Does TOFU actually work?

Ben Burwell gemini at benburwell.com
Sat Nov 28 15:14:34 GMT 2020


On 2020-11-28 at 09:28 -05:00, Emilis <emilis at emilis.net> wrote:
> can't TOFU be easily MITM-ed by state actors?
>
> Is it actually any better than CA certificates or does it only replace 
> trust in CAs with trust in all ISPs and hardware in between the server 
> and the client?

TOFU could be MITM'd. It replaces the CA mechanism by the assumption
that the first time you connect to a host, you get the right key/cert,
and will ensure that any subsequent connection uses the same key pair.

So if the first connection is MITM'd, your client will accept the phony
cert but all subsequent connections will need to be MITM'd with the
same phony cert in order to keep your client quiet.

If the first connection is NOT MITM'd, then any subsequent MITM attempt
would then raise alarm bells.

> How would TOFU work for someone out of a country that firewalls the 
> internet and can replace all self-signed certificates for port 1965 on 
> the fly?
> 
> If TOFU fails in this scenario (which is common for hundreds of millions 
> of people today) can we really say that Gemini protects privacy?

You're right - it wouldn't protect the privacy of people under that
scenario (assuming the state actor is sufficiently motivated to do this
interception/replacement under TOFU constraints).

I'm not sure what a good solution to this is.

> Note that IP addresses change between requests from the same browser to 
> the same server.

Those logs do look a little funky, but luckily we don't need to rely on
IP addresses to check your hypothesis: all you need to do is match the
fingerprint/hash of the cert being presented by Lagrange with the hash
of the cert generated on your server. If they don't match, then you have
definitively been MITM'd.
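
The pinning behaviour described above (record the key on first use, refuse later
connections that present a different one) and the fingerprint comparison against the
server's own cert, as an added example that is not code from this thread, from
Lagrange or from any Gemini client. It is stdlib-only; the "certificate" byte strings,
the hostname and the helper names (`tofu_check`, `simulate`, `server_cert_matches`) are
constructed for the example, and a real client would obtain the DER bytes from
`ssl.SSLSocket.getpeercert(binary_form=True)` instead.

```python
"""Minimal trust-on-first-use (TOFU) pin store, stdlib only.

Added example; not code from the mailing list or any Gemini client.
The certificate bytes below are constructed stand-ins for DER-encoded
certificates; only their SHA-256 hash matters to the pinning logic.
"""
import hashlib
import ssl
from typing import Dict, List

FIRST_USE = "first-use"   # no pin yet: trust and record (the TOFU assumption)
MATCH = "match"           # same cert as the one pinned earlier
MISMATCH = "MISMATCH"     # different cert: possible interception, refuse


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, as printed by
    'openssl x509 -noout -fingerprint -sha256' on the server."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_from_pem(pem_cert: str) -> str:
    """Same hash, starting from a PEM file copied from the server."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def tofu_check(store: Dict[str, str], host: str, der_cert: bytes) -> str:
    """Apply the TOFU rule for one connection and update the pin store.

    The store maps hostname -> pinned fingerprint. On a mismatch the pin is
    deliberately NOT overwritten: the user has to decide, which is the
    'alarm bells' step from the reply.
    """
    presented = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = presented
        return FIRST_USE
    if pinned == presented:
        return MATCH
    return MISMATCH


def server_cert_matches(presented_der: bytes, server_side_fp: str) -> bool:
    """The check suggested in the reply: hash the cert the client was shown
    and compare it with the hash computed on the server itself. A mismatch
    means something between client and server swapped the certificate."""
    return fingerprint(presented_der) == server_side_fp


def simulate(first: bytes, later: List[bytes]) -> List[str]:
    """Run a fresh pin store through a first connection and later ones."""
    store: Dict[str, str] = {}
    host = "example.gemini.invalid"  # constructed hostname
    return [tofu_check(store, host, cert) for cert in [first, *later]]


# Constructed stand-ins for two DER certificates (not real ASN.1).
GENUINE = b"\x30\x82\x01\x00" + b"genuine server certificate (constructed)"
PHONY = b"\x30\x82\x01\x00" + b"phony certificate from an interceptor (constructed)"


if __name__ == "__main__":
    # Honest first connection, interception later: the third connection alarms.
    print(simulate(GENUINE, [GENUINE, PHONY]))
    # Intercepted from the first connection: the client stays quiet as long as
    # the same phony cert keeps being presented, and alarms only when the
    # genuine cert finally shows up.
    print(simulate(PHONY, [PHONY, GENUINE]))
    # Out-of-band check against the hash computed on the server.
    print(server_cert_matches(PHONY, fingerprint(GENUINE)))
```

Both scenarios return `['first-use', 'match', 'MISMATCH']`, which is the whole point of
the thread: the store cannot tell a genuine first connection from an intercepted one, it
can only detect a change afterwards. The out-of-band comparison in `server_cert_matches`
is what resolves that ambiguity, and it needs the server's hash to reach you over a
channel the interceptor does not control.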

