CSRF in Gemini
Sean Conner
sean at conman.org
Tue Jun 16 02:28:08 BST 2020
It was thus said that the Great Francesco Gazzetta once stated:
> Hi all,
>
> I just wrote down a few thoughts about cross-site request forgery in
> Gemini:
>
> gemini://gemini.circumlunar.space/~/fgaz/posts/2020-06-15-csrf-in-gemini/
I read the article and I don't think this is that much of an issue with
Gemini. It lacks JavaScript. It lacks cookies. It severely limits the
data that can be posted. Authentication is done via certificates. About
the only valid issue is the SPAM issue you brought up, but I think it *is*
possible to detect since the server will have the IP address of the
sender---repeated requests could be blocked by blocking the IP address.

Another issue with the nonce (other than how to send it back) is that a
malicious bot can just make a request that returns the nonce and use it,
like a Gemini client with a human driver will do.

It's an issue, but less of one than on the web.

-spc