THE BEST THING ABOUT GOPHER IS THAT IT'S UNENCRYPTED

Time for something controversial. Actually most of my entries are 
controversial, it's just that I doubt anybody reading really cares 
that much about their topics. But this one's about internet 
protocols, and an opinion on them is basically a prerequisite for 
browsing Gopher today in the first place.

Now this is basically a reaction to Gemini. I don't object to 
Gemini's existence, but I wouldn't use it. That is partly because I
don't want any more than the Gopher protocol already provides. 
Beyond read-only sites with strictly structured content navigation 
and no embedded images, HTML/HTTP provides a wide world of forms, 
session tracking, and unsolicited multi-megabyte image downloads. 
You know it's there, you know it can be set up without using 
client-side scripting or cross-site tracking. You know of countless 
websites that _do_ work in a text-only browser. Your only problem 
is that it allowed for trends in web design that you strongly 
dislike to become commonplace.

Well one trend the web has taken that _I_ dislike is HTTPS 
redirects for read-only access. That is: requiring encryption when 
one is not submitting private information. Gemini requires 
encrypted connections for everything, so I don't like it.

You're probably not convinced. Maybe you think that I don't 
understand all of the advantages of encrypted connections. Or maybe 
you just think I'm grumpy about encryption because I can't get a 
new version of OpenSSH compiled on this PC so that I can connect 
easily to aussies.space and submit this post, and on that you're 
not that far wrong (though on that alone I'd just as well be 
complaining about the bloody configure script refusing to find the 
specified OpenSSL directory whenever there are any files in it!).

I get that someone intercepting the packets can work out which 
pages you're viewing on a site. But if you're really concerned 
about that then remember that which site you're viewing, and in 
what pattern, are often revealed by the IP addresses regardless of
encryption anyway, unless you use a VPN/TOR (where you still have 
to trust that the service providers aren't infiltrated by some 
nation's security service). Say you're browsing with an encrypted 
Gopher protocol: your first connection is to one of the phlog 
aggregator pages, then you check through the recently updated 
phlogs that you like. Someone watching the IP addresses that you 
connect to (eg. at your ISP) would see that your first connection 
was to a server running a phlog aggregator (amounting to the
majority of its traffic), followed by a sequence of two connections 
to various other servers corresponding to new links in the phlog 
list. Do this enough, and they know what phlogs you follow, and
therefore what phlog posts you read (further helped by analysing 
how long you spend reading posts - equating to time between new 
connections).
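
Added example, not part of the original post: a sketch of the
inference described above, run over constructed flow records. The
addresses, the one-phlog-per-IP assumption and the function names
are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: (seconds since start of capture, destination IP).
# Addresses come from documentation ranges; none are real servers.
AGGREGATOR = "192.0.2.10"
FLOWS = [
    (0, "192.0.2.10"), (40, "198.51.100.7"), (45, "198.51.100.7"),
    (400, "203.0.113.5"), (404, "203.0.113.5"),
    (86400, "192.0.2.10"), (86430, "198.51.100.7"), (86436, "198.51.100.7"),
    (172800, "192.0.2.10"), (172850, "198.51.100.7"), (172855, "198.51.100.7"),
    (173300, "203.0.113.99"), (173303, "203.0.113.99"),
]

def split_sessions(flows, aggregator):
    """Start a new session at every connection to the aggregator."""
    sessions = []
    for ts, ip in sorted(flows):
        if ip == aggregator:
            sessions.append([])
        elif sessions:
            sessions[-1].append((ts, ip))
    return sessions

def followed_servers(flows, aggregator, min_sessions=2):
    """Servers visited after the aggregator in at least min_sessions sessions."""
    seen = Counter()
    for session in split_sessions(flows, aggregator):
        seen.update({ip for _, ip in session})  # count each server once per session
    return {ip: n for ip, n in seen.items() if n >= min_sessions}

def dwell_times(flows, aggregator):
    """Seconds from the last connection to one server until the first
    connection to a different server, within a session."""
    dwell = defaultdict(list)
    for session in split_sessions(flows, aggregator):
        for (ts, ip), (next_ts, next_ip) in zip(session, session[1:]):
            if next_ip != ip:
                dwell[ip].append(next_ts - ts)
    return dict(dwell)

if __name__ == "__main__":
    print(followed_servers(FLOWS, AGGREGATOR))
    print(dwell_times(FLOWS, AGGREGATOR))
```

Nothing here reads a payload: destination address and connection
time are the only inputs, and both stay visible under encryption.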

American company Cloudflare have an answer along the lines of "make 
all servers connect to users via us so that they're all using our 
IP addresses instead of one corresponding to each server". Very 
convenient for them that they then get to control access to every 
server on the internet, and also without any protection against 
security services getting their hooks into Cloudflare just like 
they might with ISPs.

So just encrypting your read-only access to a server with the aim 
of blindfolding a suspected big brother is a half-arsed measure at 
best[1]. Nothing wrong with having the option of course, but not 
worth forcing everyone to do it with HTTP to HTTPS redirects, or 
protocols only supporting encrypted connections, and thereby making 
the corresponding sacrifices.

What sacrifices? Very significant ones actually, for individuals 
respecting the promise of a light and frugal internet.

Encryption has an expiry date. As technology and cryptographic 
research progresses, old systems inevitably become insecure. To be 
of use not just for the anyway unreliable obscuration of your 
habits when downloading public content, but also for the more 
important job of protecting passwords and other private information 
sent over the internet, software must be continuously and endlessly 
upgraded.

What then if developers fail to keep upgrading this software? It 
cannot be used. If none support software for a particular platform,
then that platform becomes unusable. If that means you have to buy 
a new device or use software that you don't like, tough luck. If
you can't afford a new device or there isn't suitable alternative 
software, tough luck. If you want to write internet software 
yourself but can't commit the time to routinely adapt to changes in 
the encryption libraries, tough luck.

At the same time, the efficiency of encryption will always get 
worse, as more processing power is always required to encrypt data 
so that newer, more powerful, computers used to break that 
encryption can never catch up. So older computers will need to be 
upgraded just so that they are powerful enough to handle the more 
resource-intensive encryption, even when they could otherwise have 
been used yet for decades (yes decades, I'm coming to you from a 
25yo PC). Hardware-based encryption built into CPUs allows them to 
perform better with the cyphers used when they're made, but cannot 
be upgraded for systems that will be used in the future. The 
encryption-cracking possibilities of quantum computers threaten to
cause demand for a new suite of post-quantum cryptographic 
technologies, custom hardware for which is already being developed. 
When that becomes the new standard and integrated into new
hardware, old CPUs will be forced back to using slow software-only 
encryption and may become unusable. If, of course, this hasn't
already happened by progression of conventional encryption 
technology.

What I LOVE about Gopher is that I can still use the original 
University of Minnesota "Internet Gopher Information Client" to 
browse all of it[2], even though nobody has touched the code in the 
official release for over a decade. Plus I can use it without 
requiring a fast modern computer in order to take the load of 
modern encryption libraries. When I first discovered Gopher many 
years ago and wanted to see what a Gopher client was really like 
(not within Firefox's then still built-in support), I used a long 
since unmaintained closed-source gopher client on Windows XP (got 
to hand it to M$, backwards compatibility did work well sometimes). 
That would never have still worked if the protocol demanded 
encryption and therefore needed software to be updated every few 
years to keep pace.

Compare that to the web, for which a lot of more obscure 
open-source browsers have recently become unusable because they 
weren't updated to be built against OpenSSL 1.1. Furthermore, 
obscure unmaintained closed-source browsers on Windows, and also 
those for proprietary systems like old mobile phones, have been 
unusable for many years because their encryption libraries
couldn't be updated this far.

By removing the option of unencrypted connections for accessing 
public read-only content, server admins, and protocol designers, 
are shrinking the choice available to users over what software they 
use, and the range of hardware available to run it. They are 
putting an expiry date on both the software and the computers their 
users run it on.

I don't propose that users should be permitted to mistakenly send 
passwords, credit card details, or any other private info over
the internet unencrypted, or using insecure protocols. But for the 
case of public read-only access, where no such private information 
is submitted, as is the case for so much of the web that _I_ use, 
and all of Gopher (which by lack of session tracking, forms, or 
client-side scripting, pretty much precludes other applications 
anyway), encrypted connections are not essential. They are in fact 
not even widely effective when used in isolation for the benefit of 
privacy. As a choice, they are as welcome as the choice to use 
Gopher instead of the web. But as a rule, they are a gatekeeper to 
the internet forbidding entry to those whose preferences or
finances precluded an upgrade before the expiry date was up.

- The Free Thinker

[1] Another cause given for using encryption for read-only access 
to public info is that it prevents someone from modifying the 
content before it gets to you. This is a valid concern for users 
who may be silly enough to enter personal details into a fake page 
injected by a scammer. Though if there's no cause for the page to 
ask for such information, then a user going ahead and providing it 
would just as easily be scammed over an encrypted connection by 
sites that genuinely are run by scammers themselves. Such users'
problems are only properly solved by improving their own education 
about internet usage. Such an attempt wouldn't be very convincing 
on Gopher anyway given its limitations and usual applications.

Also, evil overlords could subtly modify the content to secretly 
manipulate us. I don't think anyone is manipulating phlog posts in 
order to control the Gopher-reading population, so I don't care 
about this with my own usage. You make up your own mind.

[2] With the exception of some pages where people try to cheat and 
use gophermaps instead of text files so that they can have 
HTML-like in-page links. But that's just abuse of Gopher's attempt at
a structured, yet still customisable, navigation system unlike 
HTML's handing of a link shotgun to web designers with which they 
can then shoot themselves in the foot.