Gemini server logging formats and practices

Dave Huseby dwh at vi.rs
Wed May 13 02:43:51 BST 2020


On Tue, May 12, 2020, at 11:23 AM, solderpunk wrote:
> I am understanding of and sympathetic towards both admins who want to
> log IPs for debugging or abuse-detection purposes and towards those who
> don't want to so they can (rightfully) boast about their servers' respect
> for privacy.

Thanks. This is how the HTTP protocol conversation should have gone back in 1989.

> We could also define a half-way format, where a compact hash of the IP is
> logged, so that unique visitor statistics can be calculated for those
> who want them, or e.g. malfunctioning bots can be spotted, but nothing.

I think it may help to consider that the IP address of a sender is personally identifiable information and is not the server operator's to collect without consent. Right now the only thing we can do is willfully blind our servers. Eventually though, if all goes according to plan, Gemini servers will be running on a mixnet of some kind and they won't be able to track IP addresses because the source isn't mapped to anything in the real world. Users will appear to the server as first time users on every request. The only balance to be struck will be if the user offers a correlation identifier to the server for some reason, say to access some stored state they have on the server (e.g. their own plant in the cyber garden or whatever).

Accessing permissioned resources (i.e. 6X response codes) doesn't necessarily imply correlation of the user. Certainly the user can present the same cryptographic credentials on subsequent requests but a better design is to allow for pair-wise credentials that are ephemeral to each session and potentially ephemeral to each request. Currently TLS doesn't allow for this mode of operation. Something like CurveCP with decentralized verifiable credentials is a superior solution for uncorrelatable confidentiality.

Anyway, back to logging. I don't think it is our place as server operators to collect IP addresses without consent since it isn't our data. It is an unfortunate legacy of the existing IP network layer that will hopefully be overcome soon. I think the hashing of IP addresses for correlation is fine but I think it is fair to expect all server operators to notify their users that they are doing so.

I may sound extreme but if we want to make the internet better, our thinking has to first shift.

Cheers!
Dave
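
The hashed-IP logging scheme discussed in this thread, as an added example that is not part of the original message or of any Gemini server: it keys the hash (HMAC) with a per-log-period secret rather than using a bare hash, because an unkeyed hash of an IPv4 address can be recomputed over the whole 2^32 address space by anyone holding the log. The log line layout, the sample addresses and the key handling are assumptions made for the example.

```python
import hmac
import hashlib
import ipaddress
import secrets
from datetime import datetime, timezone
from typing import Iterable

# Constructed example: pseudonymous request logging for a Gemini server.
# A plain hash of an IP is not anonymous: the IPv4 space is only 2^32 values,
# so anyone holding the log can recompute every hash and recover the address.
# Keying the hash with a secret that is rotated per log period keeps
# same-period correlation (unique visitors, misbehaving bots) while making
# the pseudonym useless without that period's key, and unlinkable across
# periods once the key is discarded.

def pseudonymize(ip: str, key: bytes, length: int = 8) -> str:
    """Return a compact keyed hash (hex) of a canonicalised IP address."""
    addr = ipaddress.ip_address(ip)  # canonical form, so "2001:db8:0::1" == "2001:db8::1"
    digest = hmac.new(key, addr.packed, hashlib.sha256).digest()
    return digest[:length].hex()

def format_log_line(ip: str, key: bytes, url: str, status: int, when: datetime) -> str:
    """One request line: timestamp, pseudonym, Gemini status code, requested URL."""
    return f"{when.isoformat()} {pseudonymize(ip, key)} {status} {url}"

def unique_visitors(lines: Iterable[str]) -> int:
    """Count distinct pseudonyms in lines produced by format_log_line."""
    return len({line.split(" ")[1] for line in lines})

# Constructed sample traffic for one log period; the key is generated for the
# period and is never written to the log itself.
KEY_DAY1 = secrets.token_bytes(32)
KEY_DAY2 = secrets.token_bytes(32)  # a later period: same client, unlinkable pseudonym
T = datetime(2020, 5, 12, 11, 23, tzinfo=timezone.utc)
SAMPLE_DAY1 = [
    format_log_line("198.51.100.7", KEY_DAY1, "gemini://example.org/", 20, T),
    format_log_line("198.51.100.7", KEY_DAY1, "gemini://example.org/garden", 20, T),
    format_log_line("2001:db8::1", KEY_DAY1, "gemini://example.org/missing", 51, T),
]
```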