Zach DeCook: 1
TOFU: Create file if it didn't exist
1 files changed, 2 insertions(+), 0 deletions(-)
I think actually the TOFU code in this project is bad.
It sends two requests to the server, of which only the first has the certificate checked (a MITM could let the first request pass, then intercept the second, which is the one that actually carries the data).
Also, I believe the first request (made by ssl.getCertificate) is not a valid gemini request. Most servers allow it to work, but notably gmnisrv doesn't. I think that behavior is described by https://lists.sr.ht/~sircmpwn/gmni-discuss/%3C053b05cef8f6918e1d5caa47d44dc70b8311f91d.camel%40mycanofbeans.com%3E#%3CC7CNVUUNIV1G.2Q9ITTBUGVV68@taiga%3E
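The single-connection approach the comment above argues for, as an added Python example that is not this project's code: the certificate that gets the TOFU check is the certificate of the same TLS connection that carries the request. The in-memory store, the sample cert bytes and the hostnames are constructed assumptions.

```python
import hashlib
import socket
import ssl
from urllib.parse import urlsplit


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def check_tofu(host: str, der_cert: bytes, store: dict) -> str:
    """Trust-on-first-use check against `store` (hostname -> fingerprint).
    Returns 'new' (and pins the fingerprint), 'match' or 'mismatch'.
    A real client would persist `store`; here it is an in-memory dict (assumption)."""
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "new"
    return "match" if pinned == fp else "mismatch"


def fetch_gemini(url: str, store: dict, timeout: float = 10.0) -> bytes:
    """Fetch a Gemini URL over ONE TLS connection: check the peer cert of this
    connection with TOFU, then send the request on the very same connection,
    so a MITM cannot pass a checked connection and intercept an unchecked one."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 1965
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # CA validation replaced by the TOFU check below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if check_tofu(host, der, store) == "mismatch":
                raise ssl.SSLCertVerificationError(f"certificate changed for {host}")
            # Gemini request line: the URL followed by CRLF, on the checked connection.
            tls.sendall(f"{url}\r\n".encode("utf-8"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)
```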