## Gopher and TLS

"Encryption is easy, do it!"

Ivan J.

## Gopher and TLS

Table of contents

* Why
* Current status
* Future plans

## Why TLS?

* Gopher is a cleartext protocol
* I'd like some encryption
* Tor is often slow and sometimes difficult to set up
  * Requires a local Tor daemon and LD_PRELOAD hacks
* No need for a protocol change or a new RFC
* Transparent to users

## Implementations

* Server-side:
  * sslh -> tlstun -> geomyidae
* Client-side:
  * clic
  * gnutls-cli

## Server-side concept

1. Serve a gopherhole with a daemon (geomyidae)
2. Add TLS on top of it (tlstun)
3. Tell cleartext and encrypted traffic apart and route each to the right place (sslh)

## 1. Gopher daemon

* Install geomyidae and serve your gopherhole on some port that is not port 70

## 2. TLS tunnel

* Install tlstun and set up a TLS certificate
* Run tlstun to proxy TLS traffic from some port to your gopher daemon's port

## 3. Multiplexing

* Install sslh and configure it to work with your gopherhole
  * geomyidae on port 71
  * tlstun on port 7771
  * sslh on port 70

Example sslh.cfg:

```
protocols:
(
  { name: "regex";   host: "127.0.0.1"; port: "71";   regex_patterns: [ "^\r\n$", "^\n$", "^.\n$" ]; },
  { name: "tls";     host: "127.0.0.1"; port: "7771"; },
  { name: "anyprot"; host: "127.0.0.1"; port: "71";   },
  { name: "timeout"; host: "127.0.0.1"; port: "71";   }
);

on-timeout: "timeout";
```

## Client-side concept

1. Connect to the gopherhole
2. Ask for TLS
3. Connect with TLS if possible, otherwise go plain

## Client-side practice

* Connect with GnuTLS

  ```sh
  $ printf '\r\n' | gnutls-cli parazyd.org:78
  ```

* Connect with netcat

  ```sh
  $ printf '\r\n' | nc parazyd.org 78
  ```

* Both work!
* solene has also added TLS support in clic!

## Future plans

* Add TLS support to other Gopher clients
* Teach Gopher users about the concept and adopt it

## Resources

* https://github.com/yrutschle/sslh
* git://parazyd.org/tlstun

## Thank you!

* Questions?
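The two mechanisms the talk relies on, the sslh multiplexing rule from the "3. Multiplexing" slide and the "ask for TLS, otherwise go plain" client-side concept, are easier to reason about with working code in hand. The following is an added example written for this page; it is not code from the talk, from sslh, tlstun, geomyidae or clic. `classify_first_bytes` mirrors the decision the slide's sslh.cfg makes from a connection's first bytes (TLS record header versus the three Gopher regex patterns versus the anyprot catch-all), and `gopher_request` is a small client that tries a TLS handshake first and only falls back to cleartext when the handshake itself fails. The `require_tls` parameter, the local stand-in server and its menu line are constructed for the example; no real host is contacted.

```python
import socket
import ssl
from typing import Optional, Tuple

# Added example, not code from the talk or from sslh/tlstun/geomyidae.
# The regex entries from the slide's sslh.cfg are "^\r\n$", "^\n$" and
# "^.\n$": an empty selector or a one-character selector.


def classify_first_bytes(data: bytes) -> str:
    """Classify a connection's first bytes the way the slide's sslh.cfg does.

    "tls"     - TLS record header: ContentType 0x16 (handshake) and major
                version 3; every TLS version puts 0x03 0x0X on the wire here.
    "gopher"  - one of the regex_patterns from sslh.cfg.
    "anyprot" - anything else. The config sends that to geomyidae as well,
                so a normal selector such as "/phlog\\r\\n" still reaches
                port 71; the regex entries only spell out the empty case.
    Assumes the first read returned the whole request line (a simplification).
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data == b"\n" or (len(data) == 2 and data[1:] == b"\n" and data[0] != 0x0A):
        return "gopher"
    return "anyprot"


def read_until_close(sock: socket.socket) -> bytes:
    """Gopher servers answer and then close, so read until EOF."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def gopher_request(host: str, port: int, selector: str = "",
                   require_tls: bool = False, timeout: float = 5.0,
                   context: Optional[ssl.SSLContext] = None) -> Tuple[bool, bytes]:
    """Fetch a selector, trying TLS first and falling back to cleartext.

    Returns (used_tls, reply). Only a failed handshake triggers the fallback;
    an error after a successful handshake is raised rather than retried in
    the clear. require_tls (a parameter constructed for this example) disables
    the fallback entirely: anyone who can interfere with the path can make
    the TLS attempt fail, so opportunistic fallback only protects against
    passive observation, and a client should let the user demand TLS.
    """
    request = (selector + "\r\n").encode()
    ctx = context or ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except OSError:
        # ssl.SSLError is an OSError. A cleartext-only geomyidae reads the
        # ClientHello as a selector and answers with Gopher text, which makes
        # the handshake fail (typically "wrong version number").
        raw.close()
        if require_tls:
            raise
    else:
        with tls:
            tls.sendall(request)
            return True, read_until_close(tls)
    with socket.create_connection((host, port), timeout=timeout) as plain:
        plain.sendall(request)
        return False, read_until_close(plain)


if __name__ == "__main__":
    import threading

    # Constructed local stand-in for a cleartext-only gopher daemon: it
    # answers any request line, a stray ClientHello included, with one fixed
    # menu line and closes, so the client is forced onto the fallback path.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(2)
    port = srv.getsockname()[1]

    def plain_only_server():
        for _ in range(2):  # first the TLS attempt, then the cleartext retry
            conn, _ = srv.accept()
            with conn:
                first = conn.recv(4096)
                print("server classified first bytes as:", classify_first_bytes(first))
                conn.sendall(b"iconstructed cleartext menu\tfake\t(NULL)\t0\r\n.\r\n")

    threading.Thread(target=plain_only_server, daemon=True).start()
    used_tls, reply = gopher_request("127.0.0.1", port)
    print("used TLS:", used_tls)
    print(reply.decode())
```

Running the module starts the stand-in server on a random loopback port; the server prints `tls` for the first connection and `gopher` for the second, and the client reports that it did not use TLS. Pointing `gopher_request` at the sslh setup from the slides (port 70) instead would route the ClientHello to tlstun and the bare `\r\n` to geomyidae, which is exactly the split the classifier reproduces.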