Wandering Thoughts archives

2015-08-23

I think you should get your TLS configuration advice from Mozilla

If you decide that you care about having good TLS support in, say, a web server and look around, there are a lot of places that will tell you all about what configuration you should have in order to be secure and widely available and so on. Old ones live on in their dusty now-inaccuracy (TLS configuration advice has a half-life of six months at most) and new ones spring up every so often. Many of them contradict each other in whole or in part. The whole thing is one of the frustrations of good TLS in practice.

Given this, I've wound up with the strong opinion that you should be getting your TLS configuration advice from the Mozilla server side TLS configuration guide. It's certainly become my primary source of configuration guidelines and I've been happy with the results.

(Other worthwhile resources are the Mozilla web server config generator and the Qualys SSL Server Test. Note that I've seen some people disagree with the SSL server test's scoring of some things.)

The advantage of Mozilla's guide isn't just that it seems to be good advice. It has two important virtues beyond that, virtues that I feel make it trustworthy. First, it's actively maintained by people who know what they're doing. Second, it's such a visible and public resource that I think any bad advice it has is very likely to produce reactions from knowledgeable outsiders. Some random person writing an article with bad TLS advice is yawn-worthy; there might be a little snark on Twitter but that's probably it. Mozilla getting it wrong? You're very likely to hear a lot of noise about that.

Other TLS configuration advice may be perfectly good, well maintained, and written by people who know what they're doing (although my experience leads me to believe that it often isn't). But as an outsider it's much harder to tell if this is the case and to spot if (and when) it stops being so, which makes using the advice potentially dangerous.

GetTLSConfigsFromMozilla written at 00:04:12

2015-08-02

My view on the potential death of the ad-supported web

Partly due to the impending release of iOS 9, a certain amount of angst has been written lately about the potential future growth of adblocking on the web. One of the things often written in such articles is more or less 'how will you like it if widespread adblocking kills the ad-supported web?' Well, it's funny you should mention that.

I'm sure that in the short term I would hate the decline of the ad-supported web. Like pretty much everyone, I visit plenty of ad-supported websites every day and use a certain number of ad-supported services like Twitter. Having them go away or become paywalled would be disruptive and quite unwelcome; it's already annoying enough when I follow a link and hit a paywall and the more often that happens the more annoying it would be.

But in the long term? In the long term I'd be fine, and such a shutdown would probably even be good for me. The reality is that essentially all of the ad-supported sites I visit are diversions. They're entertaining and informative and amusing and above all absorbing, because that's what the modern web has driven such sites to be, but they're not essential or even important; they're just how I pass time on the Internet right now. These sites are very good at getting me to visit and to spend time on them, but while that is (currently) good for the sites that is not necessarily good for me. In many ways I'm a rat pressing a lever for an intermittent reward, even if the reward is fun; it's almost all a giant distraction that drains my time in little increments.

(This includes newspaper sites, by the way. Knowing the news, especially in detail and up to the minute, is not essential or even important for me or many other people.)

The sites and services that I really care about are almost entirely boutique products of passion, and they're mostly going to continue for as long as that passion lasts. Oh, some would die when their 'free' ad-subsidized hosting dried up, but the cost of hosting your own website has fallen to amazingly cheap levels today. A good number of the people who care would continue in various ways and forms.

The hard reality is that the Internet was a perfectly fine place in the days before ad-supported things were a thing. The Internet inhabitants back then found plenty of ways to spend our time, just as we do today; they were just different ways. In fact many of those old diversions are still around today, lurking in the corners and ready to be revived if needed. To the extent that the Internet was less diverting in the old days, well, I got other things done, often more in-depth things than constantly following Twitter and other sources of chatter and diverting links. I wouldn't entirely mind going back to that world, even if I lack the willpower to move there on my own.

(If Twitter went away, for example, I'd expect several of my online communities there would wind up on IRC channels. Or someone would put together a boutique version of Twitter for the small community. What makes Twitter hard is not the basic features, it's the scale. Drop the scale and you can support a few thousand people on a cheap virtual server.)

By the way, I have to admit that all of this rests on the assumption that not absolutely all of the ad-supported Internet will dry up, just a lot of it. I would be fairly badly affected if Internet search stopped existing, and that's ad supported. But I don't think adblockers have any chance of killing that, whereas they do have a chance of killing even things like major newspaper websites.

(People who use Gmail et al are also probably fairly safe, and things like GitHub are not ad-supported. As for e.g. Firefox development, well, we'll have to cross our fingers there.)

AdSupportedWebDeathView written at 00:31:54

