Hi,

On Tue, Jan 20, 2026 at 02:41:29PM -0500, [email protected] wrote:
> I wonder if a new more private Internet could be created on top of the
> existing Internet maybe where all participants communicate by VPN (or maybe
> all sites are encrypted (or have encrypted sections after an unencrypted
> portal).
>
> I thought about (and quickly discarded) the idea that a new Internet could be
> created, with all necessary physical and non-physical infrastructure from
> which bad actors could simply be excluded. (Or kicked out if they are found
> to be bad actors.)
>
> I'm wondering if, as an alternative to that, some sort of private encrypted
> network could be created?

Can you expand upon this idea as it relates to, say, forums.debian.net?

It's already on HTTPS so it's already encrypted.

It could easily refuse to display any content whatsoever unless you were logged in as a registered user. There are fairly obvious reasons why they do not choose to run it that way.

Instead of usernames and passwords it could authenticate via client certificates that it issued on registration. The downsides of that sort of approach are well known.

At the heart of the problem is that people running services like forums.debian.net¹ do not want to make it difficult for reasonable clients to access their data. What we lack are good ways to separate reasonable and unreasonable clients without making access too difficult.

You could choose to expand this notion beyond the individual site, so instead of it being forums.debian.net working out its own authentication scheme there were some central service managing the identities of the users. The benefit here would be that it would be easier to enrol users since they would need to do so for multiple services. Once enrolled they have easy access to everything using that scheme. The nasty downside is that this provides an attractive target for personal information leakage and it's still pretty annoying to use.

In the real world the only setups like this are either single sign on for workplaces or other institutions where it's a requirement to use it, or they are mandated by law like the recent crackdown on access to sexually explicit content. Which is not going well.

Decentralized identity providers exist that can be self-hosted, like OAuth. These are highly obscure and probably a dead end: anything that can be self-hosted can be abused to create infinite identities.

Important services won't want to trust an identity provider that they don't control, again unless mandated to by law.

In a walled garden where the state issues you an electronic ID and provides the services to authenticate that ID, it ought to be possible to create even third party services that could reason about their users without necessarily having to know exactly who they were. e.g.

"This HTTP client is providing an access token that belongs to a citizen of Elbonia as attested by the Elbonian government, so I'll let them view my whole site. Oh, they are now being abusive, so please revoke that token and don't issue any more to that citizen for the next 30 days."

That technology exists, but the governance doesn't, as far as I am aware. Maybe the current unpleasantness will force it to come into existence, though I suspect that no government will be visionary enough to do a good job of it, preferring to take easier solutions that they understand better, like passing laws that make it other people's problem.

Thanks,
Andy

¹ This is just my opinion as a generalisation. I don't have any insight into the actual thoughts of the operators of forums.debian.net. I don't even know who they are and I'm not a user of it myself.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
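
The attested, revocable token scenario from the message above, sketched as an added example that is not part of the original post and not modelled on any real eID system. The `Issuer` class, the service names and the citizen ids are assumptions, and an HMAC checked by the issuer stands in for a real signature scheme.

```python
import hashlib, hmac, json, secrets

BAN_SECONDS = 30 * 24 * 3600  # the 30-day re-issue ban from the message

class Issuer:
    """Hypothetical state identity service; all names here are assumptions."""

    def __init__(self):
        self._pseudonym_key = secrets.token_bytes(32)
        self._sign_key = secrets.token_bytes(32)
        self._revoked = set()      # revoked token ids
        self._banned_until = {}    # (service, pseudonym) -> end of ban

    def _mac(self, key, data):
        # HMAC stands in for a signature; services verify by asking the issuer.
        return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

    def issue(self, citizen_id, service, now):
        # Per-service pseudonym: stable for one service, unlinkable across services.
        sub = self._mac(self._pseudonym_key, f"{service}\x00{citizen_id}")[:32]
        if self._banned_until.get((service, sub), 0) > now:
            return None  # still inside the ban window
        body = json.dumps({"jti": secrets.token_hex(8), "sub": sub,
                           "aud": service, "attr": "citizen:Elbonia"})
        return f"{body}.{self._mac(self._sign_key, body)}"

    def introspect(self, token, service):
        """Called by the service: returns claims, or None if invalid or revoked."""
        body, _, tag = token.rpartition(".")
        good = self._mac(self._sign_key, body)
        if not hmac.compare_digest(tag.encode(), good.encode()):
            return None
        claims = json.loads(body)
        if claims["aud"] != service or claims["jti"] in self._revoked:
            return None
        return claims

    def report_abuse(self, token, service, now):
        """Revoke the token and block re-issue to the same pseudonym for 30 days."""
        claims = self.introspect(token, service)
        if claims is None:
            return False
        self._revoked.add(claims["jti"])
        self._banned_until[(service, claims["sub"])] = now + BAN_SECONDS
        return True
```

The service only ever handles the pseudonym and the attested attribute, and a ban raised by one service does not carry over to the citizen's pseudonym at another.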

