Chromium, aka Google, just keeps proposing new standards to make the web less private and secure for users. We need to find a way to stop this.

Allow JavaScript to make direct TCP and UDP connections? Sure!
theregister.com/2020/08/22/chr

Packaging up an entire website into a file so individual ads can't be blocked? Also sure!
brave.com/webbundles-harmful-t

Really shows the problem of their monopoly, as well as the effect of corporate interests on a common space.

@makeworld Chromium is already the OS for the web. Mozilla has now basically become a brand company, emptying even MDN after years of being on Google's payroll directly. We should be using our remaining time on clearnet to find other solutions.

@am @makeworld Best initiative I know of so far is gitlab.com/spritely/spritely/- by @cwebber . That said, nobody is actively forcing us to make web pages which don't work in Lynx. The low-tech web will last many years still, although initiative after initiative will choke the air supply over time. E.g. TLS, which is great in itself, makes just firing up a webserver and “forgetting” it a lot harder, as you have to hook into the centralized PKI infrastructure.

@Steinar @am @cwebber Gemini is an example of a low tech web alternative that uses TLS, but not centralized PKI.

gemini.circumlunar.space/

@makeworld @am @cwebber Which again makes the conscious choice of significantly lowering security, since TLS was designed for using PKI in the first place, which can be a very serious problem if Gemini garners enough attention.

@Steinar @am @cwebber have you looked into how the Gemini TOFU system works? It's not perfect, but there is still security.

@makeworld @am @cwebber Yes, I have looked at it. I didn't claim it was without security, but I stand pretty vehemently by my claim it lowers security. And the entire idea of having certificates being long lived is the inverse of what we do with certificates everywhere else. But, if a Gemini certificate is short-lived, the site increases its vulnerability, etc, etc. I don't disagree you get some security, but I find the pattern problematic.

@Steinar @makeworld @cwebber The best initiative you know of is this design document for some virtual game world?

@Steinar @makeworld @cwebber I actively full-time work to make this happen at urbit.org but I'm interested in whatever combination of a million possible solutions develop.

@am @makeworld @cwebber Thanks, very interesting, I have never heard about it before.

@am
Thanks for publishing the link. I'd noticed the project in conversations, but the URL wasn't in your profile and didn't come up in a tag search from my home instance

From a first glance, the idea most immediately relevant for you would be pet names. At the moment, Urbit has a 3 part identifier including a username part that most people would focus on and a random thing that distinguishes people with the same user name. So how does a person reliably tell the difference between Alice (some string beginning with 'F2DE') and Alice ('F2D3' something)? Pet names is a UX layer where someone can create local aliases for globally unique identifiers so that it's instantly detectable when there's an attempt to impersonate someone on their contact list

Also games... They're a great way to introduce people to novel ideas or a large domain specific vocabulary, and you get real world pen testing with a sophistication approaching state actors for no extra charge :awesome:

@Steinar @makeworld @cwebber

@yaaps wait what

Urbit @ps are user-memorable syllabic names indicating a position in a big tree for peer discovery. I'm ~haddef-sigwen.

@am
Sorry, I had only a quick read through and misinterpreted your choices on Zooko's triangle. That kind of name space could still benefit from pet names, but it wouldn't be the same degree of benefit as if the naming scheme wasn't user readable

@yaaps @am Looks like the namecoin approach. Which I think really isn't much better than DNS, at least in terms of how susceptible it is to phishing.

ICANN is only one of many problems with the DNS direction. Putting DNS on a blockchain doesn't solve the other problems, IMO.

@am @makeworld @cwebber Yes. It is. He is doing some seriously interesting work and heavy lifting in this project.

@am @Steinar @makeworld That design document is actually in progress, or rather much tooling for it is. The most interesting of which is probably Goblins: docs.racket-lang.org/goblins/i

Though there are other pieces, such as the storage pieces (which have spun out into the Datashards project)

I guess not unrelated... I just published dustycloud.org/blog/if-you-can

Design docs aren't interesting. Live playable demos are interesting. Expect more in the next few months.

@makeworld And Mozilla wants out of the standards business so they can focus on making a profit.

@makeworld Direct TCP and UDP connections would be quite nice for AddOns, because that would enable the implementation of other protocols like Gemini, Gopher or even Dat and IPFS

@waweic maybe, but even then I'm wary. However this is about any website code being able to do that, which I'm against, even with a permissions based model.

@makeworld @waweic I agree with @makeworld here, it's tools for closing down the ecosystem even more. And that's before looking into the security aspects.

@Steinar @makeworld I think it's rather a result from an already closed down ecosystem

@Steinar @makeworld As much as capitalism, the resulting cluttered ecosystem and in turn resulting network effects are a vicious cycle, yes

@makeworld
For now I would argue for returning to older standards for the web. Maybe pipe them through new crypto. Stripping away JS and making CSS client side like how it started. #ipfs is opaque and #hypercore / #datprotocall has a nice UX but the sole client requires Chromium.

@SwindlerOfInsanity Gemini sort of does this, and it's a great protocol and ecosystem. Definitely simplifies.

@makeworld
If an entire site were to be bundled in one large file, how could custom ads be sent to each individual client?

@taziotoninzo I'm not sure about custom ads, but my understanding is that now you can't block ads until after they've already been downloaded, or potentially not at all now because they don't have unique URLs.

@taziotoninzo @makeworld Indeed, this is one of the reasons why I don't buy the Brave article.

A good discussion of Web packaging is also in RFC 8752.

@makeworld the hypocrisy Brave has by criticizing Google and Chrome and then turning around and using Chromium as their browser engine

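I feel wbn is actually pretty good: you can use the signature to verify a wbn's validity in order to access an existing website's resources; on an offline network you can create a new namespace directly from the signature, and once the site's wbn signature verifies, you can directly use the namespace that was created while offline.
As for privacy protection programs, they can still work based on URLs, so I don't think this is a big problem.
Raw sockets, on the other hand, struck me at first glance as something that could be used for DDoS.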

@makeworld I'm surprised it took this long for someone to reimplement Opera Mini %)

...for completely different reasons

@makeworld
Remember when JS couldn't connect to domains that weren't its own?

@makeworld It is more complicated than that, and Brave is not perfect either. Bundles are a very good idea (although of course the devil is in the details) and one of the arguments ("Origin Confusion") seems quite wrong: because resources are signed, bundles REENABLE origin authentication, which was threatened by CDNs.
