
Re: gopher+ questions



On Sun, Jul 23 2023, Roman Pavlov wrote:

>> Besides the bare minimum to handle gopher+ protocol requests, is
>> anyone filling in their +ABSTRACT attributes or presenting +ASK forms,
>> or doing anything interesting with the protocol?
>
> I used to have a demo server with UMN gopherd and all the ASK forms and gateways
> that come with it as samples at the www.polarhome.com free shell provider; it's now
> down as the service itself is no longer active. I hope to run a full-featured
> gopher+ server again though. (I think that the security concerns of UMN gopherd
> are exaggerated. Mozilla/Chrome release new versions with fixes of "critical
> security flaws" almost every week, so we can expect that similar flaws do exist
> in the latest version too; this does not prevent users from using this
> software.)

I want to just jump in here...

UMN gopherd was written in a different era, before people were broadly
aware of the problems with buffer overflows in C.  I think it is safe to
say that the codebase is likely riddled with such bugs.  And nobody is
patching them.

Indeed Firefox and Chromium have had security bugs, but a difference is
that they are being patched and therefore, we hope, don't exist known to
the public for very long.

UMN gopherd bugs have been unpatched for 20+ years because nobody is
maintaining it anymore.

If you run it, you are relying solely on its obscurity for your
security.

I want to note that this is not a slam at all on the UMN gopherd
authors.  The code is absolutely typical of code from that time.  Apache
and sendmail spent some years being riddled with security advisories and
fixes as they worked to purge such things from their codebases.  UMN
gopherd had fallen out of favor by the time these efforts and awareness
spread, and thus never had the same sort of cleanup.

- John

