I agree with pretty much everything on that page except:
> Web page annoyances that I don't inflict on you here / I don't use visitor IP addresses outside of a context of filtering abuse.
This point bit me personally about 5 years ago. As I browsed HN at home, I found that links to her website would not load - I would get a connection timed out error. Sometimes I would bookmark those pages in the hopes of reading them later. By accident, I noticed that her website did load when I was using public Wi-Fi or visited other people's homes.
I assumed it was some kind of network routing error, so I emailed my Canadian ISP to ask why I couldn't load her site at my home. They got back to me quickly and said that there were no networking problems, so go email the site operator instead. I contacted Rachel and she said - and this is my poor paraphrasing from memory - that the IP ban was something she intentionally implemented but I got caught as a false positive. She quickly unbanned my IP or some range containing me, and I never experienced any problems again. And no, I never did anything that would warrant a ban; I clicked on pages as a human user and never botted her site or anything like that, so I'm 100% sure that I was collateral damage for someone else's behavior.
The situation I saw was a very rare one, where I'd observe different behaviors depending on which network I accessed her site from. Sure, I would occasionally see "verification" requests from megacorps like Google/CAPTCHA, banks, Cloudflare, etc. when I changed networks or countries, but I grew to expect that annoyance. I basically never see specific bans from small operators like her. I don't fault her for doing so, though, as I am aware of various forms of network and computer system abuse, and have implemented a few countermeasures in my work sporadically.
> I don't force you to use SSL/TLS to connect here. Use it if you want, but if you can't, hey, that's fine, too.
Agreed, but I would like HN users to submit the HTTPS version. I'm not doing this to virtue-signal or anything like that. I'm telling you, a number of years ago when going through Atlanta airport, I used their Wi-Fi and clicked on a bunch of HN links, and the pages that were delivered over unsecured HTTP got rewritten with injections of the ISP's ads. This is not funny and we should proactively prevent that by making the HTTPS URL be the default one that we share. (I'm not against her providing an HTTP version.)
As for everything else, I am so glad that her web pages don't have fixed top bars, the bloody simulated progress bar (I like my browser's scrollbar very much thank you), ample visual space wasted for ads (most mainstream news sites are guilty), space wasted mid-page to "sign up to my email newsletter", modal dialog boxes (usually also to sign up to newsletter), etc.
> As I browsed HN at home, I found that links to her website would not load
Thanks for mentioning this, because I was having the same issue and I was surprised no one was mentioning that the site was (appeared to be) down. Switching to using a VPN made the post available to me.
It's probably reasonable to use HSTS to force https-aware browsers to upgrade and avoid injection of all the things she hates. Dumb browsers like `netcat` are not harmed by this at all. But even then ... why aren't you using `curl` or something?
> It's probably reasonable to use HSTS to force https-aware browsers to upgrade and avoid injection of all the things she hates.
There's a broad spectrum between a browser that is "aware" of https and a browser that has all the cipher suites, certificates, etc to load a given page.
If a browser does not support modern TLS (SSL), it probably also has unpatched security flaws. Unpatched browsers should never be used on the Internet because they will get hacked.
Sure but as a server operator, who cares? I already have zero trust in the client and it's not my job to punish the user for not being secure enough. If they get pwned, that's their problem.
Unless I'm at work where there's compliance checkboxes to disallow old SSL versions I'll take whatever you have.
> Web page annoyances that I don't inflict on you here / I don't use visitor IP addresses outside of a context of filtering abuse.
This point bit me personally about 5 years ago. As I browsed HN at home, I found that links to her website would not load - I would get a connection timed out error. Sometimes I would bookmark those pages in the hopes of reading them later. By accident, I noticed that her website did load when I was using public Wi-Fi or visited other people's homes.
I assumed it was some kind of network routing error, so I emailed my Canadian ISP to ask why I couldn't load her site at my home. They got back to me quickly and said that there were no networking problems, so go email the site operator instead. I contacted Rachel and she said - and this is my poor paraphrasing from memory - that the IP ban was something she intentionally implemented but I got caught as a false positive. She quickly unbanned my IP or some range containing me, and I never experienced any problems again. And no, I never did anything that would warrant a ban; I clicked on pages as a human user and never botted her site or anything like that, so I'm 100% sure that I was collateral damage for someone else's behavior.
The situation I saw was a very rare one, where I'd observe different behaviors depending on which network I accessed her site from. Sure, I would occasionally see "verification" requests from megacorps like Google/CAPTCHA, banks, Cloudflare, etc. when I changed networks or countries, but I grew to expect that annoyance. I basically never see specific bans from small operators like her. I don't fault her for doing so, though, as I am aware of various forms of network and computer system abuse, and have implemented a few countermeasures in my work sporadically.
> I don't force you to use SSL/TLS to connect here. Use it if you want, but if you can't, hey, that's fine, too.
Agreed, but I would like HN users to submit the HTTPS version. I'm not doing this to virtue-signal or anything like that. I'm telling you, a number of years ago when going through Atlanta airport, I used their Wi-Fi and clicked on a bunch of HN links, and the pages that were delivered over unsecured HTTP got rewritten with injections of the ISP's ads. This is not funny and we should proactively prevent that by making the HTTPS URL be the default one that we share. (I'm not against her providing an HTTP version.)
As for everything else, I am so glad that her web pages don't have fixed top bars, the bloody simulated progress bar (I like my browser's scrollbar very much thank you), ample visual space wasted for ads (most mainstream news sites are guilty), space wasted mid-page to "sign up to my email newsletter", modal dialog boxes (usually also to sign up to newsletter), etc.