Can someone make a secure password protected gopher hole, or is everything accessible to all?
Gopher Holes
Adam Ortiz
Other urls found in this thread:
sdf.org
khzae.net
khzae.net
twitter.com
Jordan Lee
dunno
Adrian Diaz
Is there a GoDaddy type thing for Gopher?
Owen Lee
>2018
>using plaintext protocols
DONT DO THIS GUYS
Jacob Peterson
why?
Jose Bell
sdf.org
"secure" not really with Gopher alone, but the password could be part of the selector. The server would check it before sending the content. It's passed as plaintext over the network though, hence not really secure.
You can put it on a protected network, however, like a VPN.
Robert Miller
>2018
>using plaintext protocols
DO THIS. It's time to return to Eden.
Joseph Thomas
Wait! What? How do you put a page on a VPN? I'm a bit tech illiterate
Christopher Myers
"plain text" or "plaintext"?
The former signifying content is mainly plain text (vs. HTML), the latter meaning the content is encrypted over the network.
Samuel James
What about being able to encrypt it? Can't one just encrypt the text before posting it in a hole?
Gavin Rivera
By "page" do you mean you want a single part of the otherwise public gopher to be private? That would be more difficult. Just running the server on a private network is nothing special, have you never encountered a company LAN you had to "tunnel" into with credentials to access outside work?
Robert Myers
Yea. OK. i get it
Sebastian Roberts
Sure. It's just not part of the protocol, so few if any Gopher clients will know how to decrypt it. You can always write a brand new server and client that can do this (and people have, gopher://gopher.umbrellix.net), but it's basically a new protocol at that point.
The encrypted private network (VPN) abstracts that away and let's you use any current Gopher server and client.
Luke Garcia
If you do need a "part" of your gopher to be protected, you could just run two gophers instead. One on the public network and the other on the private network. Gopher servers are obviously very light on resources so I can't really see that being much of an issue.
Camden Clark
I did not know that there was a public and private network using the gopher protocol. Obviously, I need to read up. I honestly just started using gopher as a hobby this morning. I downloaded GopherBrowser and just started milling around in the dirt, so to speak.
I am 45 years old and grew up in Cupertino Ca., but that does not necessitate computer intelligence, trust me. However, computer were always around, so it is not foreign. I remember my mom playing a game online in the mid 80s where one would type a text command and the game would respond with cryptic clues. I think it was called adventure or some shit. I found it boring and my low iq could not handle such things.
Brody Watson
No, the private network thing has nothing to do with the Gopher protocol specifically. It's below the level where protocols like Gopher or HTTP exist. You can run any kind of services on a VPN, Gopher being one of them.
There's currently no standard equivalent to say, HTTPS, where you can have a secure login, with Gopher. There's been projects to create such a thing, combining Gopher with SSL etc., but like how HTTPS != HTTP, such a thing is not quite Gopher and you need some additional software (like new Gopher clients) to make it work that way.
The best you can do purely with Gopher is , which is an equivalent to HTTP Basic Auth essentially. It's "reasonably" protected against people stumbling on to your "secret" files but susceptible to someone able to sniff your traffic because the credentials are not encrypted, same as HTTP.
Easton Thomas
Here's a weird little demo of "sessions" in Gopher. We don't have cookies so the ID is passed along in the selector (some HTTP sites actually do this instead of cookies too).
For example, the "secret" resource is a picture:
gopher://khzae.net/I/misc/session/secret.jpg
(khzae.net
You'll get an error trying to open that link, because only the user "richard" can access it.
Go to the main page first instead:
gopher://khzae.net/1/misc/session
(khzae.net
and log in by entering "richard installgentoo" (username and password) as the query to the Login "search" item. Follow the link back to the main page. Notice the session ID gets appended to the selector.
Now open the link to the picture from the main page and you'll be able to view it, because now the server can check the session ID against a list of valid ones and see you are logged in. The session is also set up to expire automatically after 2 minutes.
Now, the bad news of course is that when you log in, the "richard installgentoo" query is sent in plaintext, so someone sniffing your internet traffic would be able to see this. But that's no different from plain HTTP.
Dominic Reed
I though some clients already supported the secure login implementation
Jack Sanders
>the secure login implementation
I think there's been more than one attempt by different people, which do you mean? And I'm not really aware of one that also deals with "login", so unless they're adding something like HTTP headers to the protocol as well you'd still have to do something slightly evil like , just with less danger of your credentials being sniffed.
Camden Martinez
There is already a chan in gopher, is only matter of time someone make popular one of the SSL implementations.
Owen James
I hope so. In the meantime a VPN (if you need a "login") or hosting over one of the darknets (Tor, i2p, ...) are alternatives that can work relatively easily below the current servers/clients. And the latter also gets you anonymity, which SSL/HTTPS doesn't.