Kartik Agaram @akkartik

scripting.com/2018/06/12/14032

RSS and Google Reader are Dave Winer's pet peeves, and I'm sympathetic. But he's missing an even better example: what Google did to Dejanews. Just look at all these complaints about stuff that used to be on Usenet that is no longer available: hn.algolia.com/?query=groups%2

@jbond

The part about HTTPS totally makes sense. I've been struggling to articulate this for a while.

@akkartik @jbond wait how does the https part make sense?

I get that it's a hassle, but that it is some sort of Google conspiracy or will increase their control of the web seems totally tin foil hat.

@britt @akkartik There's a side effect here of Google's monopoly. Search+Chrome+Android means that regardless of whether https is necessary in a particular case, Google can effectively hide any site or source that doesn't use https. You can see that as a good thing or a bad thing. And you don't need tin-foil-hatage to see it. More likely is that Google will just do something, for reasons, and we'll just have to put up with it. No malice, just unforeseen consequences.

@jbond @britt Consider the example of mail standards. Google has done a bunch of stuff that is plausibly to address spam that has the side effect of making it much harder to get deliverability with a DIY mail server.

I've kinda assumed HTTPS was a stronger case than this, but Dave Winer is now giving me reason to put the two phenomena in the same category.

@akkartik @britt yup. I'm also just tired of the endless developer taxes on the small developer. I get it that any site big enough to have a two developer team should deal with cookies, GDPR, https, etc etc etc. But now I'm no longer paid to develop, I resent that I'm told I have to play along.

@jbond De-listing or aggressively demoting HTTP-only sites in ranking seems like too heavy-handed of an approach.

@akkartik I think there is something useful about telling people your blog is not encrypted, though it shouldn't be marked "dangerous" like submitting an unencrypted form. Whoever is sitting on the network can see that I'm going there which is a bit of my data, but also I can't know that the contents haven't been tampered with in transit. Seems tinfoil hat until you use hotel wifi.

@britt Ah, that's a useful distinction. Google doesn't seem to have the incentive to properly distinguish those two cases.

@britt I guess they're finding that the padlock on the location bar isn't salient enough for laypeople. And it's probably getting gamed to heck.

@akkartik General UX criticism: The padlock is too subtle I think. Changing the color of the whole address bar or something similar would be better.

@britt @akkartik I think level of intrusiveness should change based on user activity, read vs post comment vs enter credit card....

@britt @jbond There's lots useful about https. But there's nothing useful about telling people that my blog is somehow dangerous when it has no data of theirs to secure.

Nobody's saying there's some grand conspiracy. It's just differential supervision once again. Security people have a tendency to ignore usability because it makes their job harder. Similarly, Google has a tendency to standardize all websites to be easier for *them* (i.e. Google Chrome) to manage.

@akkartik @britt @jbond Without the content signature TLS provides, your blog could indeed be dangerous to the visitor coming from public networks like sponsored or free WiFi: DNS poisoning, content injection, traffic redirection and other MITMs.

@dpwiz @akkartik @britt Blogs especially, but also information websites have a tendency to be long running and have embedded images inserted years (even decades) ago that are served as http. So at least some of the content ends up being mixed http / https. Which then throws security warnings. Actually fixing all this can be a major piece of work.

@jbond @akkartik @britt Everything is broken in multiple places, I know. And until we jump over to GNUnet or something TLS we'd better work on the fixing and making fixing easier.

(Nevertheless, PKI delendam esse)

@jbond Exactly. Since most of those old pages don't tend to have ads, they're invisible to Google. Classic Authoritarian High Modernism (ribbonfarm.com/2010/07/26/a-bi)

/cc @dpwiz @britt