Announcing kwiecien.us

plugd plugd at thelambdalab.xyz
Fri May 15 09:38:07 BST 2020


Hi Ben,

Ben writes:
> I'm having an issue with elpher where it asks me to approve the site's
> SSL cert because it says something like the issuer not being
> recognized... well that can't be right, so either I set up Jetforce a
> little bit wrong (specified the wrong files?), or this is some issue
> with elpher, which I noticed complains about the certs of most Gemini
> sites. My issuer is LetsEncrypt, which should be fine.

Elpher just relies on Emacs' default Network Security Manager behaviour,
as described in the manual:
https://www.gnu.org/software/emacs/manual/html_node/emacs/Network-Security.html.
I'm not sure why this is claiming your cert is invalid.  I'll look into
it, but I suspect the issue will be upstream from elpher.

That aside, elpher (or rather the NSM) does tend to raise warnings about every new gemini
site you visit since it's common to use self-signed certificates.  While
the spec-spec suggests a trust-on-first-use behaviour, this doesn't seem
to be possible with the NSM. This exposes three security levels: "low",
which doesn't do any security checks, "medium", which is the default
level and is what you're experiencing, and "high", which is even more stringent.

Thus I've had to choose between no certificate validation at all and the
current system.  Seeing as (a) the number of gemini sites has (until
recently) been extremely small, (b) emacs remembers accepted
self-signed/invalid certificates and doesn't ask again, and (c) at least
one person has expressed a preference for more security rather than
less, I've stuck with the "medium" setting.  However, I suspect I'm
going to have to reconsider this stance in the near future due to the
amazing number of new gemini hosts appearing.

Cheers,

Tim
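
The trust-on-first-use behaviour mentioned in the message above, shown as an added example that is not part of the original post and is not elpher's or Emacs' code. The names TofuStore and demo, the JSON pin file, the host example.org and the certificate bytes are all assumptions constructed for illustration; 1965 is the default Gemini port.

```python
import hashlib
import hmac
import json
from pathlib import Path


class TofuStore:
    """Trust-on-first-use pins: one SHA-256 certificate fingerprint per host:port."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        # In a real client the bytes would be the peer's DER certificate,
        # e.g. from ssl.SSLSocket.getpeercert(binary_form=True).
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Return 'first-use', 'match' or 'mismatch' for the presented cert."""
        key = f"{host.lower()}:{port}"  # hostnames are case-insensitive
        seen = self.fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            # First contact: nothing to compare against, so pin and accept.
            self.pins[key] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # A changed certificate is the case TOFU exists to catch: keep the
        # old pin and let the caller warn the user instead of overwriting it.
        return "mismatch"


def demo(path):
    # Constructed placeholder bytes standing in for DER-encoded certificates.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    store = TofuStore(path)
    results = [
        store.check("example.org", 1965, cert_a),  # never seen: pinned
        store.check("EXAMPLE.org", 1965, cert_a),  # same host, same cert
        store.check("example.org", 1965, cert_b),  # different cert
    ]
    # A fresh store reading the same file still remembers the pin.
    results.append(TofuStore(path).check("example.org", 1965, cert_a))
    return results
```

Unlike issuer validation, this check accepts a self-signed certificate without a prompt on first contact and only raises an alarm when a later connection presents a different one.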