←back to thread

408 points blindgeek | 3 comments | | HN request time: 0s | source
Show context
jchw ◴[] No.42173090[source]
I hope we can end the CAPTCHA experiment soon. It didn't work.

Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.

Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:

- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.

- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.

It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.

Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.

replies(15): >>42173427 #>>42173571 #>>42173573 #>>42173636 #>>42173652 #>>42173854 #>>42174051 #>>42174079 #>>42174452 #>>42174502 #>>42174730 #>>42174882 #>>42175601 #>>42175632 #>>42175764 #
Telemakhos ◴[] No.42173427[source]
This doesn’t feel so much like the end of the “open web” as it does a rehash of USENET and email spam issues. Social media killed USENET, and email managed its spam issues thanks to filtering.
replies(2): >>42173566 #>>42173684 #
1. jchw ◴[] No.42173566[source]
Email kind of solved its SPAM issues, but it came at great costs. It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures. The degree of difficulty with participating in the network does somewhat degrade its openness in my opinion.

If anything works in the favor of email it is that email is not published. It is not necessary very private inherently, but it is at least not a system where things get broadcasted publicly. IMO this limits the value of spamming people over e-mail: you have to send a very high volume of e-mail to SPAM effectively over e-mail, and this high volume use pattern is not something that ordinary users will ever engage in, so it's easy to at least separate out "possible SPAM operation" versus "guy sending email to a friend". (I'm not saying that systems are necessarily perfect at distinguishing one from the other, but at the very least it would be hard to mistake the average Gmail account for being part of a massive SPAM operation. The volume is just too low.)

I hope the open web survives, but if e-mail is any kind of sign, it's not a great one in my opinion.

replies(1): >>42173766 #
2. martin_a ◴[] No.42173766[source]
> It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures.

In the roughly 25 years that I've used shared webhosting to have my own domainname and mailboxes, deliverability was never an issue. Never tried to send thousands of mails though, so...

replies(1): >>42173988 #
3. jchw ◴[] No.42173988[source]
I have been running web services for around 22 years I believe. At the very beginning, I had zero problems with deliverability to most addresses. However, even early on, I do remember plenty of forums that mentioned that Yahoo! or Hotmail tended to drop their confirmation e-mails into SPAM. Smaller operators had an advantage in being lower volume; I think that gives you a higher likelihood of delivery. That said, their emails are also more likely to get caught up in SPAM filters without remediation.

Something has changed recently, though. I have found it increasingly hard to even get an IP that is not blocked anymore. I recently migrated a VPS that was almost 10 years old that was running its own e-mail services, and after a lot of struggling... I gave up. It now has to go through an SMTP proxy to send e-mail. This bums me out, but after multiple attempts to get an IP that worked, I gave up. The provider did tell me that I was grandfathered in to have outgoing SMTP enabled on my servers (something that new users do not have by default, by the way) but recommended I stop using it.

Is the network open? Yes. Does everyone have deliverability problems? Probably not. But maybe another question: If you did have deliverability problems to some major provider, would you even know about it? If you're not very high volume, maybe not!