But how many systems do we really need here, though? Where do you draw the line? Can I have an RSS feed that's updated automatically when someone says something in IRC? I'll just sub to the RSS feed, but only if it also converts the text into Markdown so I can...
Why isn't Discord just enough? Or just IRC? Honestly I think this fragmentation that gets suggested is why a lot of projects fail; never stand the test of time: they try to be everything to everyone.
I agree but I honestly just don’t like Discord. Most of the time I use it on my mobile and my computer it chugs resources like there was no tomorrow. But this is just my opinion and yeah, it was just a suggestion, I wouldn’t have refused to join if it were only on Discord. Although for the event in question I was not able to attend because I overslept.
Looking forward to writing HTML together tomorrow at 2PM EST. You can join our Discord to share your writing/websites [1] during the freewrite.
Also we just wanted to share a little more about HTML Energy. It’s still coming together but here are some of our big dreams…
- Create a #web0 movement: We would love to see a new movement around web0 (coding HTML by hand, personal websites, webrings, etc). Basically anything that brings websites instead of platforms into the spotlight again. We are actually pretty inspired by all the energy that is going into web3 right now. What if that same energy and capital was going into web0? What could we create together?
- Rebrand HTML [2]: Some people think that HTML is outdated or hard to use. We think it’s actually pretty straightforward and really powerful stuff. Stripping away all the paint (CSS/JS) really makes the content the focus and there's a raw sincerity to an unstyled page. Our goal is just to get people excited about learning & writing HTML and this is our attempt at making it "cool."
- Getting HTML into schools: What if more people knew how to self host/publish? Would we depend on big platforms less? Would people begin making more small community websites to chat with their friends?
- Create another season of our podcast [3]. Last season we talked with so many incredible people that are trying to make the web a better place. Let us know if you listened and would want another season.
Hello, very interested in this, thanks for making this event. Maybe I’ll join tomorrow.
This is one of the few websites that don’t force you to use https even though it does have it! Impressive.
In the spirit of keeping things open and without a user account, I’d recommend setting up some Jitsi [0] conference rooms that don’t require an account.
> This is one of the few websites that don’t force you to use https even though it does have it!
That’s bad, not good. Cleartext HTTP is a nice idea for an ideal world, but that’s not the world we are in: it’s demonstrably a vector for abuse, both passive and active. Save for a very few specific use cases (captive portal detector being the main one), it is irresponsible to support cleartext HTTP for any purpose but redirecting to HTTPS, preferably with a Strict-Transport-Security header so that that particular user agent skips straight to HTTPS forever after.
It is true that this website has no password to steal, but a MITM attack could still be impactful. For example, a MITM attack could inject a <script> tag to run arbitrary client-side code. Any content that is served over HTTP has a risk of being swapped out by a MITM, which is why most browsers are nudging users to only visit HTTPS websites.
With that said, implementing security is a trade-off between your time and risk tolerance.
A variety of ISPs in different countries, including some of the biggest ones in the USA and India, have been performing MITM attacks on HTTP traffic for many years, injecting their own stuff, sometimes to notify you of service-related matters (which is a terrible way of delivering such notifications, especially when it breaks various pages for various reasons), but I’m pretty sure I’ve heard of at least one case of them injecting ads and other potentially malicious stuff too. ISPs as a class have proven themselves untrustworthy, time and time again. Doing anything in cleartext is just asking for them to mangle it.
And that’s just the active. The passive is pervasive too, and is an attack (RFC 7258). And so I use the term “irresponsible” of anyone running any web service except for a very few specific purposes over cleartext HTTP.
There are reasons why we’ve shifted from cleartext to TLS for everything, not just for things conveying sensitive data.
Not to argue against HTTPS, but it is not foolproof in case of a MITM on ISP level. I’m willing to be corrected here, but even if you (as a developer) use HTTPS, unless you are big enough that major browsers pin your certificates, initial connections still use HTTP—so a MITM can replace everything anyway, including presumably any HSTS headers you set; and if you (as a user) are conscious of that and use a private VPN that you trust, then serving a static website like the OP over HTTP shouldn’t be as much of an issue.
I wonder if more malicious code is served from questionable ads on HTTPS sites than from ISP MITM injections into HTTP sites.
Such an MITM-powered phishing attack is certainly possible, but in practice it’s not quite such a problem as it seems at first:
ⓐ With a suitable HSTS and max-age header, it’s roughly only the first time you access the site at all that you’ll go via HTTP;
ⓑ Anyone can submit their site to the HSTS Preload list <https://hstspreload.org>, which solves the problem completely for a particular site (including subdomains);
ⓒ It only applies to people typing in the URL manually: if your users come from a link from another site, that link should be HTTPS.
This final point is really the key to it all, and the place where I wish browsers would hurry up: they should be shifting to interpreting URLs typed into the address bar with no scheme as https:, not http:. There will certainly be some rough edges that need to be caught with it, and you might want to set IP addresses and a small number of names to default to HTTP, but even without that, Firefox’s HTTPS-Only Mode has all the required ingredients: if I type “neverssl.com” into my address bar, it pops up the about:httpsonlyerror page, “HTTPS-Only Mode Alert / Secure Site Not Available” with explanatory text and buttons “Continue to HTTP Site” and “Go Back”. They could do something like that specifically for typed URLs. (You might think “just downgrade automatically”, but that’s an attack vector—they can just block port 443—where requiring manual user intervention with a mildly scary warning mitigates it somewhat.)
The default really should be HTTPS by now. A little while after browsers all finally flip that specific thing over, I think we could collectively shut down port 80 for good, because no clients will ever try it any more.
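As an added example (not written by any commenter and not the site's own code), the following checks the two things this sub-thread argues about: that port 80 only redirects to HTTPS, and that the Strict-Transport-Security policy on the HTTPS response is effective and meets the preload-list requirements (max-age of at least one year, includeSubDomains, preload). The function names, the lowercase header dictionaries and the host `example.org` are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age accepted by hstspreload.org


def parse_hsts(value):
    """Parse an STS value (RFC 6797 section 6.1); None if a browser would
    ignore it (max-age missing or malformed, or a directive repeated)."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def audit(http_status, http_headers, https_headers):
    """Findings for one host; header dicts use lowercase names (assumption)."""
    findings = []
    target = urlsplit(http_headers.get("location", ""))
    if http_status not in (301, 302, 307, 308) or target.scheme != "https":
        findings.append("port 80 does not redirect to HTTPS")
    if "strict-transport-security" in http_headers:
        findings.append("HSTS sent over cleartext is ignored by browsers")
    policy = parse_hsts(https_headers.get("strict-transport-security", ""))
    if policy is None or policy["max_age"] == 0:
        findings.append("no effective HSTS policy on the HTTPS response")
    elif not (policy["max_age"] >= PRELOAD_MIN_AGE
              and policy["include_subdomains"] and policy["preload"]):
        findings.append("HSTS is set but does not meet preload-list requirements")
    return findings


if __name__ == "__main__":
    # Constructed responses for a hypothetical host, not captured traffic.
    print(audit(200, {}, {}))
    print(audit(301, {"location": "https://example.org/"},
                {"strict-transport-security":
                 "max-age=63072000; includeSubDomains; preload"}))
```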
I can't make it tomorrow, but I absolutely love the concept of a day for engineers to pair with those wanting and willing to learn. That's an awesome idea!
Thanks for this, and I really hope it's a success that you can build on. This is good stuff.
Sure! You don't really need to join the Discord (it's just extra like JavaScript).
We will be writing at 2-3PM EST so you can just join us telepathically and if you feel like sharing what you created leave it in a comment here or email us a link [1]. We would love to see!
I’ll try to at least be around to help people on Discord - I may use that time to set up Emmet and build my muscle memory, too, as I have a front end project coming up and haven’t written any substantial HTML in years.
My oldest daughter is 13 and I was planning on helping her set up a side project of her own; a simple static site for her to collect and document her knowledge of horses. I sent her the link. She was just asking about how Markdown got converted to HTML, and a solid foundation in HTML itself would be super helpful.
That seems to be 7 PM UTC. (PSA: if your event isn't geographically limited, please include the time in UTC too - a lot more people know the conversion from that than whatever your local time zone is.)
Sure! We understand that JavaScript and frameworks are nice to have but it feels like everyone depends on them too much these days.
It would be pretty cool if someone that has never made a website before, learned a little HTML, wrote an index.html, and published it on the www. Maybe that person never learns CSS, JS, or any framework and that's totally fine. We think that the simplicity and directness of HTML is what makes it powerful.