Why gopher needs crypto ----------------------- A little while back I wrote some speculative stuff[1] about a hypothetical protocol which was more than gopher but less than the web (it really wasn't about gopher itself, and because of that this post is actually perhaps poorly titled, but oh well). There have been some responses to this, both in gopherspace[2,3] and on Mastodon, and I've done a poor job of engaging with the wider discussion that I triggered. This may continue, as my own thoughts and feelings on the matter continue to be in a state of flux. But there is one component of that hypothetical new protocol which I *am* certain of, and it's a component that some people have expressed confusion as to the need for, so I'm going to write a little bit about that. I'm talking about the fact that my hypothetical new protocol operated strictly over TLS connections - plaintext straight up wasn't an option. I am of the opinion that the widespread lack of encryption in gopherspace today is the protocol's biggest shortcoming, and I actually suspect that this point alone discourages some folks who would otherwise be on board from adopting it. But others, including Bongusta overlord Logout, do not see the need, so here's my attempt at a justification. I have to admit that I'm a little baffled that this needs to be explained in 2019. The web has seen a significant shift to using HTTPS for anything and everything in the past few years, instead of only for login pages or internet banking, and just about every argument used to justify that applies also to gopher. Claiming that gopher doesn't need it because there's "nothing important on gopher" is a self-fulfilling prophecy. Nobody will put anything important on gopher *until* it stops lacking basic protections which we expect elsewhere. Even if all content on gopher is fundamentally public content whose authors *want* it to be read by anybody, it remains true that: * Your ISP can see *and* modify all gopher traffic. ISPs have inserted ther own advertisments into websites in the past, and it's naive to think they won't do it again wherever they are not prevented by either legal or technical measures. The probability of getting effective legal protection in place everywhere on Earth is zero, so basically we need to make this technically impossible. Also, in the US and presumably other places it is legal for ISPs to collect your browsing history, analyse it and sell the results. US ISPs would not have wasted time and money lobbying for those laws without concrete plans to exploit them, so assume that this is happening, today. * Keyword-based censorship schemes such as those used in China and elsewhere will be effective against gopher content - TCP connections can be automatically dropped as soon as forbidden phrases are passed along them, which makes gopher useless for political activism in some important real-world theatres. * Gopher cannot be safely used to distribute PGP keys because those keys can be modified in transit by some of the same adversaries who could read the intended PGP encrypted mail if it weren't encrypted, defeating the purpose. * Software distributed via gopher (e.g. Zaibatsu-ware[4]) can be modified in transit to insert security vulnerabilities. These are all real problems affecting gopher today which make it unsuitable for several use cases, like political activism or software distribution, which I think it would be nice if it *were* suitable for. As long as these problems are unsolved, gopher can't ever be more than a toy in today's ultra-hostile internet. All of these problems are solved, or at least heavily ameliorated, on the web via the ubiquitous use of HTTPS. Of course, the web comes with its own boatload of problems, like Referer headers and cookies and Javascript and more, which make *it* unsuitable for a bunch of uses too. Note that all *those* problems are solved in gopher, by virtue of its simplicity. We only need to add ubiquitous encryption to gopher to end up with the best of both worlds! Now, let me be clear exactly what I mean by "adding encryption to gopher". I don't want to advocate anybody serving anything on port 70 which isn't backward compatible with standard gopher, because that would be a tragedy for the gopher community. And I also don't want plaintext gopher to disappear entirely, because it's great that something like gopher exists which can be utilised on 40 year old machines which are too slow to do effective crypto. What I would like is to see something new which is basically "gopher plus crypto, maybe a little more" appear alongside the existing options. Something which could be thought of as a "souped up gopher" or as a "stripped down web", depending on your perspective. Something which meant people weren't forced to choose between two non-overlapping sets of massive and obvious shortcomings but could just USE the internet for sharing static content in a non-awful way - whether that static content is "just" phlog posts, ASCII art or old zines, or whether it's serious political dissent, cypherpunk activism, sexually explicit writing or non-trivial free software development. The web is surely a dumpster fire, but let's not pretend gopher is perfect and cannot be improved. Those of us fleeing the web have just fallen back here because it's about the only off-the-shelf vaguely web-like thing that there is to fall back to. Some of us may be truly comfy here, and that's absolutely fine. Increasingly I think I'd like to use gopher as a temporary base of operations to build something even better. [1] gopher://zaibatsu.circumlunar.space:70/0/~solderpunk/phlog/pondering-whats-inbetween-gophe r-and-the-web.txt [2] gopher://circumlunar.space:70/0/~sloum/phlog/20190309-22.txtgopher://circumlunar.space:70/0/~sloum/phlog/20190309-22.txt [3] gopher://republic.circumlunar.space:70/0/~uwu/thoughts/20190329-markup-market.txt [4] gopher://zaibatsu.circumlunar.space:70/1/software