-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove MVPS HOSTS because it does not support HTTPS in 2019 #484
Comments
He removed the list a few hours after this was posted. I decline, removing the list exactly at that time is quite curious and downright insensitive -- the list is and has been useful for countless people, and the author stated he would still keep maintaining the list despite his unfortunate health issues. Whoever is bothered by non-HTTPS connection is free to not use the list, it's opt-in. |
Why not request the author to get a HTTPS cert from Lets Encrypt instead ? It's free for starters. |
To Gorhill: Good points for the time being. I was completely unaware of the Reddit thread or of Burgess' recent problems. |
How did you conclude that I have seen that post? I wanted to remove that filter list for a long time, and decided to do it last weekend after being reminded by NanoMeow's log. Considering that I already have enough things to do, if I want to police which filter have not been updated for a while, As you probably know, after this incident, I have created a response protocol in order to properly respond to future incidents -- I still disagree with the way you handled that incident as removing the filter from Being privacy and security conscious, you should have known better about the implications of unencrypted traffic. In order to ensure the integrity of my assets mirror, I cannot let NanoMeow to download filter lists over an insecure protocol. I have voiced my concerns 10 months ago and 5 months ago about issues related to filters served over HTTP. There is no excuse to not use HTTPS in 2019 (actually, in any year after 2016) as Let's Encrypt offers free certificate to everyone. I understand that the author is having health problems recently, but that does not justify not installing a certificate before that as Let's Encrypt is available for years now. I probably will give the author some more time if I knew he was sick, but what's done is done, and he had more than enough time to secure his site before he fell sick -- especially if he claims himself as a MVP.
That is still not an excuse for you to promote it. You have better knowledge about privacy and security than the average user, and you should not make it easier for people to shoot themselves in the foot. |
Oh, also, |
With outdated software and unmaintained servers, it's just a matter of time when the server is hacked and taken over. This is about "when", not "if".
This is downright irresponsible. How could this person claim himself a "most valuable professional" when he unprofessionally ignores significant security issues of his hosting setup? With the time he spent to respond to the email above, he could've mirrored his website to GitHub Pages or something. You know what, maybe I'm missing something. Or maybe @gorhill has some special or personal connections with this person that I'm not aware of. Either way, I don't want to be part of the problem -- I'll also donate $10 if the hosting issues can be resolved and the list is re-licensed under a recognized open source license. |
Partially speaking on behalf of @jspenguin2017, who six days ago chose to remove MVPS HOSTS from Nano Adblocker in NanoAdblocker/NanoCore2@7e708d2, we agreed on bringing up the matter with you guys at uBlock Origin as well.
Not only is MVPS HOSTS not using HTTPS in the year 2019, as one of very, very few adblock lists remaining to not do so, but it will probably never ever get HTTPS for several reasons.
You see, as far as I personally understand the situation, the domain mvps.org was created in the very early 00's to serve as a hub for some members of the Microsoft MVPs program. There's probably a reason why his subdomain has the year 2002 in it, after all; as well as why he use webpage stickers dedicated to Kim Komando and the XP-era Microsoft MVPs logo.
Many years later, WordMVP alleges that mvps.org shut down in January 2017, and that everyone who used to be there moved away from it except the MVPS HOSTS guy. Thus he is now left on a domain that has no technical support whatsoever, that he doesn't own, whose current domain owner doesn't give a darn about anything, and which he seemingly can't do any serious technical changes on whatsoever.
Jspenguin also (as far I understand him) expresses worries about whether the list's licence, https://creativecommons.org/licenses/by-nc-sa/4.0/, is a sufficiently open-source licence for it to really count as being open-source.
I would previously have requested changing the list's sync-link to https://raw.githubusercontent.com/StevenBlack/hosts/master/data/mvps.org/hosts, but as that mirror is not updated instantly, but usually on a delay of several days, I think that just removing the list entirely would've been preferable.
The text was updated successfully, but these errors were encountered: