specified OpenSSL directory whenever there are any files in it!).

I get that someone intercepting the packets can work out which
pages you're viewing on a site. But if you're really concerned
about that then remember that which site you're viewing, and in
what pattern, are often revealed by the IP addresses regardless of
encryption anyway, unless you use a VPN/TOR (where you still have
to trust that the service providers aren't infiltrated by some
nation's security service). Say you're browsing with an encrypted
Gopher protocol: your first connection is to one of the phlog
aggregator pages, then you check through the recently updated
phlogs that you like. Someone watching the IP addresses that you
connect to (eg. at your ISP) would see that your first connection
was to a server running a phlog aggregator (amounting to the
majority of its traffic), followed by a sequence of two connections
to various other servers corresponding to new links in the phlog
list. Do this enough, and they know what phlogs you follow, and
therefore what phlog posts you read (further helped by analysing
how long you spend reading posts - equating to time between new
connections).
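
The observer's view described above, as an added example that is not
part of the original post: it reconstructs which phlogs a client
follows, and how long each was read, from connection metadata alone.
The flow records, IP addresses and hostnames are constructed sample
data, and the IP-to-hostname map is assumed to come from public DNS.

```python
from collections import Counter

# Constructed sample: (time in seconds, destination IP) as logged on-path,
# e.g. at an ISP. Payloads are never inspected, so encryption changes nothing.
FLOWS = [
    (0,   "192.0.2.10"),     # aggregator page
    (20,  "198.51.100.7"),   # phlog A: menu
    (24,  "198.51.100.7"),   # phlog A: post
    (204, "203.0.113.5"),    # phlog B: menu
    (207, "203.0.113.5"),    # phlog B: post
    (267, "192.0.2.10"),     # back to the aggregator
    (280, "198.51.100.7"),   # phlog A again
    (283, "198.51.100.7"),
]

# Assumption: the observer can label servers from public DNS data.
HOSTS = {
    "192.0.2.10": "aggregator.example",
    "198.51.100.7": "phlog-a.example",
    "203.0.113.5": "phlog-b.example",
}

def visits(flows, hosts):
    """Group consecutive connections to one server into a visit and return
    (host, connections, dwell): dwell is the gap in seconds between the
    visit's last connection and the first connection to the next server."""
    grouped = []
    for ts, ip in sorted(flows):
        if grouped and grouped[-1]["ip"] == ip:
            grouped[-1]["last"] = ts
            grouped[-1]["connections"] += 1
        else:
            grouped.append({"ip": ip, "first": ts, "last": ts, "connections": 1})
    result = []
    for cur, nxt in zip(grouped, grouped[1:] + [None]):
        dwell = nxt["first"] - cur["last"] if nxt else None
        result.append((hosts.get(cur["ip"], cur["ip"]), cur["connections"], dwell))
    return result

def followed_phlogs(flows, hosts, aggregator):
    """Count visits per server, excluding the aggregator itself."""
    return Counter(h for h, _, _ in visits(flows, hosts) if h != aggregator)

if __name__ == "__main__":
    for host, connections, dwell in visits(FLOWS, HOSTS):
        print(f"{host:20} connections={connections} dwell={dwell}")
    print(followed_phlogs(FLOWS, HOSTS, "aggregator.example"))
```
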

American company Cloudflare have an answer along the lines of "make
all servers connect to users via us so that they're all using our
IP addresses instead of one corresponding to each server". Very
convenient for them that they then get to control access to every
server on the internet, and also without any protection against
security services getting their hooks into Cloudflare just like
they might with ISPs.

So just encrypting your read-only access to a server with the aim
of blindfolding a suspected big brother is a half-arsed measure at
best[1]. Nothing wrong with having the option of course, but not
worth forcing everyone to do it with HTTP to HTTPS redirects, or
protocols only supporting encrypted connections, and thereby making
the corresponding sacrifices.

What sacrifices? Very significant ones actually, for individuals
respecting the promise of a light and frugal internet.

Encryption has an expiry date. As technology and cryptographic
research progresses, old systems inevitably become insecure. To be
of use not just for the anyway unreliable obscuration of your
habits when downloading public content, but also for the more
important job of protecting passwords and other private information
sent over the internet, software must be continuously and endlessly
upgraded.

What then if developers fail to keep upgrading this software? It
cannot be used. If none support software for a particular platform,
then that platform becomes unusable. If that means you have to buy
a new device or use software that you don't like, tough luck. If
you can't afford a new device or there isn't suitable alternative
software, tough luck. If you want to write internet software
yourself but can't commit the time to routinely adapt to changes in
the encryption libraries, tough luck.

At the same time, the efficiency of encryption will always get
worse, as more processing power is always required to encrypt data
so that newer, more powerful, computers used to break that
encryption can never catch up. So older computers will need to be
upgraded just so that they are powerful enough to handle the more
resource-intensive encryption, even when they could otherwise have
been used yet for decades (yes decades, I'm coming to you from a
25yo PC). Hardware-based encryption built into CPUs allows them to
perform better with the cyphers used when they're made, but cannot
be upgraded for systems that will be used in the future. The
encryption-cracking possibilities of quantum computers threaten to
cause demand for a new suite of post-quantum cryptographic
technologies, custom hardware for which is already being developed.
When that becomes the new standard and integrated into new
hardware, old CPUs will be forced back to using slow software-only
encryption and may become unusable. If, of course, this hasn't
already happened by progression of conventional encryption
technology.

What I LOVE about Gopher is that I can still use the original
University of Minnesota "Internet Gopher Information Client" to
browse all of it[2], even though nobody has touched the code in the
official release for over a decade. Plus I can use it without
requiring a fast modern computer in order to take the load of
modern encryption libraries. When I first discovered Gopher many
years ago and wanted to see what a Gopher client was really like
(not within Firefox's then still built-in support), I used a long
since unmaintained closed-source gopher client on Windows XP (got
to hand it to M$, backwards compatibility did work well sometimes).
That would never have still worked if the protocol demanded
encryption and therefore needed software to be updated every few
years to keep pace.

Compare that to the web, for which a lot of more obscure
open-source browsers have recently become unusable because they
weren't updated to be built against OpenSSL 1.1. Furthermore,
obscure unmaintained closed-source browsers on Windows, and also
those for proprietary systems like old mobile phones, have been
unusable for many years because their encryption libraries
couldn't be updated this far.

By removing the option of unencrypted connections for accessing
public read-only content, server admins, and protocol designers,
are shrinking the choice available to users over what software they
use, and the range of hardware available to run it. They are
putting an expiry date on both the software and the computers their
users run it on.

I don't propose that users should be permitted to mistakenly send
passwords, credit card details, or any other private info over
the internet unencrypted, or using insecure protocols. But for the
case of public read-only access, where no such private information
is submitted, as is the case for so much of the web that _I_ use,
and all of Gopher (which by lack of session tracking, forms, or
client-side scripting, pretty much precludes other applications
anyway), encrypted connections are not essential. They are in fact
not even widely effective when used in isolation for the benefit of
privacy. As a choice, they are as welcome as the choice to use
Gopher instead of the web. But as a rule, they are a gatekeeper to
the internet forbidding entry to those whose preferences or
finances precluded an upgrade before the expiry date was up.

- The Free Thinker

[1] Another cause given for using encryption for read-only access
to public info is that it prevents someone from modifying the
content before it gets to you. This is a valid concern for users
who may be silly enough to enter personal details into a fake page
injected by a scammer. Though if there's no cause for the page to
ask for such information, then a user going ahead and providing it
would just as easily be scammed over an encrypted connection by
sites that genuinely are run by scammers themselves. Such users'
problems are only properly solved by improving their own education
about internet usage. Such an attempt wouldn't be very convincing
on Gopher anyway given its limitations and usual applications.

Also, evil overlords could subtly modify the content to secretly
manipulate us. I don't think anyone is manipulating phlog posts in
order to control the Gopher-reading population, so I don't care
about this with my own usage. You make up your own mind.

[2] With the exception of some pages where people try to cheat and
use gophermaps instead of text files so that they can have
HTML-like in-page links. But that's just abuse of Gopher's attempt at
a structured, yet still customisable, navigation system unlike
HTML's handing of a link shotgun to web designers with which they
can then shoot themselves in the foot.