It’s been an embarrassingly long time since my last post here. Let’s do both of us a favor and skip over that, shall we?
There’s been a campaign recently to push websites to use SSL. You’ll notice that your browser shows you’re viewing this blog post under some “https” url, and there might even be some secure lock icon, provided I’ve got things set up correctly and your browser provides those sorts of indications.
SSL is a good thing. The fact that your browser is using an https url means that the content you’re getting definitely came from me, and not some evil person hijacking your coffee shop of choice’s wifi. BUT!
The Cabal of Kinda Evil People
When you visit an http domain, you’re just assuming that the content you receive came from the sender. With https, there’s a certificate provided as well. My website says “hey, here’s some bloggy stuff, and also, here’s my ID”. Your browser then verifies that ID before showing you the content. Aaaaand if you’ve tried to visit this site over the past month or two…your browser has probably complained loudly.
That’s because I don’t get to just give myself an ID. There’s a cabal of rather evil people who offer IDs that I can purchase for a hundred dollars or so a year. I could just make my own ID, but your browser will reject it. So instead, I have to appeal to companies that are already trusted by your browser, and give them money to agree that I am who I say I am. Then when your browser tries to check my ID, it’ll see that the Internet Mafia vouches for me, and you get this lovely post to read.
As you may have inferred from this subheading, I’m not a fan of this structure.
The Free Internet Authentication Savior
There’s a service called Let’s Encrypt. They offer certificates for free, which is pretty awesome. Somehow, they managed to get enough credibility that browsers will recognize their certificates, and that’s pretty great. I’m still not a fan of centralized certificate authorities, but hey, domain name resolution is centralized too, and I’ve only got so much complaineypants energy to go around.
Anyway, I grabbed one such certificate, and I set this site up, using Amazon Web Services. It was great. I had things caching and hosted cheaply; things were behind a delivery network so folks across the globe could read my stupid tiny blog super fast. I was very excited.
Then my ID expired.
Let’s Encrypt has decided that it’s a good idea to expire these IDs every three months. It was a real pain to get validated the first time with content hosted on Amazon, and once I finally managed to get Let’s Encrypt to validate that I was who I said I was, get Amazon to take that certificate and put it in the right place…I forgot everything about the process.
Too Much Friction
I ended up just letting the site be dead for a while, because I didn’t have the energy to bother reconfiguring things (especially given that I’d have to reconfigure again in another three months). But now I’ve said “To hell with Amazon”, and just thrown things up on a small little server of my own. It’s not as nice and fast, but at least I can manage things decently.
But I don’t like this. I don’t like that we’ve made it incredibly difficult (and, barring Let’s Encrypt, which isn’t newbie-friendly, expensive) to host your own content on the internet. This whole software-as-a-service thing I’m sure has made a ton of money for WordPress and Squarespace and everybody else, but it centralizes control.
Maybe I’m whining over nothing. But it seems like every year, it becomes more and more challenging for people to do things their own way on the internet. We just keep adding more and more friction.