[gopher] TLS situation in gopher [was: Re: Gophernicus 2.4
Cameron Kaiser
spectre at floodgap.com
Tue Feb 14 03:08:08 UTC 2017
> Here the client caches the information (caps.txt really) that server:7070
> is TLS and every connection to server:7070 should be made using TLS.

What this really means is we need HSTS for Gopher, i.e., a site that was
detected to be gopher+TLS should never be downgraded, and optimally there
should be a preloaded list in gopher+TLS clients so that (like the S-T-S
header in HTTPS) there is less chance of a "first time caps.txt" attack,
which the simplicity of the protocol would make trivial to a wire attacker.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser at floodgap.com
-- Put down your guns, it's Weasel Stomping Day! ------------------------------
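
The "never downgrade" rule and preloaded list described in the message above, as an added sketch that is not part of the original post or of any Gopher client's code. The class name, method names and sample hosts are hypothetical, and it assumes the client records a server only after a verified TLS handshake, never from data received in plaintext.

```python
class GopherTLSPolicy:
    """Remembers which gopher servers spoke TLS and forbids downgrading them."""

    def __init__(self, preload=()):
        # Preloaded entries protect even the very first connection.
        self._preload = {self._key(h, p) for h, p in preload}
        # Learned entries: added only after a verified TLS handshake (assumption).
        self._learned = set()

    @staticmethod
    def _key(host, port):
        # Normalise so "Host.Example." and "host.example" share one entry.
        return (host.rstrip(".").lower(), int(port))

    def requires_tls(self, host, port):
        key = self._key(host, port)
        return key in self._preload or key in self._learned

    def decide(self, host, port, tls_handshake_ok):
        """Return 'tls', 'plaintext' or 'refuse' for one connection attempt."""
        if tls_handshake_ok:
            self._learned.add(self._key(host, port))
            return "tls"
        # Handshake failed or was stripped: fall back only for unknown servers.
        if self.requires_tls(host, port):
            return "refuse"
        return "plaintext"


def demo():
    # Constructed sample hosts; not real servers.
    policy = GopherTLSPolicy(preload=[("preloaded.example", 7070)])
    return [
        policy.decide("PRELOADED.example.", 7070, False),  # preloaded: no fallback
        policy.decide("new.example", 70, False),           # unknown: first-contact gap
        policy.decide("new.example", 70, True),            # TLS seen: remembered
        policy.decide("new.example", 70, False),           # later downgrade refused
    ]


if __name__ == "__main__":
    print(demo())
```

The second call in `demo()` is the first-contact window the message refers to: a server not yet seen over TLS and not on the preloaded list can still be pushed to plaintext.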