But since you brought this up, I must confess, I have one itching curiosity: does Chrome still support plain HTTP? I bet it does, doesn't it? In fact you've probably used it to comment on this blog. Which goes to show that for all of Google's yapping about "making the web more secure", they've also failed.

From what I can tell, it pretty much went this way: first they told everyone that SSL is required as a catch-all for web content authentication -- and encryption, but that's besides the point. Then they (and Let's Encrypt or whatevs) lowered the bar to SSL certificates, so that everyone and their dog could avoid being labeled as "not secure", but at the cost of some terrible UX, employing warnings and whatnot, including for sites such as this one. Meanwhile, naturally, the bad guys also designed their sites using the same PKI mechanism. So then the PKI peddlers made a two-tier system, which would only show some sites using the green padlock. So then the bad guys got really smart -- which no one could have predicted, amirite? 'cause y'know, researchers aren't paid to think, they're paid to research -- and they made sites that perfectly replicate the originals, using similar domain names to the originals.

So from what I've heard, since nowadays the average folks can no longer tell the originals from the scams, and to turn things into a true Kafkian nightmare, Google has employed... blacklisting. Which I bet uses all that AI sauce behind the scenes for classification, so when you're opening a new site, it will be blacklisted by default. True story bro, I'm really not talking from my ass.

So then tell me, what have Google succeeded in this period of almost eight years? They sure as hell haven't made the web safer; they haven't even managed (as I thought back in 2017) to co-opt the field, since here I am still using HTTP 1.1 to deliver whatever version of HTML/CSS content which, as you said, just renders. The only thing that they're sorta managing, from what I can tell, is to make people flock towards LLMs, making that and a couple of other sites their only gateway to the internet.

I for one don't mind, so long as I stay as far away as possible from all this garbage.

Sounds stupid. Google Chrome does support HTML version 4 & absence of CSS or downloadable fonts will not prevent Google Chrome from displaying HTML page.

LE: I tried some htaccess voodoo that should hopefully fix the issue. Until next time, I'm sure.

So now everyone is sorta kinda filling the "tech space" with this discussion on attestation, meaning, in short, that in order to access Google or Apple or some other big fish, your browser should no longer be yours. In other words, it should perform an incantation based on some inputs that are controlled by the vendor and which attest that said software comes from a "trusted source". In practice, this means that the browser will have to rely on some chain of trust originating in the hardware, much like DRM does for example.

On one hand: boss, didn't you have like, client-side certificates for that?

On the other hand: do you see how this is a shoddy reimplementation of the WoT, with Google and Apple as top nodes?

On yet another, third, alien hand: do you see how this creates a system of agreements between these corporations, a la "I'll suck yours if you suck mine", since now everyone is going to keep a whitelist of vendors they like, which will come from Inca itself. For example, good luck using a Huawei phone in the US if or when this is implemented.

I guess the bottom line is, let 'em have their HTTPS and their attestation and whatnot. We can do well without them wonders of modern technology, with our retrograde HTTP implementations from times now gone, and with our other various super sikrit tools.