[TECH] proxies and TOFU (was Re: The problem with unusual ports)
Johann Galle
johann at qwertqwefsday.eu
Fri Dec 25 15:06:11 GMT 2020
On 2020-12-24T03:45Z, colecmac at protonmail.com wrote:
>>> Someone has written one. :)
>>> gmitohtml is a Gemini proxy server.
>>> https://gitlab.com/tslocum/gmitohtml
>>
>> Forgive me if I misunderstand, but I believe the idea is to run the Gemini
>> protocol and serve gemini content, but just be able to do it on a port other
>> than 1965 (In this case, proxying gemini over the https port).
>
> To clarify, I'm talking about a Gemini server that accepts request URLs with
> other hosts. Like the server runs at example.com, and will accept requests for
> example.com, gus.guru, makeworld.gq, etc. And it will make the request on your
> behalf.
>
> And then that server could run on any port, port 443 for example. This would
> be a way to get around blocking.
>
> makeworld
This topic has now been mentioned in another thread, but TOFU makes a "nice"[1]
proxy difficult:
The TLS certificate has to be sent before any content from the client is
transmitted (* remember this). This means that the proxy sends its own
certificate. Depending on how lax the client is on checking the certificate's
contents, it cannot work differently.
Only after verifying the certificate is the requested URL transmitted.
Now the problem arises: How should the proxy handle the endpoint's certificate
under TOFU?
Ideally the certificate would just be forwarded by the proxy, but this is not
possible because of (*).
The proxy could do its own TOFU and allow its users to update the cert store,
but on a public proxy this could be exploited by an attacker.
The proxy could have its own "user sessions" but at that point the
implementation of the proxy would be considerably inflated IMHO.
It would probably be much cleaner to use a VPN or an SSH tunnel at that point
(and probably a zillion other ways).
[1] Whatever would be considered nice is a different point, i.e. what
Stephane Bortzmeyer wrote on 2020-12-24T13:06Z:
> Do note that this requires trust in the proxy [...]
Johann
---
You can verify the digital signature on this email with the public key
available through web key discovery. Try e.g. `gpg --locate-keys`...
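The trust-store question raised in the message above, as an added example that is not part of the original e-mail or of gmitohtml: a small model of a proxy that, having already completed TLS with its own certificate, sees the origin's certificate alone and must decide what TOFU means for its users. The `Proxy`, `TofuStore`, session ids and "certificate" byte strings are all constructed for illustration; real clients pin the SHA-256 fingerprint of the DER-encoded certificate, which is what `fingerprint` stands in for. The `shared` mode is the simple public-proxy design with a store any user may update; the `session` mode is the "user sessions" design.

```python
"""Added example (not part of the original e-mail): models the TOFU
decisions a Gemini proxy has to make, to show how a shared, user-updatable
trust store on a public proxy differs from per-session stores.
Certificates are stand-ins: constructed byte strings hashed with SHA-256,
the way real TOFU clients pin certificate fingerprints."""
import hashlib
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first use: fingerprint recorded"
    MATCH = "match: fingerprint equals pinned value"
    MISMATCH = "mismatch: fingerprint differs from pinned value"


def fingerprint(cert_der: bytes) -> str:
    # Real clients hash the DER-encoded certificate; cert_der here is constructed.
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Pins one fingerprint per (host, port): first contact records, later contacts compare."""

    def __init__(self):
        self._pins = {}

    def check(self, host, port, cert_der):
        fp = fingerprint(cert_der)
        key = (host, port)
        pinned = self._pins.get(key)
        if pinned is None:
            self._pins[key] = fp
            return Verdict.FIRST_USE
        return Verdict.MATCH if pinned == fp else Verdict.MISMATCH

    def replace_pin(self, host, port, cert_der):
        # The "allow its users to update the cert store" operation from the e-mail.
        self._pins[(host, port)] = fingerprint(cert_der)


class Proxy:
    """Hypothetical proxy that terminates TLS with its own certificate and fetches on
    behalf of clients.
    mode="shared":  one TofuStore for everybody (simple public-proxy design).
    mode="session": one TofuStore per client session (the "user sessions" design)."""

    def __init__(self, mode):
        self.mode = mode
        self.shared = TofuStore()
        self.sessions = {}

    def _store(self, session_id):
        if self.mode == "shared":
            return self.shared
        return self.sessions.setdefault(session_id, TofuStore())

    def fetch(self, session_id, host, cert_der, port=1965):
        # By this point the client has finished TLS against the proxy's own
        # certificate and only then sent the URL; the origin's certificate is
        # seen by the proxy alone, so the proxy's store is the only TOFU that runs.
        return self._store(session_id).check(host, port, cert_der)

    def update_pin(self, session_id, host, cert_der, port=1965):
        self._store(session_id).replace_pin(host, port, cert_der)


# Constructed stand-ins for two different certificates presented for the same host.
ORIGIN_CERT_V1 = b"constructed-cert:example.org:key-1"
ORIGIN_CERT_V2 = b"constructed-cert:example.org:key-2"


def scenario(mode):
    """Two unrelated users visit the same host through a proxy in the given mode.
    Returns [alice's first verdict, bob's first verdict, bob's verdict after alice
    has replaced the pin]."""
    proxy = Proxy(mode)
    alice = proxy.fetch("alice", "example.org", ORIGIN_CERT_V1)
    bob_first = proxy.fetch("bob", "example.org", ORIGIN_CERT_V1)
    # In the updatable-store design any user may replace a pin; alice does so.
    proxy.update_pin("alice", "example.org", ORIGIN_CERT_V2)
    bob_after = proxy.fetch("bob", "example.org", ORIGIN_CERT_V2)
    return [alice, bob_first, bob_after]


if __name__ == "__main__":
    for mode in ("shared", "session"):
        print(mode, [v.value for v in scenario(mode)])
```

In `shared` mode Bob's first visit already reports a match (he inherits a pin he never saw being made), and after Alice's update Bob also accepts the second certificate without a warning: one user's store operation silently changes what every other user trusts. In `session` mode Bob records his own first use and is warned of the mismatch when the certificate changes, which is the behaviour a local TOFU client would give him; the price is that the proxy now has to keep per-user state, which is the "considerably inflated" implementation the message refers to.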