Does TOFU actually work?

Emilis emilis at emilis.net
Sat Nov 28 14:28:37 GMT 2020


Hi,

I wanted to set up my own Gemini server today. I think I got 
MITM-attacked by China.

This highlights the question I wanted to ask for some time: can't TOFU 
be easily MITM-ed by state actors?

Is it actually any better than CA certificates or does it only replace 
trust in CAs with trust in all ISPs and hardware in between the server 
and the client?

How would TOFU work for someone out of a country that firewalls the 
internet and can replace all self-signed certificates for port 1965 on 
the fly?

If TOFU fails in this scenario (which is common for hundreds of millions 
of people today), can we really say that Gemini protects privacy?


Details:

I am in Vilnius, Lithuania. My IP is in this range:

```
inetnum:        78.59.128.0 - 78.59.255.255
netname:        Telia-Lietuva
descr:          Telia Lietuva, AB
country:        LT
```

I got a VPS with Debian 9 in the same city. Its current hostname is 
naujenai.lt and IP is in this range:

```
inetnum:        94.176.232.0 - 94.176.239.255
netname:        LT-LITHUANIA-20080814
country:        LT
```

I downloaded, compiled and installed https://git.sr.ht/~sircmpwn/gmnisrv 
on the VPS.

Commit:

```
gmnisrv$ git log
commit cb2c84b0ad9aadd4c92d8ef978c2bfca578cd3c4
Author: Mark Dain <mark at markdain.net>
Date:   Sat Nov 21 13:56:37 2020 +0000
```

I use a locally built https://github.com/skyjake/lagrange to browse 
gemini://

Commit:

```
commit ca89eeab5c89107f675bd4d8de97ede364d8d902 (HEAD -> release, tag: 
v0.10.0, origin/release)
Merge: 6e1e7d0 b9f7a12
Author: Jaakko Keränen <jaakko.keranen at iki.fi>
Date:   Sat Nov 21 22:25:57 2020 +0200
```

I opened my new server URL in Lagrange. Then tried a non-existing URL (I 
was trying to configure URL rewriting for gmnisrv).

I got this in my gmnisrv console:

```
$ gmnisrv
[gmnisrv] generating certificate for naujenai.lt
[gmnisrv] generating certificate for localhost
[gmnisrv] listening on [::]:1965
[gmnisrv] listening on 0.0.0.0:1965
[gmnisrv] gmnisrv started
36.130.78.59 naujenai.lt /  57ms    39 20 text/gemini
154.170.78.59 naujenai.lt /test.gmi  67ms     0 51 Not found
^C[gmnisrv] gmnisrv terminating
```

```
$ gmnisrv
[gmnisrv] loaded certificate for naujenai.lt
[gmnisrv] loaded certificate for localhost
[gmnisrv] listening on [::]:1965
[gmnisrv] listening on 0.0.0.0:1965
[gmnisrv] gmnisrv started
39.92.78.59 naujenai.lt /  58ms    39 20 text/gemini
143.238.78.59 naujenai.lt /asdf.gmi  66ms     0 51 Not found
```

Whois queries for the IPs in the gmnisrv log:

```
$ whois 36.130.78.59
...
inetnum:        36.128.0.0 - 36.191.255.255
netname:        CMNET
descr:          China Mobile Communications Corporation
descr:          Mobile Communications Network Operator in China
descr:          Internet Service Provider in China
country:        CN
```

```
$ whois 39.92.78.59
...
inetnum:        39.64.0.0 - 39.95.255.255
netname:        UNICOM-SD
descr:          China Unicom Shandong province network
descr:          China Unicom
country:        CN
```

```
$ whois 143.238.78.59
...
NetRange:       143.238.0.0 - 143.238.255.255
CIDR:           143.238.0.0/16
NetName:        APNIC-ERX-143-238-0-0
NetHandle:      NET-143-238-0-0-1
Parent:         NET143 (NET-143-0-0-0-0)
NetType:        Early Registrations, Transferred to APNIC
OriginAS:
Organization:   Asia Pacific Network Information Centre (APNIC)
...
Country:        AU
```

```
$ whois 154.170.78.59
...
inetnum:        154.160.0.0 - 154.175.255.255
netname:        GH-SPACEFON
descr:          Scancom Ltd.
country:        GH
```

Note that IP addresses change between requests from the same browser to 
the same server.


I suspect my Huawei 4G router. I bought it locally a few years ago when 
very few options were available. I was planning to replace it for some time.


--
Emilis Dambauskas
gemini://tilde.team/~emilis/
