Goodbye Plato

SMTP MTA Strict Transport Security has to be one of the most confused RFCs ever published. The goal is to allow SMTP receivers to inform senders that fully validated TLS should be used. I implemented it for my domain years ago but didn’t think too much of it. But now I am going to implement it for FeedMail and am realizing how poorly designed it...

I recently took a trip to the Yukon (and two days in Alaska) with my partner Elaine. The trip was mostly hiking focused and generally enjoying the nature. We took almost two weeks which was a good amount of time for us. Enough to not rush and soak in a lot of nature but not so long that our legs really started hurting and we started missing the...

CORS, and the browser’s same-origin policy are often misunderstood. I’m going to explain what they are and what you need to do to stop worrying about them.Note: I’m going to talk about CORS and the same-origin policy as one thing and use the terms mostly interchangeably. This is because they are basically one system, they work together to decide...

I like SemVer. However, there is one important use case that I wish it supported better. This is what I’ll call “rolling deprecation”.The idea is simply that instead of removing APIs in a single compatibility-breaking version, you first deprecate an API in one version, then remove it in a later version. This gives time to migrate off of the...

Many widespread internet protocols were written at a time when internet security wasn’t much of a consideration. From things like lack of From address verification in email to NTP reflection there are lots of protocols that are now considered badly designed. When they were authored there was a lot of implicit trust (For example because there were...