Re: A private Internet? (was: Re: Venting about forums.debian.net)
Hi,
On Tue, Jan 20, 2026 at 02:41:29PM -0500, rhkramer@gmail.com wrote:
> I wonder if a new more private Internet could be created on top of the
> existing Internet maybe where all participants communicate by VPN (or maybe
> all sites are encrypted (or have encrypted sections after an unencrypted
> portal)).
>
> I thought about (and quickly discarded) the idea that a new Internet could be
> created, with all necessary physical and non-physical infrastructure from
> which bad actors could simply be excluded. (Or kicked out if they are found
> to be bad actors.)
>
> I'm wondering if, as an alternative to that, some sort of private encrypted
> network could be created?
Can you expand upon this idea as it relates to, say, forums.debian.net?
It's already on HTTPS so it's already encrypted.
It could easily refuse to display any content whatsoever unless you
were logged in as a registered user. There are fairly obvious reasons
why they do not choose to run it that way.
Instead of usernames and passwords it could authenticate via client
certificates that it issued on registration. The downsides of that sort
of approach are well known.
At the heart of the problem is that people running services like
forums.debian.net¹ do not want to make it difficult for reasonable
clients to access their data. What we lack are good ways to separate
reasonable and unreasonable clients without making access too difficult.
You could choose to expand this notion beyond the individual site, so
instead of it being forums.debian.net working out its own authentication
scheme there were some central service managing the identities of the
users. The benefit here would be that it would be easier to enrol users
since they would need to do so for multiple services. Once enrolled they
have easy access to everything using that scheme. The nasty downside is
that this provides an attractive target for personal information leakage
and it's still pretty annoying to use. In the real world the only setups
like this are either single sign on for workplaces or other institutions
where it's a requirement to use it, or they are mandated by law like the
recent crackdown on access to sexually explicit content. Which is not
going well.
Decentralized identity providers exist that can be self-hosted, like
OAuth. These are highly obscure and probably a dead end: anything that
can be self-hosted can be abused to create infinite identities.
Important services won't want to trust an identity provider that they
don't control, again unless mandated to by law.
In a walled garden where the state issues you an electronic ID and
provides the services to authenticate that ID, it ought to be possible
to create even third party services that could reason about their users
without necessarily having to know exactly who they were. e.g. "This
HTTP client is providing an access token that belongs to a citizen of
Elbonia as attested by the Elbonian government, so I'll let them view my
whole site. Oh, they are now being abusive, so please revoke that token
and don't issue any more to that citizen for the next 30 days."
That technology exists, but the governance doesn't, as far as I am
aware. Maybe the current unpleasantness will force it to come into
existence, though I suspect that no government will be visionary enough
to do a good job of it, preferring to take easier solutions that they
understand better, like passing laws that make it other people's
problem.
Thanks,
Andy
¹ This is just my opinion as a generalisation. I don't have any insight
into the actual thoughts of the operators of forums.debian.net. I
don't even know who they are and I'm not a user of it myself.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
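
As an added illustration of the attested, revocable access token described in the message above (this is not part of the original e-mail and not the API of any real eID system): a Python example in which the issuer hands each service a per-service pseudonym, so the service can recognise and report a user without learning who they are. The `Issuer` class, its method names, the citizen ID format and the use of HMAC with verification done by asking the issuer are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

BAN_SECONDS = 30 * 24 * 3600  # "the next 30 days" from the message


class Issuer:
    """Hypothetical state ID service: the only party that sees citizen IDs."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the issuer
        self._live = {}          # (pseudonym, service) -> current token id
        self._banned_until = {}  # (pseudonym, service) -> unix time

    def _mac(self, text):
        return hmac.new(self._key, text.encode(), hashlib.sha256).hexdigest()

    def issue(self, citizen_id, service, now):
        # Pairwise pseudonym: stable for one service, unlinkable across services.
        pseud = self._mac(f"pseudonym|{citizen_id}|{service}")[:16]
        if now < self._banned_until.get((pseud, service), 0):
            return None  # still inside the ban window
        token_id = secrets.token_hex(8)
        self._live[(pseud, service)] = token_id  # replaces any older token
        return f"{token_id}:{pseud}:" + self._mac(f"token|{token_id}|{pseud}|{service}")

    def verify(self, token, service):
        """Return the pseudonym if the token is genuine and live for this service."""
        parts = token.split(":")
        if len(parts) != 3:
            return None
        token_id, pseud, mac = parts
        expected = self._mac(f"token|{token_id}|{pseud}|{service}")
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None  # forged, or issued for a different service
        if self._live.get((pseud, service)) != token_id:
            return None  # revoked or superseded
        return pseud

    def report_abuse(self, token, service, now):
        """Called by the service: revoke the token and start the 30-day ban."""
        pseud = self.verify(token, service)
        if pseud is None:
            return False
        del self._live[(pseud, service)]
        self._banned_until[(pseud, service)] = now + BAN_SECONDS
        return True
```

The service only ever handles the token and the pseudonym returned by `verify`; the mapping back to a citizen stays with the issuer, which is also why the issuer becomes the attractive target the message mentions.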