[gopher] Tor for Gopher
Bradley D. Thornton
Bradley at NorthTech.US
Wed Mar 1 07:15:54 UTC 2017
On 2/13/2017 9:47 PM, Christoph Lohmann wrote:
> Greetings comrades.
>
> This ugly discussion of how to add TLS to gopher has lead to all kind of
> extension proposals which look so ugly I wouldn’t want to implement
> them. The CA system is broken and will not lead to any security. Do you
> really trust Let’s Encrypt, when they issue certificates for everyone? I
> don’t.
Not to go off topic on you Christoph, but separate to the issue of why
you started this discussion, *yes*, I *do* trust LE... and I'll tell you
why.
SSL (TLS) has NEVER been about doing business with or even being able
to verify that you are communicating with *who* you presume to be
communicating with at the end point. There have been all sorts of
schemes to charge people more and more money just to have kewl looking
real estate take up additional space in the address bar of a browser for
the sake of the exclusive right to pay more money for such a nonsensical
graphic in a browser or some stupid seal on a site that says you paid a
bunch of money to ensure that traffic and communications between your
site is secured with *some* level of encryption.
That having been said, SSL, for lack of a better term, ensures *only*
that there is an encrypted session between you, the user running the
browser, and the site that you have connected with, thereby providing
some measure of confidence that there's not some MitM sniffing out your
banking password or snatching up your cookies with Firesheep so that
goombah sitting over there in the corner of the coffee house can post
embarrassing things to your friends on faceplant that seemingly were
from you.
The notion that verisign, thawte, geotrust, or any of the other players
out there can actually verify that the cert was even issued to the party
to whom is listed on the cert is total bullshit - I've created lots of
certs for customers in the past and myself too and then guffawed myself
right out of my chair because I realized that I circumvented their
verification processes by virtue of having to have a cert ready and in
place before the start of business for my client on the following day,
without being afforded the luxury of having my client do their due
dilligence in setting up for the verification process themselves.
Therefore, whereas, heretofor, and other lawyerisms aside...
1.) SSL verifies that you have an encrypted connection with a website
(which may have been compromised anyway, already).
2.) SSL never has fully been able to guarantee that the cert was issued
to the party to whom is listed on the cert.
3.) SSL has at several points in the past been compromised, most
recently by virtue of issues in OpenSSL, that left huge holes in the
security of cPanel and Plesk managed hosting instances because CentOS
didn't push, or the hosting provider didn't push, the patches to shore
up those holes.
SSL ensures that you have an encrypted connection, and I am a proponent
of the notion that all HTTP traffic should take advantage of this,
especially in light of the fact that search engines now routinely index
secure content, and SNI is the way of the name based virtual hosting in
the connnectionless oriented browsing environment.
If everyone would just once and for all realize that SSL never has
verified that you are talking to who the cert says you're talking to,
and only that you are talking to an end point via and encrypted session,
there would be much less hype over whether everyone should be able to
have encrypted communications for free.
You might be of a different opinion - you might believe that the *who*
can be guaranteed, but it cannot. The only thing that can be guaranteed
is that the conversation is encrypted, and that being enough to
safeguard most communications, it should be free and LE is doing a fine
job of breaking the backs of those who have exploited and defrauded the
public for waaaaayyyy too long (i.e., verisign).
So would it be better to just use self-signed certs? But of course it
would, because the expectation of identity would be obviously not be
part of the secure nature of the connection, but we're talking about a
public that just doesn't get it, so you need someone like LE to give
them some semblance of confidence that the crooks at the bank have been
gouging the consumer for over the last couple of decades.
Gawd when I get on that soapbox! No offense Christoph, I'm just
diatribing out on what you already know to be the case technically,
although you may have a different opinion than mine philosophically,
although I know you to be a bit of a paranoid so I was surprised at your
exclamation lolz.
I've never been a fan of anonymity either, although that's a different
matter and my patience has been duly tested with all of the farming
implements used by assholes like faceplant and google and other big (and
not so big) data miners.
Kindest regards,
Bradley
>
> That is the reason why I am proposing a simpler migration strategy: Let
> us move all gopherholes to tor. Running a hidden service requires no
> modification except for changing the internal links to the onion domain.
> I do that at bitreich.org[0][1] by having a hidden service pointing to
> port 70 but the redirect in the configuration is to a different port
> which has geomyidae running with the argument ‐h hg6vgqziawt5s4dj.onion.
> All menu entries in gph files pointing to »server« will be replaced with
> that and you are kept in the tor network.
>
> For clients it is simply: torify lynx gopher://hg6vgqziawt5s4dj.onion
>
> I have started collecting onion gopherholes [2].
>
> What we get: Security (hash in onion domain), anonymity (tor network),
> moral superiority by supporting tor and their efforts
>
>
> Sincerely,
>
> Christoph Lohmann
>
> [0] gopher://bitreich.org
> [1] gopher://hg6vgqziawt5s4dj.onion
> [2] gopher://hg6vgqziawt5s4dj.onion/1/lawn/onion
>
>
> _______________________________________________
> Gopher-Project mailing list
> Gopher-Project at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
More information about the Gopher-Project
mailing list