Encryption, eh?
My initial reaction to Gemini was: 'Great, but why bother with encryption?'... Nothing I've seen published here requires encryption.
After reading and thinking some more, I decided that there was a decent reason for TLS -- to verify the authenticity of the servers. But no, the TOFU approach allows anyone with medium-long-term malicious plans to insert themselves into the ecosystem.
Furthermore, given the 'lots of little gemlogs' nature of the gemosphere, and the availability of portals that cache latest posts, it is easier to look at the portals. A rogue portal can impersonate anyone!
To quote a response to a recent Gemini-related post on `hackernews.com` (lammy):
- Personally I've come to believe none of it matters and that encryption is a total waste of time, at least for the kind of stuff I would want to publish using Gemini (long-form text) where there's nothing interactive or user-specific in any request. Just the act of making a network connection gives away who you are, where you are, when you are online, and what you're reading:
https://kieranhealy.org/blog/archives/2013/06/09/using-metadata-to-find-paul-revere/
Given all this, I would not bother with TLS at all. There is really no reason for it.
P.S. A few weeks later... Well, there is one reason: it is not trivial to inject advertising junk into pages...