You could add crypto to gopher, but I think it's a hack
I received the following email today:
> From: Trevor Clarke <XXXXXXXXXXXXXXXXXX>
> To: [email protected]
> Subject: Secure gopher comment
> Date: Tue, 28 Sep 2021 16:21:10 -0400
>
> I just read your post http://boston.conman.org/2019/03/31.1 [1]
>
> About the difficulty of adding TLS (Transport Layer Security) to gopher. I
> don't think it's as bleak as you suggest. A client supporting secure gopher
> simply sends a TLS client hello packet when first connecting to the server.
> If it receives nothing or receives something that is not a valid server
> hello it drops the connection and switches to regular gopher for that
> server. To minimize the number of failed attempts the client can cache the
> type of server during a session or persist the status for a period of time
> before trying again.
>
As I wrote back, this is already being done by clients as can be seen from my
gopher logs:
-----[ data ]-----
Sep 28 09:10:44 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=false request="223120101…" bytes=82
Sep 28 09:10:44 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=true request="Gopher:Src:port70/handlers/" bytes=505
Sep 28 16:44:41 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=false request="223120101…" bytes=82
Sep 28 16:44:41 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=true request="Phlog:2004" bytes=533
Sep 28 18:04:43 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=false request="223120101…" bytes=82
Sep 28 18:04:43 daemon info 71.19.142.20 gopher remote=XXXXXX.1.36 status=true request="Bible:" bytes=10647
-----[ END OF LINE ]-----
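What the log pairs above record is the client behaviour Trevor describes: a first request whose bytes are a TLS ClientHello, answered with a gopher error, followed a moment later by the real selector in the clear. The following is an added example, not code from this post or from any gopher client, of that probe-then-fall-back logic with the per-server cache the email suggests. The host names, the cache lifetime and the simulated connectors are constructed for the offline run. One rule goes beyond the email: once a server has answered over TLS, a later handshake failure is reported as an error instead of silently retrying in plaintext, which is the usual way to keep a downgrade limited to first contact.

```python
import socket
import ssl
import time

# Constructed value: how long a remembered probe result stays valid.  The email
# suggests caching the server type for a session or persisting it for a while.
CACHE_TTL_SECONDS = 24 * 3600


class GopherClient:
    """Opportunistic-TLS gopher client: probe TLS first, remember the answer."""

    def __init__(self, probe_tls=None, connect_plain=None, now=time.time):
        self._cache = {}   # (host, port) -> (supports_tls, recorded_at)
        self._now = now
        # Real connectors are used unless test doubles are injected.
        self._probe_tls = probe_tls or self._tls_connect
        self._connect_plain = connect_plain or self._plain_connect

    @staticmethod
    def _tls_connect(host, port, timeout):
        """Return a TLS-wrapped socket, or None when the server did not complete
        a handshake (it answered the ClientHello as a selector, or closed, or
        timed out).  A TCP failure is not a TLS failure and is left to propagate."""
        raw = socket.create_connection((host, port), timeout=timeout)
        ctx = ssl.create_default_context()
        try:
            return ctx.wrap_socket(raw, server_hostname=host)
        except (ssl.SSLError, OSError):
            raw.close()
            return None

    @staticmethod
    def _plain_connect(host, port, timeout):
        return socket.create_connection((host, port), timeout=timeout)

    def _remembered(self, key):
        entry = self._cache.get(key)
        if entry is None:
            return None
        supports_tls, recorded_at = entry
        if self._now() - recorded_at > CACHE_TTL_SECONDS:
            del self._cache[key]          # stale: probe again next time
            return None
        return supports_tls

    def connect(self, host, port=70, timeout=5.0):
        """Open a connection and return (socket, used_tls)."""
        key = (host, port)
        remembered = self._remembered(key)
        if remembered is False:
            # Known plain server: skip the probe the email wants to avoid repeating.
            return self._connect_plain(host, port, timeout), False
        conn = self._probe_tls(host, port, timeout)
        if conn is not None:
            self._cache[key] = (True, self._now())
            return conn, True
        if remembered is True:
            # Added rule: a server that spoke TLS before gets no silent plaintext
            # retry, so a blocked handshake cannot downgrade the session.
            raise ConnectionError(f"{host}:{port} answered over TLS before; not falling back")
        self._cache[key] = (False, self._now())
        return self._connect_plain(host, port, timeout), False

    def fetch(self, host, selector, port=70, timeout=5.0):
        """Send one selector and return (response_bytes, used_tls)."""
        sock, used_tls = self.connect(host, port, timeout)
        with sock:
            sock.sendall(selector.encode("utf-8") + b"\r\n")
            chunks = []
            while chunk := sock.recv(4096):
                chunks.append(chunk)
        return b"".join(chunks), used_tls


def simulate():
    """Drive the state machine with constructed connectors; no network is used."""
    tls_hosts = {"tls.example"}          # constructed: which server speaks TLS
    probes = []

    class FakeConn:
        def close(self):
            pass

    def fake_probe(host, port, timeout):
        probes.append(host)
        return FakeConn() if host in tls_hosts else None

    def fake_plain(host, port, timeout):
        return FakeConn()

    client = GopherClient(probe_tls=fake_probe, connect_plain=fake_plain)
    _, first = client.connect("plain.example")    # probe fails, falls back
    _, second = client.connect("plain.example")   # cached: no second probe
    _, third = client.connect("tls.example")      # probe succeeds
    tls_hosts.clear()                             # later the handshake is blocked
    try:
        client.connect("tls.example")
        refused = False
    except ConnectionError:
        refused = True
    return {"plain_used_tls": (first, second),
            "probes_to_plain": probes.count("plain.example"),
            "tls_used_tls": third,
            "downgrade_refused": refused}


if __name__ == "__main__":
    print(simulate())
```

Against a plain gopher server the real `_tls_connect` produces exactly the log pattern above: the server reads the ClientHello as a selector and answers with an error, the TLS library raises, and the client reconnects in the clear. The cache removes the repeated wasted probe on later requests, but it does nothing for the very first contact, which is where the fallback stays exposed.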
There's also a trick that servers can do to “seamlessly” support TLS—peek at
the initial packet for the start of a TLS connection, and if it doesn't
match, then fall back to the normal TCP (Transmission Control Protocol)
routine. There's also the possibility of a downgrade attack, where the
client's TLS attempt is made to fail so that it falls back to plain gopher.
I'm not a fan of either of these approaches. On the client side, it makes
(potentially annoying) extra requests that for the most part, will be a waste
of time as not many gopher servers (to my knowledge) support TLS. And on the
server side, it's a hack to peek at the initial packet of data (it can be done
on some systems, but I don't know if all TCP stacks support peeking at the
data before reading the data).
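For concreteness, here is an added example (not code from this post or from my gopher server) of the server-side peek on systems whose sockets support it. It looks at the first bytes with `MSG_PEEK`, which leaves them in the kernel buffer, and decides whether they are the start of a TLS handshake record (0x16 followed by a 0x03 version byte) or a gopher selector, which is printable text ending in CRLF and can never begin with 0x16. The demo runs over a local socketpair with a constructed ClientHello header so it works offline; the short bounded retry covers the case where a peek returns fewer bytes than the verdict needs.

```python
import socket
import time

TLS_HANDSHAKE = 0x16   # TLS record content type for a handshake message
MIN_PEEK = 3           # content type plus the 2-byte record version decides it


def classify_initial_bytes(head: bytes) -> str:
    """Classify the first bytes a client sent as 'tls', 'gopher' or 'unknown'.

    A TLS ClientHello arrives as a handshake record: 0x16, then 0x03 0x0N.
    A gopher request is a selector (possibly empty) ending in CRLF, so its
    first byte is CR, LF, TAB, printable ASCII or a UTF-8 lead byte.
    """
    if not head:
        return "unknown"
    first = head[0]
    if first in (0x0D, 0x0A, 0x09) or 0x20 <= first <= 0x7E or first >= 0x80:
        return "gopher"
    if first == TLS_HANDSHAKE:
        if len(head) < MIN_PEEK:
            return "unknown"           # need the version bytes to be sure
        return "tls" if head[1] == 0x03 else "unknown"
    return "unknown"


def peek_protocol(conn: socket.socket, timeout: float = 2.0) -> str:
    """Look at the first bytes without consuming them.

    After a 'tls' verdict the socket can be handed to a TLS library, which
    reads the same ClientHello; after 'gopher' the normal selector reader sees
    an untouched request.  MSG_PEEK may return fewer bytes than asked for, so
    a few short waits are allowed before giving up with 'unknown' (what to do
    then, serve as gopher or drop, is server policy).
    """
    conn.settimeout(timeout)
    for _ in range(3):
        try:
            head = conn.recv(MIN_PEEK, socket.MSG_PEEK)
        except OSError:                # timeout or reset: nothing usable arrived
            return "unknown"
        if not head:
            return "closed"
        verdict = classify_initial_bytes(head)
        if verdict != "unknown" or len(head) >= MIN_PEEK:
            return verdict
        time.sleep(0.05)               # bounded wait for the rest of the record
    return "unknown"


def demo_peek(payload: bytes) -> tuple:
    """Send payload through a socketpair, peek on the receiving end, then read
    normally to show the peek consumed nothing.  Returns (verdict, bytes_read)."""
    client, server = socket.socketpair()
    try:
        client.sendall(payload)
        verdict = peek_protocol(server)
        remaining = server.recv(len(payload))
    finally:
        client.close()
        server.close()
    return verdict, remaining


if __name__ == "__main__":
    # Constructed record header: handshake, record version 3.1, length 0xf0.
    print(demo_peek(b"\x16\x03\x01\x00\xf0\x01"))
    print(demo_peek(b"Phlog:2004\r\n"))
```

The check itself is cheap; the objection in the text stands, since it relies on the TCP stack exposing the peek and on the ClientHello arriving before the timeout, and a server that is willing to serve plain gopher to anything that does not look like TLS is exactly what makes the downgrade possible.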
I also mentioned that one of the major complaints about the Gemini protocol
[2], something of a reimagining of gopher but with mandatory TLS, is its use of
TLS. Go figure—there are people who want to add TLS to gopher, and people who
want to remove TLS from Gemini.
[1] http://boston.conman.org/2019/03/31.1
[2] https://gemini.circumlunar.space/