web0 manifesto

“…web0 is web3 without all the corporate right-libertarian Silicon Valley bullshit.”


Sign your name and join me in starting the year as you mean to go on: without tolerating any bullshit.

Happy New Year! :)

#web0 #SmallWeb #SmallTech

G’morning folks, how lovely to wake up and see the new signatures on the web0 manifesto


By the way, if you are having trouble signing because your email server implements an archaic anti-spam technique called greylisting. I’m going to look into adding basic support for it but please also contact your email provider and remind them it’s 2022. Spammers have long worked around greylisting. Today, it just makes things harder for legitimate small web use cases.

Also, some folks have mentioned on the fediverse that they don’t have a web site to link to… please feel free to use the link to your fediverse account (Mastodon, etc.)

But please don’t link to people farmers like Twitter, Facebook, etc., or to sites with trackers from them.

I’m going to look through the links today and contact you to see what we can do if any look problematic.



Finally, a couple of you have reported not being able to add your site if it doesn’t load over a secure connection (TLS).

That’s by design :)

It’s 2022 and we should all be doing our best to encourage good practices. HTTP is not secure. It means people who visit your site could be hit with man-in-the-middle attacks.

Thankfully, we have a free/automated way to implement TLS now with Let’s Encrypt.

And servers like Site.js (sitejs.org) do it automatically for you.


@aral I am a big fan of and use it on many systems. However, there is a legitimate opposing viewpoint: 1) it prevents self-sufficiency; 2) A small set of large orgs decide who's a legit CA for billions; 3) Let's Encrypt won't issue certs for countries the USA has sanctioned.

author has expressed his thoughts in more detail on this: lists.cypherpunks.ru/archive/n and lists.cypherpunks.ru/archive/n and lists.cypherpunks.ru/archive/n . It led me to hosting a TLS mirror of the site

@aral Alternatives to [thread]

There are lots of alternatives to TLS out there. At the protocol layer, things such as and can make things secure. , like @cjd 's () before it, is an overlay network where every target IP is essentially a public key. also helps here.

@aral @cjd Alternatives to 2/

Moving up a layer, TLS can be used without public CA infrastucture (eg, ) by exchanging key validation information in other means. Also, the protocol is a viable TLS alternative in many cases.

@aral @cjd Alternatives to 3/

Multiple app-level projects exist to build a distributed Internet (or web), and most of them have E2E encryption built in. Examples: and /#Hyperdrive as distributed filesystems/websites, for general communication, (gossip) for social, for data sync, for asynchrnous transfer, and for E2E IM, etc.

@aral @cjd Alternatives to 4/

TLS only protects data in motion. It does not protect against, eg, hacked webserver. Things such as ( or ) signatures still have a place and prove more about authenticity than TLS does. With signed content, in fact, TLS is much less useful (maybe preventing an attacker from showing you outdated content) which is why many Debian mirrors -- whose content is fully authenticated by apt -- have historically been non-https.

@aral @cjd Alternatives to 5/

Projects such as aim to put many of the technologies I've mentioned here, and then some (eg, ) in the hands of people via very low cost hardware and Open Source software on it.


@aral @cjd Alternatives to end/

If you're thinking of and and a , think about security more broadly than TLS. TLS is useful, but the security story is more broad than that. I could go on: hidden services, , , etc., are all things that secure without TLS. Many of the things I've mentioned secure BETTER than TLS, at least on some respects.

should be broad, about all this!

@jgoerzen @cjd Indeed. I see Small Web as one approach to web0. We need many.

@aral @cjd Yes! Perhaps I understood web0 to encompass the many. I believe, by the way, that the days of an individual being able to easily run a public webserver on the likes of a Pi at numbered, or maybe already past. Internet access is common, but listing on port 443 on a stable IP with enough power to withstand the routine bad actors isn't. It may not be exactly, but we desperately need some sort of decentralization to make this feasible.

@aral @cjd My own website - which is good enough to usually withstand a mention on Hacker News - runs on a grunty box in an OVH data center. It isn't even popular at all, but it's been decades since I could host it at home. The attacks come in at many requests per second usually. It would never survive anything "going viral". Yes people can rent server or hosting space in whatever form, but real power to the people requires more aggressive decentralization.

@aral @cjd But still, those things aren't really here yet, so incremental improvements are needed and welcome!

@aral @cjd Let me summarize this way: the effort should focus on the concept of the decentralized web (free hypertext linking across the globe, embedded media, low-ftiction publishing, etc.) rather than tying to a specific contemporary protocol that may or may not really be able to usher in that kind of reality.

Sign in to participate in the conversation

For people who care about, support, or build Free, Libre, and Open Source Software (FLOSS).