Gemini server certificate replaced
A number of people have been in touch to tell us that the certificate on our gemini server had expired.
Thanks for the feedback, but actually we were aware of this and deliberately did not update it immediately:
Gemini checks certificates differently from a web browser. Gemini clients generally use trust on first use (TOFU): the first time a client connects to a host it records the certificate it is shown, much as SSH records a host key in known_hosts, and on later visits it compares what the server presents against that stored pin rather than against a CA chain. The specification recommends this approach (section 4.2) and suggests that self-signed certificates be treated as at least equal to CA-signed certificates in terms of trust.
When we set it up, we ignored this advice and used a ‘real’ CA-signed certificate, which expired after 90 days.
Unfortunately, every user who had visited the Gemini server up to that point now has that certificate pinned, and if we change it, their client will typically show a warning when they next visit because the certificate has changed (even if the new certificate is also a valid CA-signed certificate).
So we deliberately left the expired certificate in place, because we wanted to see whether new users who had not visited the site before would see errors, or whether their clients would simply accept the expired certificate as valid; i.e. we wanted to see how Gemini clients implement TOFU in the real world (which, as a research organisation, is typical of the sort of thing we focus on).
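To make the pinning behaviour above concrete, here is a small TOFU checker written for this note; it is an added example, not code from our server or from any Gemini client. It follows the pinning rule as I read it in section 4.2 of the specification (pin on first use, proceed on a match, silently re-pin if the pinned certificate has already expired, otherwise warn), and it adds a RejectExpired switch to model the implementation choice we wanted to observe: whether a client refuses an expired certificate at all. The hostname gemini.example, the dates and the certificates are all constructed; real clients vary, and one that warns on every fingerprint change would report Mismatch where this code reports Rotated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Verdict is what a TOFU client decides when a server presents a certificate.
type Verdict int

const (
	Pinned   Verdict = iota // first visit: fingerprint stored, connection proceeds
	Match                   // same certificate as pinned: proceeds silently
	Rotated                 // pinned certificate had expired: new one silently pinned
	Mismatch                // pinned certificate still valid but changed: warn the user
	Expired                 // presented certificate is past NotAfter and the client refuses it
)

func (v Verdict) String() string {
	return [...]string{"Pinned", "Match", "Rotated", "Mismatch", "Expired"}[v]
}

type pin struct {
	fingerprint string
	notAfter    time.Time
}

// KnownHosts is an in-memory stand-in for a client's persistent pin store.
// RejectExpired is an assumed client policy switch: whether an expired
// certificate is refused even when its fingerprint is new or already pinned.
type KnownHosts struct {
	pins          map[string]pin
	RejectExpired bool
}

func NewKnownHosts(rejectExpired bool) *KnownHosts {
	return &KnownHosts{pins: map[string]pin{}, RejectExpired: rejectExpired}
}

// Fingerprint is the SHA-256 of the DER encoding, the usual pin for TOFU stores.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Check applies the TOFU rule to the certificate presented for host at time now.
func (kh *KnownHosts) Check(host string, cert *x509.Certificate, now time.Time) Verdict {
	if kh.RejectExpired && now.After(cert.NotAfter) {
		return Expired
	}
	fp := Fingerprint(cert)
	p, known := kh.pins[host]
	switch {
	case !known:
		kh.pins[host] = pin{fp, cert.NotAfter}
		return Pinned
	case p.fingerprint == fp:
		return Match
	case now.After(p.notAfter): // old pin has lapsed: accept the replacement quietly
		kh.pins[host] = pin{fp, cert.NotAfter}
		return Rotated
	default:
		return Mismatch
	}
}

var serial int64

// SelfSigned mints a throwaway self-signed certificate for host. It stands in
// for both the CA-issued certificate and its self-signed replacement, since a
// TOFU client only looks at the fingerprint and validity dates.
func SelfSigned(host string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	const host = "gemini.example" // constructed hostname
	day0 := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	day := func(n int) time.Time { return day0.AddDate(0, 0, n) }
	caCert := SelfSigned(host, day(0), day(90))     // the 90-day certificate
	newCert := SelfSigned(host, day(120), day(485)) // the self-signed replacement

	returning := NewKnownHosts(false)
	fmt.Println("returning user, day 0:  ", returning.Check(host, caCert, day(0)))
	fmt.Println("returning user, day 100:", returning.Check(host, caCert, day(100)))
	fmt.Println("returning user, day 120:", returning.Check(host, newCert, day(120)))
	fmt.Println("new strict user, day 100:", NewKnownHosts(true).Check(host, caCert, day(100)))
	fmt.Println("new lenient user, day 100:", NewKnownHosts(false).Check(host, caCert, day(100)))
}
```

Two outcomes are worth noticing. A returning user whose client does not check dates sees no warning at all while the expired certificate stays in place (Match), and then, under the spec's rule, accepts the replacement quietly once the pinned certificate has lapsed (Rotated); had we swapped the certificate before day 90, the same user would have been warned (Mismatch). A new visitor, by contrast, either pins the expired certificate without comment or is refused outright, and which of those happens is purely a client implementation choice.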
But enough already... We'll change it to a self-signed one, so expect to be prompted to accept a new certificate the next time you visit.
Thanks again for all the feedback we received about this! It's nice to see more people using the gemini server.
“We already knew, but thanks anyway…”