uBlockOrigin / uBlock-issues

This is the community-maintained issue tracker for uBlock Origin
https://github.com/gorhill/uBlock

Remove MVPS HOSTS because it does not support HTTPS in 2019 #484

Closed DandelionSprout closed 5 years ago

DandelionSprout commented 5 years ago

Partially speaking on behalf of @jspenguin2017, who six days ago chose to remove MVPS HOSTS from Nano Adblocker in https://github.com/NanoAdblocker/NanoCore2/commit/7e708d24e84320a2aa9ea22edd6aa65518c2444a, we agreed on bringing up the matter with you guys at uBlock Origin as well.

Not only is MVPS HOSTS not using HTTPS in the year 2019, as one of very, very few adblock lists remaining to not do so, but it will probably never ever get HTTPS for several reasons.

You see, as far as I personally understand the situation, the domain mvps.org was created in the very early 2000s to serve as a hub for some members of the Microsoft MVPs program. There's probably a reason why his subdomain has the year 2002 in it, after all; as well as why he uses webpage stickers dedicated to Kim Komando and the XP-era Microsoft MVPs logo.

Many years later, WordMVP alleges that mvps.org shut down in January 2017, and that everyone who used to be there moved away from it except the MVPS HOSTS guy. Thus he is now left on a domain that has no technical support whatsoever, that he doesn't own, whose current domain owner doesn't give a darn about anything, and which he seemingly can't do any serious technical changes on whatsoever.

Jspenguin also (as far as I understand him) expresses worries about whether the list's licence, https://creativecommons.org/licenses/by-nc-sa/4.0/, is a sufficiently open-source licence for it to really count as being open-source.

I would previously have requested changing the list's sync-link to https://raw.githubusercontent.com/StevenBlack/hosts/master/data/mvps.org/hosts, but as that mirror is not updated instantly, but usually on a delay of several days, I think that just removing the list entirely would've been preferable.

gorhill commented 5 years ago

He removed the list a few hours after this was posted.

I decline, removing the list exactly at that time is quite curious and downright insensitive -- the list is and has been useful for countless people, and the author stated he would still keep maintaining the list despite his unfortunate health issues.

Whoever is bothered by a non-HTTPS connection is free to not use the list; it's opt-in.

uBlock-user commented 5 years ago

Why not request the author to get an HTTPS cert from Let's Encrypt instead? It's free for starters.

DandelionSprout commented 5 years ago

To Gorhill: Good points for the time being. I was completely unaware of the Reddit thread or of Burgess' recent problems.

To uBlock-user: I strongly suspect that it's outside of his control to get a Let's Encrypt certificate for winhelp2002.mvps.org, as he does not seem to control the domain rights or the mvps.org backend. Nevertheless I'll be attempting to suggest such a thing to him now in an e-mail.

jspenguin2017 commented 5 years ago

removing the list exactly at that time is quite curious and downright insensitive and the author stated he would still keep maintaining the list despite his unfortunate health issues

How did you conclude that I have seen that post? I wanted to remove that filter list for a long time, and decided to do it last weekend after being reminded by NanoMeow's log. Considering that I already have enough things to do, if I want to police which filters have not been updated for a while, malware-0 will be the first on the chopping block as it is costing me $3.5 a month to run the legacy server which updates its mirror.

As you probably know, after this incident, I have created a response protocol in order to properly respond to future incidents -- I still disagree with the way you handled that incident as removing the filter from assets.json does not unsubscribe it and the censorship rules will remain in place for an extended period of time.

Being privacy and security conscious, you should have known better about the implications of unencrypted traffic. In order to ensure the integrity of my assets mirror, I cannot let NanoMeow download filter lists over an insecure protocol. I voiced my concerns 10 months ago and 5 months ago about issues related to filters served over HTTP. There is no excuse to not use HTTPS in 2019 (actually, in any year after 2016) as Let's Encrypt offers free certificates to everyone. I understand that the author is having health problems recently, but that does not justify not installing a certificate before that, as Let's Encrypt has been available for years now. I probably would have given the author some more time if I had known he was sick, but what's done is done, and he had more than enough time to secure his site before he fell sick -- especially if he claims himself as an MVP.

it's opt-in

That is still not an excuse for you to promote it. You have better knowledge about privacy and security than the average user, and you should not make it easier for people to shoot themselves in the foot.
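The integrity concern raised above (filter lists pulled over plain HTTP can be altered in transit by anyone on the path, and a mirror built from them inherits that) can be checked mechanically. The following is an added example, not code from uBlock Origin or Nano Adblocker: it audits a constructed assets.json-style manifest and reports every filter-list asset with at least one non-HTTPS contentURL. The key names ("content", "title", "contentURL", "supportURL") are assumed to match uBlock Origin's layout; the entries and URLs are made up.

```python
import json
from urllib.parse import urlsplit

# Constructed sample modelled on uBlock Origin's assets.json layout
# (key names assumed). Entries and URLs are illustrative only.
SAMPLE_ASSETS = json.dumps({
    "example-https-list": {
        "content": "filters",
        "title": "Example list served over HTTPS",
        "contentURL": ["https://example.com/filters.txt"],
        "supportURL": "https://example.com/",
    },
    "example-http-list": {
        "content": "filters",
        "title": "Example list served over plain HTTP",
        "contentURL": "http://example.org/hosts.txt",
        "supportURL": "http://example.org/",
    },
    "example-mixed-list": {
        "content": "filters",
        "title": "Example list with an HTTP fallback mirror",
        "contentURL": [
            "https://cdn.example.net/list.txt",
            "http://example.net/list.txt",
        ],
    },
})


def plaintext_sources(assets_json: str) -> dict:
    """Return {asset key: [non-HTTPS URLs]} for every filter-list asset.

    contentURL may be a single string or a list of mirrors. An asset is
    flagged if even one mirror is fetched without TLS: a fallback that
    downgrades to HTTP still lets an on-path party substitute content,
    so the asset's integrity is only as good as its weakest mirror.
    """
    assets = json.loads(assets_json)
    findings = {}
    for key, entry in assets.items():
        if entry.get("content") != "filters":
            continue  # only filter lists are fetched and applied as rules
        urls = entry.get("contentURL", [])
        if isinstance(urls, str):
            urls = [urls]
        insecure = [u for u in urls if urlsplit(u).scheme.lower() != "https"]
        if insecure:
            findings[key] = insecure
    return findings
```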

jspenguin2017 commented 5 years ago

Oh, also, spam404 now supports HTTPS on their support URL. https://github.com/NanoAdblocker/NanoCore2/commit/89cddadfa737ebe959684cfaaa1df41abe3ba6f6

DandelionSprout commented 5 years ago

I'll take an "Either way is fine by me" neutral approach in this thread to avoid causing unintentional drama, although I am very supportive of HTTPS in general.

Having now asked Burgess about the situation, and whether he'd be willing to support HTTPS, here's the answer (top is his reply, bottom is the question(s) I asked him): [image]

So then we know now that he has no ambitions of implementing HTTPS, even upon the promise of me donating to him upon doing such.

jspenguin2017 commented 5 years ago

I have no control over MVPS ...

With outdated software and unmaintained servers, it's just a matter of time when the server is hacked and taken over. This is about "when", not "if".

I have no intention of moving ... or taking the time to mirror ...

This is downright irresponsible. How could this person claim himself a "most valuable professional" when he unprofessionally ignores significant security issues of his hosting setup? With the time he spent to respond to the email above, he could've mirrored his website to GitHub Pages or something.

You know what, maybe I'm missing something. Or maybe @gorhill has some special or personal connections with this person that I'm not aware of. Either way, I don't want to be part of the problem -- I'll also donate $10 if the hosting issues can be resolved and the list is re-licensed under a recognized open source license.