I haven't seen that @solderpunk proposes a new protocol, which is a kind of simplified one (no TLS stuff, mandatory UTF-8, only 2 types of lines, text or link, fewer return codes...)
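An added example (mine, not code from the thread or from any Gemini project) that makes the pieces named in this post concrete: it parses a standard Gemini response header into its status class and META field, and classifies body lines into the two kinds mentioned, text or link, rejecting malformed headers rather than guessing at them. The sample response is constructed, and gemini://example.org/ is a placeholder.

```python
# Added example, not from the thread or any Gemini project: a small parser for
# a Gemini response header and for the "text or link" line model the post
# above describes. Sample data below is constructed, not captured traffic.
import re
from dataclasses import dataclass
from typing import List, Optional

# Gemini response header: two-digit status, a space, META (<= 1024 bytes), CRLF.
HEADER_RE = re.compile(r"([1-6][0-9])(?: (.*))?")
MAX_META_BYTES = 1024

STATUS_CLASSES = {
    1: "input", 2: "success", 3: "redirect",
    4: "temporary failure", 5: "permanent failure",
    6: "client certificate required",
}


@dataclass
class GeminiResponse:
    status: int
    meta: str
    body: bytes

    @property
    def status_class(self) -> str:
        return STATUS_CLASSES[self.status // 10]


def parse_response(raw: bytes) -> GeminiResponse:
    """Split a raw Gemini response into status, meta and body, rejecting
    malformed headers instead of guessing (a client must not act on them)."""
    header, sep, body = raw.partition(b"\r\n")
    if not sep:
        raise ValueError("missing CRLF after response header")
    if len(header) > 3 + MAX_META_BYTES:
        raise ValueError("header exceeds maximum length")
    try:
        text = header.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("header is not valid UTF-8") from exc
    match = HEADER_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"malformed header: {text!r}")
    status = int(match.group(1))
    meta = match.group(2) or ""
    return GeminiResponse(status, meta, body)


def is_well_formed(raw: bytes) -> bool:
    """True if parse_response accepts the bytes; handy for negative checks."""
    try:
        parse_response(raw)
        return True
    except ValueError:
        return False


@dataclass
class Line:
    kind: str                 # "link" or "text"
    text: str                 # the raw line
    url: Optional[str] = None
    label: Optional[str] = None


def parse_line(line: str) -> Line:
    """Classify one body line. A link line is "=>", optional whitespace, a URL,
    then an optional whitespace-separated label. Everything else is text here;
    full gemtext would also distinguish "#", "*", ">" and "```" lines."""
    if line.startswith("=>"):
        rest = line[2:].strip()
        if rest:
            parts = rest.split(None, 1)
            label = parts[1].strip() if len(parts) > 1 else None
            return Line("link", line, url=parts[0], label=label)
        # "=>" with no URL is not a usable link; treat it as plain text
    return Line("text", line)


def parse_body(body: bytes) -> List[Line]:
    """Decode a UTF-8 body (the post's mandatory-UTF-8 model) into lines."""
    lines = body.decode("utf-8").split("\n")
    if lines and lines[-1] == "":   # drop the empty tail after a final newline
        lines.pop()
    return [parse_line(l.rstrip("\r")) for l in lines]


# Constructed sample: a success response carrying a short gemtext body.
SAMPLE_RESPONSE = (
    b"20 text/gemini\r\n"
    b"# Welcome\n"
    b"Plain text line\n"
    b"=> gemini://example.org/ Example capsule\n"
    b"=>gemini://example.org/docs\n"
)

if __name__ == "__main__":
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp.status, resp.status_class, resp.meta)
    for item in parse_body(resp.body):
        print(item.kind, item.url or item.text)
```

The header checks (CRLF present, status in 10..69, a space before META, META no longer than 1024 bytes) are the minimum a client should enforce before acting on a status, since an unchecked header is where a malformed or hostile server response would otherwise slip through.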


@adele I'd have been happy with just removing the mandatory TLS and adding an insecure response code so clients can show a warning or something. I've been begging for that here and there for a while, as TLS prevents a lot of old devices from using Gemini. This sounds fantastic too though.

@oppen @adele Looks like that post was a year ago and nothing really came of it. Though somebody did make a different protocol that I think sounded similar. Titan protocol I think?

@oppen @adele What devices are too old for TLS and also don't need some kind of adapter between them and the internet anyway?

@easrng Any pre-Gingerbread Android devices; they're bricks as far as Gemini is concerned. Also, all of today's devices will suffer the same fate in ten+ years once the current cipher suites become compromised; TLS is a moving target.

@oppen With the OS APIs sure, but aren't they powerful enough to run a modern TLS library?

@easrng Gingerbread support _is_ with a back-ported lib: Conscrypt. Without that there'd be an incredible amount of unsupported devices.

@oppen And it would be impractical to backport further?

@easrng Yes, I think so; otherwise the Google Conscrypt team would have done it, I think. There's a couple of other Java libs that may be an option, but I doubt it: those older devices need the libs to use the same old Java version that they support. Newer devices have the option to get updated TLS suites from Google Play Services, but that only works with new supported devices (and won't work on Lineage etc.). Again, today's devices will face this same problem in 10/15 years whatever.

@easrng I have been meaning to find out why Conscrypt only supports as far back as Gingerbread. Two reasons are likely: older OS versions use older Java versions that have some inherent insecurity, or older OS versions are missing something in the JNI that makes back-porting further and securely impossible.

@adele @oppen @kelbot

Many people have misunderstood this as a proposal or recommendation. I was there at the time, and Solderpunk was just theorizing what could be stripped away from Gemini while still keeping it usable. As far as I know, this is not something he endorses, and I believe he has sent emails to that effect.

I believe his largest issue with it is lack of TLS, and it's mine as well. Privacy is important, but even beyond that, remember that TLS ensures integrity and provides authentication as well.

@makeworld @adele @oppen @kelbot
But it's not needed when some other protocol layer already provides those features. E.g. if you connect through Yggdrasil then everything is already authenticated and encrypted.

@csepp @adele @oppen @kelbot true, but that tends to be a rarer use case. I wish it wasn't, but I understand why you can't rely on it for protocol design.
