# I am the Watcher. I am your guide through this vast new twtiverse.
#
# Usage:
# https://watcher.sour.is/api/plain/users View list of users and latest twt date.
# https://watcher.sour.is/api/plain/twt View all twts.
# https://watcher.sour.is/api/plain/mentions?uri=:uri View all mentions for uri.
# https://watcher.sour.is/api/plain/conv/:hash View all twts for a conversation subject.
#
# Options:
# uri Filter to show a specific users twts.
# offset Start index for quey.
# limit Count of items to return (going back in time).
#
# twt range = 1 32
# self = https://watcher.sour.is/conv/4xke5sa
Almost a year ago, a committed a patch to my browser that made it default to HTTPS. So when I enter foo.com, goes directly to https://foo.com, instead of going to http://foo.com and โhopingโ for a redirect.
I think today was the first time that this didnโt work. ๐ค A web server had misconfigured HTTPS, only HTTP worked.
Almost a year ago, a committed a patch to my browser that made it default to HTTPS. So when I enter foo.com, goes directly to https://foo.com, instead of going to http://foo.com and โhopingโ for a redirect.
I think today was the first time that this didnโt work. ๐ค A web server had misconfigured HTTPS, only HTTP worked.
Almost a year ago, a committed a patch to my browser that made it default to HTTPS. So when I enter foo.com, goes directly to https://foo.com, instead of going to http://foo.com and โhopingโ for a redirect.
I think today was the first time that this didnโt work. ๐ค A web server had misconfigured HTTPS, only HTTP worked.
@movq Its pretty easy to get wrong honestly ๐
That is, its pretty easy to misconfigure a web server to do HTTP -> HTTPS redirects ๐คฃ and end up causing redirect loops ๐
@movq Its pretty easy to get wrong honestly ๐
That is, its pretty easy to misconfigure a web server to do HTTP -> HTTPS redirects ๐คฃ and end up causing redirect loops ๐
@prologic Sure, that can happen. ๐
(If browsers defaulted to using HTTPS, such a redirect would not be required โ anymore. Maybe the time has come for browsers to do that?)
@prologic Sure, that can happen. ๐
(If browsers defaulted to using HTTPS, such a redirect would not be required โ anymore. Maybe the time has come for browsers to do that?)
@prologic Sure, that can happen. ๐
(If browsers defaulted to using HTTPS, such a redirect would not be required โ anymore. Maybe the time has come for browsers to do that?)
@prologic Sure, that can happen. ๐
(If browsers defaulted to using HTTPS, such a redirect would not be required โ anymore. Maybe the time has come for browsers to do that?)
@movq Maybe... I mean I can't think of any reason not to, thinks like [minica])(https://github.com/jsha/minica) basically make generating a CA and Certs essentially a breeze, so there's no reason why browsers can't just default to HTTPS -- even for local development.
@movq Maybe... I mean I can't think of any reason not to, thinks like minica basically make generating a CA and Certs essentially a breeze, so there's no reason why browsers can't just default to HTTPS -- even for local development.
@movq Maybe... I mean I can't think of any reason not to, thinks like minica basically make generating a CA and Certs essentially a breeze, so there's no reason why browsers can't just default to HTTPS -- even for local development.
@prologic I have to say, these automagical methods that generate certificates and keys on the fly make me very nervous, securitywise. I think they defeat some of the purpose behind certificates: an automated system is not really an "authority".
that said, i have caddy with Let's Encrypt sitting in front of my yarn pod, so.....can't beat the convenience.
@abucci You are right, I often wonder how secure those Certificate Authorities (CA) _really_ are in the first place and how _much_ they can or cannot be trusted ๐
@abucci You are right, I often wonder how secure those Certificate Authorities (CA) _really_ are in the first place and how _much_ they can or cannot be trusted ๐
@prologic @abucci The entire public key infrastructure is kinda a joke, tbh. Let's Encrypt made HTTPS free, but in practice that mostly just means malware can be delivered securely to your PC. EV certs made a lot more sense, but Google had to deprecate those, VMC appears to be a potentially worthy replacement though.
@ocdtrekkie @prologic clearly we're all just going to have to meet up and have a key exchange party, preferably somewhere sunny and nice. ๐๐
@ocdtrekkie
> A Verified Mark Certificate (VMC) is a digital certificate issued by a certificate authority that verifies logo ownership. Your logo must be a registered trademark before receiving a VMC. A VMC verifies that your organization is the legal owner of your brand logo. Using a logo with a VMC helps prevent spammers and other malicious users from ...
Uggh that basically makes open source and hobbyist stuff impossible ๐ณ
@ocdtrekkie
> A Verified Mark Certificate (VMC) is a digital certificate issued by a certificate authority that verifies logo ownership. Your logo must be a registered trademark before receiving a VMC. A VMC verifies that your organization is the legal owner of your brand logo. Using a logo with a VMC helps prevent spammers and other malicious users from ...
Uggh that basically makes open source and hobbyist stuff impossible ๐ณ
@abucci Me neither! ๐ข Not unless you include my mug shot (face) ๐คฃ
@abucci Me neither! ๐ข Not unless you include my mug shot (face) ๐คฃ
@prologic It does, but EV was already just prohibitively expensive. It's very hard for corporations to distinguish between malware authors and hobbyist developers, unfortunately.
@abucci Well in this case the problem is that corporations tend to make and control all the web browsers.