CSRF in Gemini
Francesco Gazzetta
fgaz at fgaz.me
Tue Jun 16 10:40:11 BST 2020
On Mon, 15 Jun 2020 21:28:08 -0400
Sean Conner <sean at conman.org> wrote:
> Authentication is done via
> certificates.
But unless confirmation is required for _every_ request with a
certificate (is it? I'll have to re-read the spec) then the problem
persists, since the request is done by the victim.
> About the only valid issue is the SPAM issue you
> brought up, but I think it *is* possible to detect since the server
> will have the IP address of the sender---repeated requests could be
> blocked by blocking the IP address.
It's not detectable without nonces, because the spammer doesn't have to
make any request, only the victims (with presumably different IPs).
> Another issue with the nonce (other than how to send it back) is
> that a malicious bot can just make a request that returns the nonce
> and use it, like a Gemini client with a human driver will do.
Yes, but like on the web we can act on that first request and check for
the client cert (which the attacker won't have) and IP (which will always
be the attacker's one).
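One way to implement the check described above, as an added example that is not code from the thread or from any Gemini server: the nonce handed out on the first request is HMAC-bound to the client certificate fingerprint and IP that fetched it, so a nonce obtained by a bot (its own cert, its own IP) is useless when the victim follows the link, and a victim's request without a nonce is refused. The action URL form /post/<nonce>, the fingerprint strings and the IPs are assumptions made for the example.

```python
import hmac
import hashlib
import secrets
import time

# Constructed: a per-process secret; a real server would load it from config.
SERVER_KEY = secrets.token_bytes(32)
NONCE_MAX_AGE = 300  # seconds a nonce stays valid after it is issued

def _tag(cert_fp, client_ip, ts, salt, key):
    msg = f"{cert_fp}|{client_ip}|{ts}|{salt}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def issue_nonce(cert_fp, client_ip, now=None, key=SERVER_KEY):
    """Called on the first request (the page that links to the action).
    The nonce is bound to the cert and IP that fetched the page, so a bot
    fetching it with its own cert/IP gets a nonce nobody else can use."""
    ts = int(time.time() if now is None else now)
    salt = secrets.token_hex(8)
    return f"{ts}.{salt}.{_tag(cert_fp, client_ip, ts, salt, key)}"

def check_nonce(nonce, cert_fp, client_ip, now=None, key=SERVER_KEY):
    """True only if the nonce was issued to this cert+IP and is still fresh."""
    try:
        ts_s, salt, tag = nonce.split(".")
        ts = int(ts_s)
    except ValueError:
        return False
    now = int(time.time() if now is None else now)
    if not (0 <= now - ts <= NONCE_MAX_AGE):
        return False
    return hmac.compare_digest(_tag(cert_fp, client_ip, ts, salt, key), tag)

def handle_action(path, cert_fp, client_ip, now=None):
    """Gemini-style handler for an action URL of the (assumed) form
    /post/<nonce>. Returns the status line the server would send back."""
    if cert_fp is None:
        return "60 Client certificate required"
    if not path.startswith("/post/"):
        return "59 Bad request"
    if not check_nonce(path[len("/post/"):], cert_fp, client_ip, now):
        return "50 Missing or invalid nonce: fetch the form page first"
    return "20 text/gemini"
```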