When I first got online, the World Wide Web was still in its infancy - so CompuServe was my gateway to the Internet. I loved their well organised chat room. A couple of clicks and I could be discussing Babylon 5 with people in another country, downloading wallpapers, and uploading my poor attempts at fan-fiction. Magical.

At some point, I discovered Usenet and its decentralised collection of newsgroups. This required downloading, installing, and configuring an NNTP client. Quite the world away from CompuServe's shiny software delivered on a free CD. But I persevered and, by the time I went to university, understood all the intricacies of PLONK, ROFL, and Godwin's Law.

My university experience was dominated by Usenet. It was where nerds went to socialise. I bought and sold computer equipment, published terrible poetry, and learned about LGBT matters. I lurked in the comp.lang.* hierarchy until I was confident enough to ask my Prolog questions without making it look like I was asking for help with my university assignments.

And then, one day, I just stopped.

There are three main reasons that I remember.

First was moderation. Sites like Slashdot were - at the time - pretty good at moderating out crap comments. Usenet was a stream of consciousness and, short of blocking individuals, there was no way to separate the interesting topics from the dull. Without upvoting and downvoting, it became tedious to read. And there was very little feedback on whether people found your posts useful.

Secondly was reputation. Sites like AVForums and eBay allowed you to see who was a reliable buyer and seller. Every transaction on Usenet was a risk. You might send money or goods to a scammer. Look, eBay wasn't perfect - but it made it easy to see how many successful transactions an account had made.

Thirdly was the user interface. Usenet looked dull. In a world of animated GIFs and MySpace colour schemes, Usenet didn't even have avatar images! Sure, the spartan nature meant that you could focus on a conversation - but it didn't feel as modern and exciting as the web did. NNTP software was fragile.

And so, slowly but surely, I drifted away from newsgroups into the tender embrace of web forums, Reddit, and Slack. All of them centralised (booo!) and privately owned (boooo!) but all having a nicer UI and UX (yay!)

I should briefly mention Google buying the Deja News archive, promising to revitalise Usenet, and then promptly abandoning it. Cheers Google. Choogle.

While Reddit goes through its "are we the baddies?" moment of banning all 3rd party clients and fucking over its unpaid labour force, I thought I'd return to see if Usenet was still a viable option. There was only one modern newsreader listed by my Linux distro - Pan which hasn't been updated in a year and has a GUI which gave me instant nostalgia. That's not a good thing by the way.

I couldn't find any Open Source Android apps for reading newsgroups.

And, as it happens, my ISP killed off their Usenet server a couple of years ago.

As I've said before - Slack is just IRC with a better UI. Dropbox is FTP with a better UX. WhatsApp groups are just ListServes for people who don't know how to configure a server.

Reddit was Usenet with a sparkly front-end.

User Experience matters. That's why Usenet lost. It was hard to set up, there was a ton of terminology to learn, sticky posts with group etiquette didn't exist, trolls and grieffers couldn't be moderated away, and the whole thing looked like a 1990s shareware accountancy package.

I'm a little sad that Reddit is further enclosing the commons. And I doubt this will lead to a resurgence in Usenet. But I hope it will give open source and open standards developers a little jolt towards designing user experiences which are fun and easy to use.

Buried in amongst all the hullabaloo from whinging ungrateful brats thoughtful comments from people with justifiable concerns, was this snippet from a Reddit employee:

An Improved Web Experience - Reddit

Long time readers will remember that I resigned from the Google AMP Advisory Committee having been a long time critic of the project.

AMP was an interesting idea (what if we made HTML fast again?!) and brought forth some interesting technologies (like Signed Exchanges) - but it ended up being a re-invented WAP⁰ which routed everything through a single point of failure.

I genuinely hate to see projects fail - but I can't help but hope this is the start of more people realising that giving unfettered control to an abusive monopoly like Google isn't a good decision.

The email I received from Reddit was charmingly lo-fi and eschewed those bourgeois capital letters.

Notice the (teensy tiny) flaw? Yup, it's using vanilla "http" rather than the super secure "https".

Earlier this year, Reddit switched on SSL for their entire site. Somewhat annoyingly though, they do not force SSL for the site. If you want to ensure all your sessions are encrypted, you have to manually set it up in your preferences.

I find that a little disappointing. I know that there is a cost associated with 100% SSL coverage on a major site like Reddit, but surely because of the site's popularity they should mandate it?

Anyway, I reported this minor problem to the security email address listed on their bugs page. A few minutes later, they replied.

Thanks for the report! While I don't believe there's any vulnerability introduced if we leak the verification token here (being that the intended recipient must have wanted to verify it if they clicked it, and tokens are tied to both the email and account,) I've got a fix for this that should go out this week.

A day or two later and it was fixed.

I'm trying really hard to come up with a malicious use for a MITM attack on this. There's not much.

The "dest" parameter doesn't appear to be hackable. It won't point to any site other than Reddit. So you can't redirect the user to a malicious site. What you can do is redirect to any Reddit post or page. Perhaps sending someone to a particularly disgusting post could be legally disadvantageous?

Of course, a malicious actor on the network could sniff the user's login credentials if the user hadn't noticed the lack of HTTPS.

So, there we are. A minor bug, swiftly fixed - and a general reminder that when you switch on HTTPS, make sure all of your communications with your users are updated to reflect that fact.