Latest Version 2022-07-05

Minus Protocol Specification

The Name of the Minus Protocol

The name Minus was inspired by Gopher Plus. Gopher Plus added features to Gopher; Minus subtracts features from Gopher.

Minus Transactions

Server: listens for TCP connections on port 1990
Client: opens a TCP connection to the server on port 1990
Server: accepts the TCP connection
Client: sends a file specifier that specifies the file to be downloaded
Server: sends the specified file or a UTF-8 text message explaining why the specified file was not sent
Server: closes the TCP connection

The client may close the TCP connection before the entire file is received. The server must tolerate this.

The specifier is one line of text which can contain only the characters inside the following quotation marks.

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_/."

The specifier may be just /, but, otherwise, it should not end with /. The specifier should also not contain //, .., ./, or /..

If the specifier is / or zero-length, the specifier will default to index.minus. This is similar to index.html in HTTP.

The error message mentioned above should be UTF-8 text with \n at the end of lines, and not \r\n.

There must be no other communication between the server and client. Notice that no information about the client is sent to the server.

Avoiding Information Exfiltration

Exfiltration of information from the client is prevented by only allowing the transaction above, but indirectly exfiltrating information from the server is still possible.

This could happen if all the files served are kept in one directory, and the specifier is combined with the path name of this one directory to form the path name of the file served. This is obviously insecure, yet many file servers are designed this way. Such servers have to use various strategies to mitigate the insecurity created by this design.

A better design uses an index that contains an entry for each file that can be served. Each entry relates a specifier to the path name of the file it specifies. With this design, only files listed in the index can be served, and the specifier need not contain any part of the path name of the file.
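The index design described above, together with the specifier rules from the Minus Transactions section, as an added example that is not part of the original specification. The index contents and file paths are constructed, the default document is assumed to be stored under /index.minus as in the URL example, and the last forbidden sequence is read as "/." (an assumption).

```python
import re

# Characters the specification allows in a specifier.
_ALLOWED = re.compile(r"[A-Za-z0-9_/.-]*")
# Sequences a specifier should not contain. The last item on the page is
# read here as "/." (assumption); "/.." is already covered by "..".
_FORBIDDEN = ("//", "..", "./", "/.")

# Constructed index: specifier -> path name of the file it specifies.
# The specifier shares no part of the path name on disk.
INDEX = {
    "/index.minus": "/srv/minus/home.txt",
    "/docs/spec.minus": "/srv/minus/published/spec-2022.txt",
}


def normalize_specifier(line: bytes):
    """Return the validated specifier, or None if it must be rejected."""
    try:
        spec = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    if spec.endswith("\n"):
        spec = spec[:-1]              # the specifier is one line of text
    if spec in ("", "/"):
        return "/index.minus"         # default document (assumed index key)
    if _ALLOWED.fullmatch(spec) is None:
        return None                   # character outside the allowed set
    if spec.endswith("/") or any(bad in spec for bad in _FORBIDDEN):
        return None
    return spec


def resolve(line: bytes, index=INDEX):
    """Map a request line to a file path using only the index.

    The specifier is never joined to a directory name, so a well-formed
    specifier that is not listed resolves to nothing.
    """
    spec = normalize_specifier(line)
    if spec is None:
        return None
    return index.get(spec)
```

A server would send the file at the returned path, or its UTF-8 error text when the result is None.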

Transport Security

Minus is insecure unless TLS is used or the server is run as a Tor Onion Service. Running as a Tor Onion Service is preferred because it makes everything easier. No registration of a domain name is necessary, no TLS certificate is required, and both server and client are easier to implement without TLS.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

Minus URL Format

Here is an example of a Minus URL.

minus://vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion/index.minus

(There is not a server at this domain. This is just an example.)

This has three parts: the protocol (or scheme) minus://, the host (an FQDN or an IP address) vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion, and /index.minus (the specifier sent by the client to the server). See the section above for the complete list of characters allowed in a specifier.

Minus URLs must be the only thing on the line they appear in.

Minus URLs in .minus documents should be selectable links that open the specified document. In a GUI client, these should be clickable.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

The .minus File Type

Files with the .minus filename extension should be UTF-8 text files. The server should not limit the length of lines in these files (as in Gopher). However, the client should.

Lines in .minus files should end with \n and not \r\n.

Minus URLs must be the only thing on the line they appear in.

The client should recognize Minus URLs in the text of .minus files and make them easily selectable. Selecting them should download the specified file. If the file downloaded is a .minus file, it should be displayed. If it is a .txt, .text, or .asc file, it should also be displayed, but without necessarily making URLs in the text selectable. All other files should be downloaded and saved to mass storage. The file names of files saved to mass storage will be the part of the specifier after the last /. Clients should check that the downloaded file is not actually an error message sent by the server instead of the specified file.

Minus does not allow for embedding other files in a .minus file such that they are displayed in the same window as the text. No URLs in the text should ever be automatically downloaded.
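The client-side rules above (a URL is a link only when it is alone on its line, and the file type decides whether the download is displayed or saved), as an added example that is not part of the original specification. The host pattern, the returned action names and the sample document are constructed for illustration; nothing is downloaded.

```python
import re

# scheme://host/specifier. The specifier character set is the one the page
# lists; the host pattern (letters, digits, dots, hyphens) is an assumption.
_URL = re.compile(r"(minuss?)://([A-Za-z0-9.-]+)(/[A-Za-z0-9_/.-]*)?")
_FORBIDDEN = ("//", "..", "./", "/.")   # last item read as "/." (assumption)


def parse_url(line):
    """Parse a line that consists solely of a Minus URL, else return None."""
    m = _URL.fullmatch(line)
    if m is None:
        return None
    scheme, host, spec = m.group(1), m.group(2), m.group(3) or "/"
    if any(bad in spec for bad in _FORBIDDEN) or (spec != "/" and spec.endswith("/")):
        return None
    return {"tls": scheme == "minuss", "host": host, "specifier": spec}


def links(document):
    """Return the selectable links: URLs that are alone on their line."""
    parsed = (parse_url(line) for line in document.split("\n"))
    return [url for url in parsed if url is not None]


def action_for(specifier):
    """Decide what the client does with a download: (action, save_name)."""
    if specifier in ("", "/"):
        specifier = "/index.minus"
    name = specifier.rsplit("/", 1)[-1]
    if name.endswith(".minus"):
        return ("display_with_links", None)
    if name.endswith((".txt", ".text", ".asc")):
        return ("display_plain", None)
    return ("save", name)   # file name is the part after the last "/"


# Constructed sample document.
SAMPLE = (
    "# Downloads\n"
    "minus://example.onion/index.minus\n"
    "See minus://example.onion/notes.txt for details\n"
    "minuss://files.example.org/pub/tool.tar.gz\n"
    "minus://example.onion/a/../secret\n"
)
```

Because the saved name is taken after the last / of a specifier that has already passed the forbidden-sequence check, it cannot contain a path separator or a parent-directory component.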

Display of Text in .minus Files

How the text of .minus files is displayed should be controlled by the client and its user. However, the text of the .minus file may indicate, with markings, what functions parts of the text play in the document.

For example, the text could indicate which lines of the document are headings and subheadings. This could be done by beginning the line with one or more # characters, followed by a space. The client and its user could decide how headings should be displayed. Similarly, the ` character could indicate the beginning and end of a code snippet, and the client could display these snippets differently from the rest of the text.

It is also acceptable for the client not to display marked text or markings differently from the rest of the text.

Minus Compared to Gopher, Gemini, and HTTP

Gemini is meant to be less complex and easier to implement than HTTP, but more complex than Gopher. Minus, on the other hand, is meant to be less complex and easier to implement than all of these others, including Gopher.

This simplicity is essential if the Internet is to, once again, become human-friendly.

HTTPS 1.1 and HTML5 are so complex that no single person can implement a server or a client that supports the entire HTTPS 1.1 and HTML5 standards. In fact it requires a large team of people to do so. It is, therefore, not surprising that there are very few clients or servers not based on some other client or server.

Because complexity is the enemy of security, this software is also insecure.

Perhaps the worst problem with HTTPS 1.1 and HTML5 is the way, by design, that they spy on users of HTTPS 1.1 clients. In Minus, the only information communicated by the client to the server is the specifier that specifies the file to be downloaded. This is very different from HTTPS 1.1. Even worse, HTTPS 1.1 allows the server to download and store information onto the client machine that is not explicitly requested by the user.

When I implemented my own Gopher server, I found that even Gopher has complexity I do not need or want. This is why I am doing this.
