CSRF in Gemini
solderpunk
solderpunk at SDF.ORG
Mon Jun 15 15:30:07 BST 2020
On Mon, Jun 15, 2020 at 04:09:47PM +0200, Francesco Gazzetta wrote:
> I'm starting this thread to brainstorm ideas about the last point.
Thanks for getting this conversation started!
It's perhaps a little bit tedious for users, but the simplest solution I
can think of for things like this is a convention that all requests
which trigger side-effects (like comments, etc.) must be made with a
client certificate, because that will make it very clear to the user
that something is happening and no surprises are possible.
I strongly suspect that completely preventing this kind of thing will be
impossible if we simultaneously insist on a simple protocol and a
frictionless user experience - in which case, everybody knows which one
will be prioritised. :) But if we can somehow pull off both at once
that will be best.
Cheers,
Solderpunk
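The convention proposed above (side-effecting requests are refused unless a client certificate was presented), as an added example that is not part of the original post or of the Gemini project's code. It assumes constructed route names (/comment, /vote), constructed response bodies, and that the TLS layer hands the dispatcher the peer certificate bytes or None; sockets and TLS are left out so it runs offline.

```python
"""Added example (not code from the original post or from the Gemini
project): a minimal Gemini request dispatcher that applies the convention
proposed in the post. Any request whose path triggers a side-effect is
refused with status 60 unless the TLS layer handed us a client
certificate, so a client that merely follows a link can never change
state silently; the user has to pick a certificate first.

Assumptions (all constructed for illustration): the route names
/comment and /vote, the response bodies, and that the caller passes the
peer certificate (or None) obtained from the TLS connection. Transport
is deliberately left out.
"""
from typing import Optional
from urllib.parse import ParseResult, urlparse

# Paths on this capsule that change server state. Constructed list.
SIDE_EFFECT_PATHS = {"/comment", "/vote"}

# Gemini request: a single absolute URL of at most 1024 bytes, then CRLF.
MAX_URL_BYTES = 1024


def parse_request(raw: bytes) -> Optional[ParseResult]:
    """Parse one Gemini request line; return None if it is malformed."""
    if not raw.endswith(b"\r\n"):
        return None
    url_bytes = raw[:-2]
    if len(url_bytes) > MAX_URL_BYTES:
        return None
    try:
        url = url_bytes.decode("utf-8")
    except UnicodeDecodeError:
        return None
    parts = urlparse(url)
    # Only absolute gemini:// URLs are valid requests.
    if parts.scheme != "gemini" or not parts.netloc:
        return None
    return parts


def handle_request(raw: bytes, client_cert: Optional[bytes]) -> str:
    """Return the Gemini response header for one request.

    client_cert is the DER bytes of the peer certificate presented during
    the TLS handshake, or None if the client presented none.
    """
    parts = parse_request(raw)
    if parts is None:
        return "59 Bad request\r\n"
    path = parts.path or "/"

    if path in SIDE_EFFECT_PATHS:
        # The convention from the post: no certificate, no side-effect.
        # The client will now prompt the user to choose (or create) a
        # certificate, which is the visible "something is happening" cue.
        if client_cert is None:
            return "60 Client certificate required\r\n"
        # Certificate present but no payload yet: ask for input (status 10).
        if not parts.query:
            return "10 Input required\r\n"
        # Certificate present and payload supplied: perform the action.
        return "20 text/gemini\r\n"

    # Read-only resource: no certificate needed.
    return "20 text/gemini\r\n"


def demo_link_follow() -> list:
    """Walk through the scenario the thread worries about: a page links to
    a side-effecting URL and the client follows it without user intent."""
    steps = []
    req = b"gemini://example.org/comment?Nice%20post\r\n"  # constructed
    steps.append(handle_request(req, None))       # refused: 60
    steps.append(handle_request(req, b"<der>"))   # after user picks a cert: 20
    return steps


if __name__ == "__main__":
    for line in demo_link_follow():
        print(line.strip())
```

Checking the certificate before asking for input means the very first thing a user sees on a side-effecting URL is the certificate prompt, which is the point of the convention: the prompt is the unavoidable signal that the request is more than a page view.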