web0 manifesto

“…web0 is web3 without all the corporate right-libertarian Silicon Valley bullshit.”


Sign your name and join me in starting the year as you mean to go on: without tolerating any bullshit.

Happy New Year! :)


G’morning folks, how lovely to wake up and see the new signatures on the web0 manifesto


By the way, if you are having trouble signing, it may be because your email server implements an archaic anti-spam technique called greylisting. I’m going to look into adding basic support for it but please also contact your email provider and remind them it’s 2022. Spammers have long worked around greylisting. Today, it just makes things harder for legitimate small web use cases.


Also, some folks have mentioned on the fediverse that they don’t have a web site to link to… please feel free to use the link to your fediverse account (Mastodon, etc.)

But please don’t link to people farmers like Twitter, Facebook, etc., or to sites with trackers from them.

I’m going to look through the links today and contact you to see what we can do if any look problematic.


Finally, a couple of you have reported not being able to add your site if it doesn’t load over a secure connection (TLS).

That’s by design :)

It’s 2022 and we should all be doing our best to encourage good practices. HTTP is not secure. It means people who visit your site could be hit with man-in-the-middle attacks.

Thankfully, we have a free/automated way to implement TLS now with Let’s Encrypt.

And servers like Site.js (sitejs.org) do it automatically for you.

I’ve now implemented a retry feature on the web0 manifesto if your email provider implements an archaic and ineffective anti-spam technique called greylisting (which very effectively messes with legitimate transactional emails, however) 🤷‍♂️

PS. Huge freaking typo in error title that I missed has now been fixed. Thanks to m.nintendojo.fr/@mortal/107554 for the heads up :)

@aral Only issue is that even though things like certbot make it reasonably simple to get a cert, it still feels like a very janky experience based on my experience

Of course that's not really an excuse, but I can definitely see why it'd make people not want to deal with it

Also traditional certs could definitely use a more decentralised alternative imo

@SigmaOne I don’t disagree but I also don’t see it changing unless we build a completely new tech stack. And some folks are doing that but that’s not really the web. I see the things we’re doing as building bridges towards a world where we can do such things.

Also, with Site.js (sitejs.org), at least, it’s entirely automated. You don’t have to do anything special. You just run your server and it does everything for you, zero config. So I know first hand that it’s possible :)

@aral Why can't you let people decide for themselves what they want to keep private and what public? Why force people to obey the authoritarian CA business? Why the arrogance when it comes to protecting the environment? Very disappointing imo.

@gert Dude, I’m just using TLS. I’m pretty sure there are more important things to get upset about.

@aral I keep seeing these obvious dichotomies and I just don't get it. Protesting against crypto coins but promoting and pushing TLS *everywhere* as if TLS is *not* crypto. I also sometimes see very subtle allusions made by others regarding your dichotomies that you seem to ignore, as if you are not aware of what you are doing.. Or if I had fiber at home, I would immediately and happily say goodbye to Hetzner. Etc. Maybe I'm missing something, dunno..

@gert @aral I have never seen an objection to cryptocurrency that had anything to do with the technical detail that cryptocurrencies make use of cryptography.

@clacke @aral @gert Indeed. "cryptocurrency" is not a descriptive name: practically any currency transaction is encrypted (isn't it what DES was invented for in the first place?)

@aral @gert At first glance, you're missing:

The point of being against NFTs. Spoiler: It isn't the "crypto" part in "cryptocurrency".
A basic understanding that other people may not operate on the same exact values as you and it's fine. Seeing dichotomies in people just means you don't get them.
The necessary social restraint to avoid spelling out publicly the aforementioned misunderstanding to people who aren't supposed to do anything about it.

Let me know if these were useful in any way.

@aral Apparently it was judgement day for all those recalcitrant crypto refuseniks.


How sad...

you've been fooled by #BigTech propaganda about TLS.

Who pays the bills of Let's Encrypt?
How secure is a system that enables any certification authority in the world to impersonate any HTTPS website?

#HTTP is inherently decentralized through proxies. And you don't need TLS to have cryptographically signed contents that let clients avoid MitM attacks.

HTTPS instead forces your client to connect to the server even for non-sensitive contents that could be safely cached by middle proxies.

And that, in turn, enables servers to track people with higher precision.

So, yes, it's 2022 and I don't want to enable HTTPS on websites that do not need it (no sensitive components and no forms or JS).

And I do so exactly to spread awareness about the limits and implications of HTTPS everywhere propaganda.

@aral I am a big fan of #LetsEncrypt and use it on many systems. However, there is a legitimate opposing viewpoint: 1) it prevents self-sufficiency; 2) A small set of large orgs decide who's a legit CA for billions; 3) Let's Encrypt won't issue certs for countries the USA has sanctioned.

#NNCP author has expressed his thoughts in more detail on this: lists.cypherpunks.ru/archive/n and lists.cypherpunks.ru/archive/n and lists.cypherpunks.ru/archive/n . It led me to hosting a TLS mirror of the site

@aral Alternatives to #TLS [thread]

There are lots of alternatives to TLS out there. At the protocol layer, things such as #Yggdrasil and #ipsec can make things secure. #Yggdrasil, like @cjd 's #Hyperboria (#cjdns) before it, is an overlay network where every target IP is essentially a public key. #DNSSEC also helps here.

@aral @cjd Alternatives to #TLS 2/

Moving up a layer, TLS can be used without public CA infrastructure (eg, #Syncthing) by exchanging key validation information by other means. Also, the #Noise protocol is a viable TLS alternative in many cases.

@aral @cjd Alternatives to #TLS 3/

Multiple app-level projects exist to build a distributed Internet (or web), and most of them have E2E encryption built in. Examples: #IPFS and #DAT/#Hyperdrive as distributed filesystems/websites, #libp2p for general communication, #Scuttlebutt (gossip) for social, #Syncthing for data sync, #NNCP for asynchronous transfer, #Meshtastic #jami and #briar for E2E IM, etc.

@jgoerzen @aral
Ideally the key exchange would be handled through DNS, but DNS doesn't work so they invented x509 which also doesn't work.

@aral @cjd Alternatives to #TLS 4/

TLS only protects data in motion. It does not protect against, eg, a hacked webserver. Things such as #OpenPGP (#gpg or #sequoia) signatures still have a place and prove more about authenticity than TLS does. With signed content, in fact, TLS is much less useful (maybe preventing an attacker from showing you outdated content), which is why many Debian mirrors -- whose content is fully authenticated by apt -- have historically been non-https.

@aral @cjd Alternatives to #TLS 5/

Projects such as #FreedomBox aim to put many of the technologies I've mentioned here, and then some (eg, #BitTorrent) in the hands of people via very low cost hardware and Open Source software on it.

@aral @cjd Alternatives to #TLS end/

If you're thinking of #SmallWeb and #SmallTech and a #decentralized #Internet, think about security more broadly than TLS. TLS is useful, but the security story is broader than that. I could go on: #Tor hidden services, #ssh, #freenet, etc., are all things that secure without TLS. Many of the things I've mentioned secure BETTER than TLS, at least in some respects.

#web0 should be broad, about all this!

@jgoerzen @cjd Indeed. I see Small Web as one approach to web0. We need many.

@aral @cjd Yes! Perhaps I understood web0 to encompass the many. I believe, by the way, that the days of an individual being able to easily run a public webserver on the likes of a Pi are numbered, or maybe already past. Internet access is common, but listening on port 443 on a stable IP with enough power to withstand the routine bad actors isn't. It may not be #IPFS exactly, but we desperately need some sort of decentralization to make this feasible.

@aral @cjd My own website - which is good enough to usually withstand a mention on Hacker News - runs on a grunty box in an OVH data center. It isn't even popular at all, but it's been decades since I could host it at home. The attacks come in at many requests per second usually. It would never survive anything "going viral". Yes people can rent server or hosting space in whatever form, but real power to the people requires more aggressive decentralization.

@aral @cjd But still, those things aren't really here yet, so incremental improvements are needed and welcome!

@aral @cjd Let me summarize this way: the effort should focus on the concept of the decentralized web (free hypertext linking across the globe, embedded media, low-friction publishing, etc.) rather than tying it to a specific contemporary protocol that may or may not really be able to usher in that kind of reality.

@jgoerzen @cjd My only warning here would be for IPFS (it’s by a VC-backed corporation) so it’s not like the others. Big fan of hyperdrive, etc., and I actually prototyped a Syncthing-based native social app when we first started Ind.ie (Heartbeat).

@jgoerzen @aral @cjd Yggdrasil looks interesting, but they politely ask not to use a crawler on the network. That doesn't sound so good? What happens if it gets popular and you can't count on people's general good behavior to keep the network from clogging up.

In this era I would think protocol designers would assume bad intentions all around and design for that?

@teleclimber @aral @cjd #Yggdrasil is still on my list of things to try, but I wouldn't take that as an indication of network fragility - rather an indication that "hey, if 10000 of you are crawling the entire network space, you're going to really ruin the experience for Android users on 3G". Keep in mind this gives every participant a reachable IP on the network, so there's no ISP filter preventing that sort of thing like residential Internet often has.

@teleclimber @aral @cjd I guess the other thing I would say is "everyone has to start somewhere." Don't let the perfect be the enemy of the good.

@jgoerzen @aral @cjd I fully subscribe to this, however some problems are harder to fix later, and in particular when you're talking about protocols. The fundamentals have got to be right. Regarding Yggdrasil, my purely personal opinion is that maybe exposing every user's IP on a global network is maybe not the best idea. My guess is it leads to the kind of burden that gives rise to centralized nodes that block the bots/crawlers/scammers/whatever. Then back to square 1.

@jgoerzen @aral @cjd right but what bugs me is that this is how re-centralization happens. A protocol can be decentralized technically, but if in popular use it is a bad experience then someone will create a beefy node as a proxy, and then you have Gmail all over again.

@teleclimber @aral @cjd Fair. And even if just in popular use it is a "new" experience. I think we're seeing that with #IPFS and the #Cloudflare proxy, right? I don't know that it's necessarily a better experience than, say, integrated go-ipfs in Brave... but it is one that doesn't require any additional local software.

@jgoerzen @aral @cjd Yeah that seems like that's the dynamic. You just have to expect that centralized services will always try to "help" (and help they do in terms of convenience usually, but they harm the network by centralizing it).

Gordon Brander (mastodon.social/@gordon, unfortunately only on Birdsite now) has been doing a lot of thinking about this: how does a network stay decentralized given the forces that naturally push towards centralization?

@teleclimber @jgoerzen @cjd This is why Small Web is single tenant. Remove economies of scale and you poison the well for corporate capture/centralisation.

@aral For signing on behalf of projects it's ok to link to the repository or something similar right?


Indeed @aral it is

without all the corporate right-libertarian Silicon Valley bullshit.

@aral I'm loving checking out the websites from the signatures. It's all what the web should be. No bloat, ads, trackers, just good meaningful content and people! (Also someone added google 🤦‍♂️ )

@aral 95% of the spam my rspamd filters is prevented by greylisting. greylisting is perfectly fine if one implements SMTP correctly, which means that there will be multiple attempts to deliver mail.
what really makes shit hard is stuff like dkim, spf, dmarc, because everyone has a different idea what is required and they make configuration of a mail server even harder.
sorry for the rant.

@mortal Haha, yes. Wow! How did I not see that. (Fixed!)

Appreciate it :)

@aral hah, I didn't see it either, one of those brain seeing what it wants to see moments I guess.

@aral Hi, we are one of those, and default to greylisting through Postscreen github.com/modoboa/modoboa-ins

Also I wanted to find the link to en.wikipedia.org/wiki/Greylist

Can you share the other, more effective spam mechanisms that you do know of?

Meanwhile opting for the manual "I'm not a robot." way in ~ 5'.

@aral Email is a store-and-forward protocol - and should cope with temporary errors.. That is the whole point of a 450 error! If your web app is just dumping the email and not using an SMTP-compliant MTA, that is really not the recipient's fault!


@aral 2/n Greylisting was and still is a reasonable mechanism to prevent spam as it's very cheap for the recipient.. You just say go away and come back later.. So there is no expensive spamassassin / clamav to use.

And hopefully if a spammer does come back later, they will be on an RBL so can be blocked with a DNS lookup


@aral More on message though..

Greylisting became less useful because large centralised email service providers.. like mailchimp/mailgun/sendgrid.. did NOT USE the same outgoing IP for retries.

So the Greylisting tuple of (IP, Sender, Recipient) would not match and that would cause an eventual permanent failure
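The greylisting mechanism argued about in this thread (the 450 temporary failure on first contact, the store-and-forward retry that a compliant MTA performs, and the (IP, sender, recipient) tuple that no longer matches when a bulk sender retries from a different IP) can be made concrete in a few dozen lines. The block below is an added example written for this page; it is not code from the web0 manifesto, modoboa, Postscreen or rspamd. The delay and expiry values are constructed, the recipient and client addresses are documentation/test addresses, and the "key by /24 instead of exact IP" option is an assumed, postgrey-style tolerance for retries from a neighbouring address in the same sending pool.

```python
"""Greylisting filter plus the sending-side retry loop it relies on.

Added example, not code from the web0 manifesto or any MTA on the page.
An unknown (client network, sender, recipient) triplet gets a 450 reply;
a store-and-forward sender retries later and is accepted once the retry
falls inside the window. All timings and addresses are constructed.
"""
import ipaddress

TEMP_FAIL = "450 4.7.1 Greylisted, please retry later"
ACCEPT = "250 2.0.0 OK"
HOUR = 3600.0


class Greylist:
    def __init__(self, min_delay=300.0, max_wait=4 * HOUR,
                 whitelist_ttl=36 * 24 * HOUR, by_subnet=True):
        self.min_delay = min_delay          # a retry is accepted only after this delay
        self.max_wait = max_wait            # pending triplets expire after this long
        self.whitelist_ttl = whitelist_ttl  # how long a passed triplet stays trusted
        self.by_subnet = by_subnet          # assumed option: key by /24 (IPv6: /64)
        self._pending = {}                  # triplet -> time of first attempt
        self._passed = {}                   # triplet -> time of last accepted delivery

    def _key(self, client_ip, sender, recipient):
        addr = ipaddress.ip_address(client_ip)
        if self.by_subnet:
            # Tolerate a retry from a neighbouring address in the same pool
            prefix = 24 if addr.version == 4 else 64
            net = str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
        else:
            net = str(addr)
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply the server should give at time `now`."""
        key = self._key(client_ip, sender, recipient)
        last = self._passed.get(key)
        if last is not None and now - last < self.whitelist_ttl:
            self._passed[key] = now        # trusted triplet: accept and refresh
            return ACCEPT
        first = self._pending.get(key)
        if first is None or now - first > self.max_wait:
            self._pending[key] = now       # new or stale triplet: ask for a retry
            return TEMP_FAIL
        if now - first < self.min_delay:
            return TEMP_FAIL               # retried too eagerly: keep waiting
        del self._pending[key]             # retry inside the window: a real MTA
        self._passed[key] = now
        return ACCEPT


def deliver_with_retry(submit, schedule):
    """Sending side. `submit(i, t)` performs attempt i at time t and returns
    the server reply. A 4xx reply means try again at the next scheduled
    time; 2xx is success; anything else is permanent. Returns (delivered,
    attempts). A web app that treats the first 450 as final never delivers."""
    attempts = 0
    for i, t in enumerate(schedule):
        attempts += 1
        reply = submit(i, t)
        if reply.startswith("2"):
            return True, attempts
        if not reply.startswith("4"):
            return False, attempts
    return False, attempts


def scenarios():
    t0 = 1_700_000_000.0            # constructed epoch timestamp
    gl = Greylist()
    rcpt = "sign@web0.example"      # constructed recipient address
    out = {}
    # 1. Proper MTA on a fixed IP: 450 on first contact, accepted on the retry 10 min later
    out["compliant"] = deliver_with_retry(
        lambda i, t: gl.check("203.0.113.10", "alice@example.org", rcpt, t),
        [t0, t0 + 600])
    # 2. Fire-and-forget spam never retries, so it never gets past the 450
    out["spam_once"] = gl.check("198.51.100.7", "x@spam.invalid", rcpt, t0)
    # 3. Retry from a neighbouring IP in the same /24: the subnet key lets it through
    pool = ["192.0.2.1", "192.0.2.2"]
    out["same_subnet"] = deliver_with_retry(
        lambda i, t: gl.check(pool[i], "updates@bulk.example", rcpt, t),
        [t0, t0 + 600])
    # 4. Retries from unrelated networks: every attempt looks new, the mail never lands
    rotating = ["192.0.2.1", "198.51.100.9", "203.0.113.77"]
    out["rotating_ips"] = deliver_with_retry(
        lambda i, t: gl.check(rotating[i], "promo@bulk.example", rcpt, t),
        [t0, t0 + 600, t0 + 1200])
    # 5. A day later the trusted triplet from case 1 is accepted on the first try
    out["trusted_later"] = deliver_with_retry(
        lambda i, t: gl.check("203.0.113.10", "alice@example.org", rcpt, t),
        [t0 + 86400])
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14s} {result}")
```

Cases 1 and 5 are the path a standards-compliant sender takes; case 2 is why the recipient side finds greylisting cheap; cases 3 and 4 show both the subnet tolerance and its limit when a bulk provider retries from an entirely different network, which is the failure mode described above.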


@aral is there a specification or technical doc about it?
Otherwise I don't know what I am signing

Aral’s Mastodon