PERCEIVED RELATIONS BETWEEN GOPHER GEMINI AND HTTP The triplets from other mothers. This piece is written with the expectation that it will attract: * Those who are Gopher and Gemini enthusiasts, * Those who are the above and have the opinion I'm wrong, * Or those who have heard the two and want to know a bit more about them and their relation to the current web. If you haven't heard about either, you can quickly inform yourself by visiting these two links: Gemini: https://gemini.circumlunar.space/docs/faq.html Gopher: https://mncomputinghistory.com/gopher-protocol/ Now let's add some context: 1. I am not a Gemini or Gopher enthusiast. 2. I am not a HTTP enthusiast. 4. I deal with the pain that is everything web (I'm a full stack). I present my perceptions of Gemini and Gopher, and how they seem to be all somewhat overlapping, and then give my two cents for people to fight over. ☺ The piece is structured so the focus is Gemini (as it's the subject of the day) compared to HTTP and Gopher. It's not necessary to read sections which don't align with your interests. S 1. GEMINI THE MOVEMENT ___ ___ .d9969b d6966b. d66b'e( )a`d99b `d9p _/ \_ q6b' hjw / ( ) \ https://gemini.circumlunar.space/docs/faq.html This website is declared to be the HQ of the "movement". I say movement because that's what it feels like to me when people talk about it. I want to heavily emphasize that this is my *perception*. I've asked others and it appears this perception is accurate. The FAQ gives a taste of this sentiment: * "the web, stripped right back to its essence" * "modern web is a privacy disaster" * "leads to a [...] near-monopoly [of] browsers" * "[they] dictate the direction in which the web evolves" * "[...] be confident that they won't try to track you" * "so you know you can trust it." * "It's a very different, much more liberating and much more empowering experience" Among the various other expressions I see people write on the web. I have a problem with this because it turns a technical idea into a manifesto, attaching a political tone to what's just a hobbyist protocol at the end of the day. It's off-putting to those who want to explore a technology, and I believe this is what hurts Gemini the most, other than the fact it's currently niche. As technologists, and humans, it's important to consider our moral obligations. So if the expressions above are not politically focused, but morally focused, what about the statements where the technology is actually accessible by the public, the non-tech savvy? How can I trust a Gemini link won't serve me some malicious binary, or an HTML page (requiring a web browser once again), or the, Gemini server won't track my IP? The answer is you can't guarantee any of these. The following section will explore this further. Interestingly, in section 1.4 of the FAQ, "Do you really think you can replace the web?", is answered with a reasonable "no". So while many enthusiasts of Gem- ini push the envelope to stop using HTTP, Gemini itself is indifferent. I think signalling this indifference is really important to its success in a social realm. I would say this puts it on-par with the "Gopherspace", where enthusiasts offer Gopher as a courtesy. How come this sentiment isn't more strongly emphasized among the Geminists? S 2. GEMINI THE SPECIFICATION ░█▀▀░█▀▀░█▄█░▀█▀░█▀█░▀█▀░░░░░░░█░░░█ ░█░█░█▀▀░█░█░░█░░█░█░░█░░░▀░░▄▀░░▄▀░ ░▀▀▀░▀▀▀░▀░▀░▀▀▀░▀░▀░▀▀▀░░▀░░▀░░░▀░░ https://gemini.circumlunar.space/docs/specification.html On the technical side, Gemini is presented as a do-it-yourself, high power-to-w eight ratio, privacy conscious, simple protocol. After personally reviewing the protocol, my professional opinion is yes, it is, minus the fact you need TLS (secure connection). The FAQ also acknowledges Gemini isn't perfect: 2.6 Does Gemini have any shortcomings of it's own? Naturally! Gemini has no support for caching, compression, or resumption of interrupted downloads. More shortcomings can be found though. S 2.1. SHORTCOMINGS S 2.1.1. INSTABILITY The most glaring is that the Gemini specification itself is not stable. It addresses this instability, only to contradict itself mid-sentence later: You can write code to this pseudo-specification and be confident that it probably won't become totally non-functional due to massive changes next week, but you are still urged to keep an eye on ongoing development of the protocol and make changes as required. If there is confidence about non-breaking changes, why do I need to keep an eye on development and still make changes?...!? Gopher and HTTP does not have this issue. S 2.1.2. USER TRACKING All URI schemes inherently allow user tracking. For Gemini to claim this is just not correct. The claim is at https://gemini.circumlunar.space/docs/faq.html, S 2.4, P 1: In fact, Gemini requests contain nothing other than the URL of the resource being requested. This goes a very long way to preventing user tracking. Here is a proof: 1. Request gemini://blog.example.com/ 2. Receive the following: => gemini://blog.example.com/article1?identifier=84811757129 My first blog post! => gemini://blog.example.com/article2?identifier=84811757129 My second blog post! => gemini://blog.example.com/article3?identifier=84811757129 I have opinions! => gemini://google.com/results?identifier=84811757129 Say hi to Google for me! 3. The user bookmarks any of the preceeding Gemini URLs. 4. The user is being tracked each time they visit the URL, and can be across Gemini domains. Of course HTTP has this issue and Gopher can be abused in similar ways. S 2.1.3. A FOOTGUN To unsuspecting or unfamiliar users, Gemini can be used to deliver malicious software. Here is a proof: 1. Request gemini://blog.famous-internet-guy.ht/ 2. Receive the following: 20 application/octet-stream <... binary content ...> 3. The behavior is undefined - it could execute the malware, it could save it to disk, it could display garbage. Web browsers used to have this issue, but as we know today, there are many warnings and messages before an application can even begin downloading. Gopher appears to have the same potential issue. S 2.1.4 SOLUTION TO THE ISSUES Obvious solutions that come to me when I think of the problems above: 1. Finalize the specification. 2. Give warnings to users when it appears a website may try to track them. This logic should be scriptable since it's a cat-mouse game. 3. Standardize how Gemini clients should work to avoid undefined behavior like when downloading applications. S 3. HTTP ⊇ GEMINI ⊇ GOPHER _____ / \ , / /'''''\/ _ <>< ,'`./ / @ _ \/ | ` `.,'\ > <_) | \ \ /\_| \...../\ \\____/ (Art by Max Strandberg) After taking a good look at Gemini and Gopher a few months ago, to finally inform myself what all the talk was about, I was left with feeling that all this is just a pointless, feel-good, righteous endeavor. Let's start from the bottom up. Gopher is essentially a directory listing, and nothing more. It's used to find content, which is especially made apparent by how it does "search requests" (which I found to be super cool). Gemini is essentially Gopher, minus the cool search request feature, with yet *another* Markdown variant nailed onto the side of it, and a grating of HTTP flakes on top. Finally HTTP is the most flexible of the bunch: it can be made to do all the above and more. Obviously it's the heaviest. The argument which is then made (and acknowledged by the FAQ) is: *why not just use a subset of HTTP?* It seems the answer boils down to enforcement. I don't see why this is a problem though, because people need to force themselves to use Gemini clients. There would be less friction if browsers had a "subset" enforcement option, which tak- es advantage of the fact HTTP / HTML is everywhere. On day one there would be thousandfold more users of the "HTTP subset" than the entire Gemini user-base. The system I host this blog on uses a subset of HTTP / HTML so simple that it basically mimics exactly what Gopher does: the main page is a directory listing done with RSS / Atom, and each entry is something to download. I've opted to st- ick to plain text for most of my content, but if I wanted to, I could serve svgs or pdfs or anything. This means the entire system just boils down to HTTP GET, some basic XML, and nothing else. It's as simple as Gemini without being Gemini, and structured as Gopher without being Gopher. S 4. CONCLUSION As soon as some entity decides to release some HTTP subset enforcement mechanism (browser extension, browser update, whatever), Gemini has no reason to exist. I think Gemini is the mind child of someone who just had some time on their hands to create a "what-if" scenario, and you know what, I'm glad they did create it. It has led to conversations like this, and hopefully leads to the HTTP subset enforcment a lot of us technologists desire! So thank you Gemini for that. -- Len Thanks to kline\0 for reviewing the draft of this piece.