27-04-2021

Gemini uses TLS and it is common practice for Gemini clients to use self-signed certificates and TOFU.
No dependency on centralized CAs.

TOFU seems to work pretty well for SSH.
AFAIK not many people actively verify host fingerprints on first use.
It doesn't protect against MITM attacks on the first connection,
but I wonder if that's not a case of better being the enemy of good to some extent?

In short, nothing prevents a third party from mounting a MITM attack during the user's first connection to a gemini server.
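The TOFU scheme sketched above, as an added example that is not part of the original post: a known-hosts style pin store keyed by host and port that records the SHA-256 fingerprint of a server's DER certificate on first sight and refuses any later mismatch. The certificate bytes here are constructed stand-ins, and the host name, port (1965 is Gemini's standard port) and file path are assumptions; `fetch_peer_cert` shows where a real client would obtain the DER bytes and is not exercised offline.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Dict, List, Optional

# Constructed stand-ins for DER-encoded certificates; a real client takes the
# bytes returned by SSLSocket.getpeercert(binary_form=True).
SERVER_CERT_V1 = b"constructed-der-bytes-for-capsule.invalid-v1"
SERVER_CERT_V2 = b"constructed-der-bytes-for-capsule.invalid-v2"


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, the value an SSH-style TOFU store pins."""
    return hashlib.sha256(der).hexdigest()


def fetch_peer_cert(host: str, port: int = 1965) -> bytes:
    """Return the raw DER certificate presented by host:port.

    CA verification is switched off on purpose (self-signed certs are the norm
    on Gemini); trust is decided afterwards by the pin store, not by a CA.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class TofuStore:
    """Minimal known-hosts style store: "host:port" -> certificate fingerprint."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path  # assumed location, e.g. ~/.config/client/known_hosts.json
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def verify(self, host: str, port: int, der: bytes) -> str:
        key = f"{host}:{port}"
        seen = fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            # First use: there is nothing to compare against, so the certificate
            # is accepted unverified. This is the window the post describes.
            self.pins[key] = seen
            self._save()
            return "pinned-on-first-use"
        if pinned == seen:
            return "match"
        # Pinned and presented fingerprints differ: either a legitimate key
        # rotation or an interception. The client cannot tell which, so it
        # should refuse the connection and let the user decide out of band.
        return "mismatch"


def demo() -> List[str]:
    """Walk one host through first use, a repeat visit, and a changed cert."""
    store = TofuStore()
    return [
        store.verify("capsule.invalid", 1965, SERVER_CERT_V1),
        store.verify("capsule.invalid", 1965, SERVER_CERT_V1),
        store.verify("capsule.invalid", 1965, SERVER_CERT_V2),
    ]


if __name__ == "__main__":
    for step, result in zip(("first visit", "repeat visit", "cert changed"), demo()):
        print(f"{step}: {result}")
```

The "mismatch" branch is where TOFU pays for its lack of a CA: the store can only say that the certificate changed, not why, so a client that silently re-pins on mismatch gives up the one guarantee the scheme offers.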
