It’s too dependent on encryption. Yes, it’s a cool technical feat that stuff can be in the open but also private - but:
1. I want to be able to follow my friends if my phone dies and I have to get a new one.
2. I am very technical, and idk exactly what an X25519 keypair is.
I would like for people to come up with more stuff like this that is designed for small communities but not for very secure communication. Like I want something where it’s secured by a username and password, that I give to a server I am registered with - and that server handles the encryption business. If the server rotates keys, that’s for the admin to figure out and exchange keys with sibling servers.
Idk I’m just making up specifics but this is the kind of ethos I think is needed to make things that can be successful with non-technical people in a way that can unseat big tech.
In case I sound too critical - this is cool. It just isn’t something I can use with family and friends to replace facebook or even email.
If we are ever going to free ourselves of rent-seeking middle men, we simply have to make a cultural change where non-technical people do more for themselves. I don't even think it's about technical difficulty (most of the time). I think people just want someone else to take care of their shit.
The above includes us highly technical people on HN. We really can't expect (or lecture) the normal mainstream population to make a cultural change to adopt decentralized tech when most of us don't do it ourselves.
E.g. Most of us don't want to self-host our public git repo. Instead, we just use centralized Github. We have the technical knowledge to self-host git but we have valid reasons for not wanting to do it and willingly outsource it to Github. (Notice this thread's Show HN about decentralized social networking has hosted its public repo on centralized Github.)
And consider we're not on decentralized USENET nodes discussing this. Instead, we're here on centralized HN. It's more convenient. Same reason technical folks shut down their self-hosted PHP forum software and migrate to centralised Discord.
The reason can't be reduced to just "people being lazy". It's about tradeoffs. This is why it's incorrect to think that futuristic scenarios of a hypothetical easy-to-use "internet appliance" (possibly provided by ISP) to self-host email/git/USENET/videos/etc and a worldwide rollout of IPv6 to avoid NAT will remove barriers to decentralization.
The popular essay "Protocols Not Platforms" about the benefits of decentralization often gets reposted here but that doesn't help because "free protocols" don't really solve the underlying reasons centralization keeps happening: money, time, and motivation to follow the decentralized ethos.
"But you become a prisoner of centralized services!" -- True, but a self-hosted tech stack for some folks can also be a prison too. It's just a different type. To get "freedom" and escape the self-hosted hassles, they flee to centralized services!
"Making a cultural change" is not something you or any group of people can do. The superstructure of the game decides those, not the players. You can try, but nobody will play your new game.
Eg your bank genuinely helps with finance and transfers compared to transacting directly on a blockchain or snail mailing cash around.
> I think people just want someone else to take care of their shit.
Yes, division of labour!
Purely on a philosophical point of view and depending on where you live, they do nothing but increase the costs without adding value.
For example, realtors made sense back in the day when there was no internet. But, what value does a real estate agent add in 2026? An owner can list their apartment/house directly online. The buyer can search, find and contact the owner directly, a lot of times even for free (FB Marketplace, WhatsApp groups, etc.).
The most common argument is - "when things go wrong, the agent will take on the liability for the listing", but that is rarely the case in real life (again, may vary greatly depending on where you live). In most of Asia, this is not the case at all. They take their nice fat commission and wash their hands of it later, not even picking up your calls most of the time when there is an issue.
So what do agents do now? They hoard information instead. They advertise good listings, but to talk to the owner you will need to engage (and pay them) first.
Real estate agents are just one. Car dealerships rank right on the second in my list.
We don't need more agents. We need democratized access to information.
Is anyone forcing you to use realtors where you live?
FB Marketplace is just another middle man. (And that supports my thesis from another follow up comment: you want lots of competing middle men!)
Btw, real estate agents in eg the UK take about half the cut in a typical home sale compared to the US.
> Car dealerships rank right on the second in my list.
Yes, and as far as I know they are only a problem in the US, and that's because the US has crazy regulations that pretty much mandate car dealerships. In eg Germany you can buy your car direct from Volkswagen.
How will anyone find the house? If I use an online estate agent, then that's still a middle man. If I publish adverts on Facebook or Google, that's a middle man. If I'm hoping that I can generate enough SEO for my house to appear at the top of searches, that's also relying upon a middle man - the search engine. I guess I could just put a board outside the house with a URL on it and hope someone stops to take a photo.
Estate agents provide that marketing service as well as others around arranging viewings and interaction with solicitors, although that might be UK specific. But they do provide a service that would take a crazy amount of time for you to replicate by yourself for a one-off house sale.
On the other hand, I do care about people that are knowledgeable of these details, specialized, and trust to handle them for me for a fee.
That’s true of banking, realty, health, security, building, manufacturing of everything I use (or almost). That doesn’t prevent me from vaguely understanding the principles and some bits. And that saved me a ton of time and worry. But for the few times one agent does not work up to his promises.
I am 49, I have dealt enough with trying to do everything by myself, and I do appreciate and rely on middlemen way earlier now.
Generally, I see no problem with competent middle men. They offer a service like any other service. If you want the service, you buy it, and if you don't want it you don't.
By that time, no one can do without the nasty middle man as we have forgotten or never learned the skills to fend for ourselves and are thus beholden to the nasty middle man.
Network effect compounds this
Remember: Facebook is for grandparents, not where the cool kids hang out.
Yeah, it's a real cool club and you're not part of it.
Yeah...
2. You don't need to know unless you want to implement the protocol! To use (the very barebones) implementation all you need to do is fork the repo & give access, which I admit can be too much for family/friends so you might have to set it up for them (and I bet they'd be stoked to have a website of their own!)
Having seen enough stories in the vein of "if only I still had my bitcoin wallet from 2014" and "our storage server failed and when we tried to restore from backup we found out our last working backup was from two years ago," I have to say I have a rather dim view of how competent people actually are when it comes to keeping backups working.
I am not saying cryptography isn't useful for safeguarding your data, I just think for perhaps 90% of the users out here the risk of being locked out of your data permanently is more realistic than your data being accessed by a bad actor.
> which I admit can be too much for family/friends so you might have to set it up for them (and I bet they'd be stoked to have a website of their own!)
From reading the website, I was under the impression this is a techie oriented project still looking for technically inclined early adopters instead of something you can readily tell grandma to hop on. I sincerely doubt the average friend and family member who needs other's help to set up a personal website knows what the protocol does or why he or she should use it instead of Instagram or Facebook, or Signal, if the point is just to keep in touch with people you already know.
My call to any devs reading this: get an interface designer, put in the usability effort before adding new features.
I wonder if there's a decent way to encode these private keys in QR codes? You can jam about 4kB in a high density one from memory? (I know that'd be possible from a developer/technical point of view, but if this were my project I'd want a talented UX designer to have complete authority over how this is presented and explained to users.)
One other idea - maybe implement a Shamir's Secret Sharing mechanism where your private keys get sharded and encrypted to a sufficient number of selected friends, so if you lose your s@ private key it can be reassembled by convincing - say - 8 out of 12 selected friends to give you their part?
Or alternatively - automate a "recovery mechanism" where you set up a new key pair and publish it on a temporary domain/site, and can then ask a friend/follower who can authenticate your identity out-of-band - to export all your posts decryptable with your new key, then put your new key and all your old posts back into your main site.
The original concept is restricted from sharing outside the participating people, but it could be relevant that people add more people who are interested in a topic.
Email is a good transport layer. Nowadays people just imagine it as messages between large providers, but I strongly believe that small providers or self-hosted email can still be used.
Isn't that basically Mastodon?
I've never understood self-hosters' fascination with cloudflare. They have some cool products but I have a feeling 2026/27 is the time they start to show their evolving colours
Who's gonna sniff your traffic from home? NSA, your ISP?
They already do.
Same as in corporate networks: your data is MITMed anyway.
Fun should be unencrypted. It's not shopping or ssh into a server.
Five years ago I would totally agree. Now, when you do not want to share your fun thoughts with a border guard; a police person; an AI scavenger; a random jerk -- I would say, having a safe-ish space becomes almost a necessity
Woah.. when will those people learn? _Any_ browser storage is unreliable. Anything goes wrong with your web experience? Clear browser settings. Make new profile. Re-install browser. The browser's localStorage is not a replacement for a filesystem. It cannot be backed up, it is super volatile, and it should _never_ be used for anything important. It's one of those "worst of both worlds" cases, where malware can access it with no problem, while legitimate backup programs are locked out.
(And yes, the post mentions "new device" flow, but how many people would (1) remember to export their private key and (2) won't lose it with their device? I bet in practice people will use the network until the first time localStorage is lost, and then they will get annoyed that their feeds are lost forever, and will likely leave the network for good)
Anyway, I really like this idea, it's cool. When I think about this one though, I feel there's too much friction in the follow/unfollow process. Having unfollowing require re-encrypting and rebuilding the entire website for everyone seems cumbersome. It's not a killer in itself, but combined with this:
> If the original post is inaccessible (e.g. the viewer doesn’t follow the author), the reply is hidden entirely. A user only sees replies from people they follow — this is the spam prevention mechanism.
I think this is going to prevent it from scaling in any desirable way. I know it's not intended to scale, and is targeted at smaller friend networks, not influencers, but again, even small friendship networks grow complex, and I can see the experience on S@t turning into the worst parts of activitypub where you can only read half of the interesting replies because of not being friends, and it being a pain to then become mutual friends.
But, I really, really do like that s@t feels like a combination of RSS, activity pub and static sites, having a browser heavy client is interesting too.
It does feel a bit like s@t wants stuff to be easily locked down between a dynamic list of friends though, and it feels a bit weird to have the foundational tech of such a protocol be static sites, which by definition make it hard to lock stuff down to a dynamic list of friends. Hmmmm, I really do love/hate static site architecture
This is nice though, thanks for sharing.
Would a `/.well-known/` be helpful here?
Personally, I think a possible angle of attack for a new practical social network protocol is data management, as the amount of data people generate, consume, store, and share is enormous these days. More like, manage data conveniently, and share them easily as a side-effect.
As someone who tried to give all of the decentralized social networks a shot... something I realised along the way is that they are never going to fly because they are not giving you dopamine kicks like the big tech giants are. I ended up forgetting to visit Lemmy or Pixelfed or <whatever> because I had 2-3 times when I opened up the app and saw the exact same content, giving me a feeling of "nothing is happening here" and thus, I didn't need to check in.
I mean, even Signal has that Instagram story function but I have never seen a contact use it because no one goes to Signal "just to scroll" or whatever. They go there to send or read a message.
Any social media needs content for people to visit. They need to make people feel like they are missing out if they are not visiting. Otherwise, they're just going to end up as an app on the phone which is never opened.
(The IndieWeb wiki is probably the best resource for exploring the personal website-based social networking tech nowadays. I recommend the author check it out and maybe iterate on that instead :)
We need something like Discord, except each server is an actual self-hosted server like a Minecraft server. DMs between two users should be handled by a mutual server. Account credentials should be handled by a Nostr-like protocol, which also gives you global tweeting capabilities as a bonus.
Run the whole thing on Yggdrasil Network or something similar so that it's not tied down to IPv4v6 and DNS and all existing hardware infra, but can still take advantage of them. And add reciprocal inter-server onion routing to make it difficult to geolocate servers. Also take a page from SoftEther VPN's book and wrap all traffic in HTTPS and perform automatic NAT traversal, so that people can host servers from behind ISP firewalls.
Anything short of that and we lose to big tech and govs in the long run. But once we've achieved the above, the decentralized web can truly take off: we will get WiFi routers running open-source firmware to make a mesh network to act as alternative physical layer infra for the new web. We can still take advantage of the existing Internet's bandwidth as long as there's an unblockable path to send a little bit of data to discover and coordinate nodes.
This is not a software issue, it doesn't matter how good the tech is, the masses will always aggregate to big tech networks because decentralized networks will never have billion dollar marketing budgets.
Non big tech solutions need solid UI and UX that does not assume your average user can balance a binary tree, know what a private key is and how to safely back it up (other comments brought up this exact issue) or even knows what a "static website" means. Non big tech solutions need to give non technical users (read: the overwhelming majority of humanity) a good onboarding experience that does not involve learning ten new jargon terms and acronyms. Non big tech solutions need to know they have a limited strangeness budget [1] and should only spend it on places it matters. Non big tech solutions need to start actually catering to the unwashed masses before being befuddled by them choosing to stay on Mark Zuckerberg's platforms instead.
[1] https://steveklabnik.com/writing/the-language-strangeness-bu...
Then maybe you're not the target audience, or you're just not noticing the ads, because TikTok is particularly notable for their aggressive marketing efforts during their growth phase.
> Non big tech solutions need solid UI and UX that does not assume your average user can balance a binary tree
Non big tech platforms don't need anything. They can never compete with billion dollar budgets and they shouldn't set that as a goal. Everyone enjoys a well designed UX, but billion dollar marketing budgets will always eclipse the alternatives.
For the first years of its existence I only knew TikTok because they were advertising everywhere.
Each device (cellphone/laptop) is a server. They connect to preferred server stations that are used for discovering other peers. There are things like common chat rooms on the station servers but personal messages are completely p2p using webrtc.
There are other apps there, for example to host your own websites or blogs and other things you'd expect from modern usage. Mesh is done today using cheap ESP32 devices (3 euros each).
It is a work in progress, the main point is that it can exchange data even outside the internet and use radio connections.
You have named networks that are federated together, and people can publish to the networks they are invited to or sign up for. The networks survive even when individual servers go down. Data is cached all over at the edges.
Your version is just way too susceptible to rot, unless you see that as a feature. I see it as most of the good content falling into the ether sooner rather than later.
Also can use people viewing the pages as hosts https://gabe.durazo.us/tech/ephemeral-p2p-project/
Minecraft servers are a poor metaphor for what ideal decentralized social media should look like. They are the opposite of robust.
As far as archiving is concerned, many archiving orgs will pop up if their discussion servers and public facing websites can't be traced or easily shut down. The protocol itself can't archive things, but it protects the people doing the archiving work and gives a place for websites like Anna's Archive to live without relying on IP and DNS. The idea is to amass enough uncensorable social power so that such efforts can't be banned or shut down, then you can use existing protocols like BitTorrent all you want.
> sAT Protocol (s@) is a decentralized social networking protocol based on static sites. Each user owns a static website storing all their data in encrypted JSON stores.
Cryptographically, a problem is that it makes ciphertexts publicly enumerable, protected by an X25519-derived key. This makes it very vulnerable to harvest-now-decrypt-later attacks, if you believe quantum computing will ever happen.
... and you don't believe that everything will be totally fucked when it does happen.
If there is a global passive observer, and they get quantum computing, a huge amount of supposedly encrypted private information just got popped. Whether or not I care about my dinky little private social network posts when every ssl/tls connection I've ever made is being cracked and data mined is an interesting question.
It's basically PGP + RSS, only mapped to a bunch of files of specific structure. Those could be RSS/ATOM feeds instead of JSON, to reuse an existing format. The reuse of the ideas is good, these ideas are time-proven.
As any PGP-lookalike, this thing has the key distribution problem, and won't scale to billions of users due to that. Key rotation and revocation is another problem. But for a small-scale network it should be fine, and can run on very tiny, very low-power devices, maybe even with intermittent connectivity.
Not true, the "content key" is common to all viewers of all posts, from a particular author. (hence the need to re-encrypt the world when you unfollow someone...)
I see.
I see...
I think it needs to not have a dependence on github. This is a microsoft thing, and at best it means this will become another way for a corporation to make money from people.
Speaking of money, it needs to be paid for. (The github part is free from Microsloth and so is NOT free). So how do you pay for this? Micropayments.
So we need a system of micropayments. Then we need it to provide a way to help people economically. These are not barriers, because this is hacker news, instead this is an accurate understanding of more of the problem.
People keep talking about a collaborative internet without using the term. But to be clear we are talking about a fundamentally different kind of internet. That we can build.
Also I think you're confusing "free as in beer" and "free as in free" here. The last thing any alternative social network needs is to bake capitalist incentives into the model, as that would just lead to everything optimizing for the same dark patterns and influencer garbage people want to avoid. There already exist plenty of ways to help people economically.
I'd imagine that similarly to TWTXT, this suffers from the same accessibility and barrier of entry issues. It's one thing when all you have to do is type text in a textbox and click "Submit", but it's a whole thing entirely when you have to screw around with updating your website to do anything.
Forking, paths, JSON, decentralized, encryption, key rotation, etc and I still have no idea why I would bother and who else could use it (a decentralized social network is only so much fun if you are the only one on it).
Right now, those circles of friends are _reasonably_ well served with some combination of Mastodon (effectively zero security but with decent findability) and Signal (much more limited mostly to only people you'd be OK with having your phone number).
I will definitely take this for a spin, and start having discussions with particular groups of friends to see if I get any traction.
https://satellite.earth/ (Satellite nostr client)
https://nsite.run/ (literally static sites on nostr)
Question about this:
“Threads are positioned in the timeline by the original post’s created_at; replies within a thread are sorted by their own created_at ascending.”
Does this mean, I, as the person replying to the post can manipulate my reply time to say, 3 minutes before person X’s reply?
If so, I can imagine a few adversarial ways of (ab)using this.
I understand this is more for friend groups, just curious if my understanding is correct.
edit: I guess an easy fix is to append a cryptographic hash to the post ID, but yeah currently I'm assuming you trust your friends.
Why not use git for social networking ;)
Is perfect forward secrecy no longer considered valuable?
PFS in an open, freely-associable environment is far more complicated when you move beyond even the smallest of group sizes. Realistically, once the group size is beyond Dunbar's number you can reasonably assume that PFS is moot, because you no longer can depend on maybe four or five people's personal security, but 150+. Statistically, someone's opsec failure will be guaranteed.
Let's crash the fediverse! https://wire.wise-relations.com/
This is a very common problem. There is potential to possibly make this more decentralized with smart card technology. Like imagine a smart phone with access to pub keys in the hardware tied to an account cryptographically. Then you can say something like phone number = subscriber = pub key. Encrypted messaging apps seem to bootstrap off of ownership for numbers in the mobile system (mobile system security is very bad so there are dragons here.) The other apps like pidgin with OTR plugins they have unique phrases that help with the issue.
When you start looking at decentralized pub key infrastructure tied to human-meaningful names you start to run into Zooko's triangle:
https://en.wikipedia.org/wiki/Zooko%27s_triangle
human-meaningful, decentralized, secure -- pick two
This is not true of indieweb's web mention: https://indieweb.org/Webmention
It just uses HTTP POST (like pingback/trackback/etc, except it has a second step verifying the page sending the webmention actually has a link to a URL on the website). You can send them with a browser or cURL or some complex backend script. Receiving them is as easy as logging POSTs to a specific URL endpoint or even using someone else's community backend your site interfaces with via javascript (i.e., https://webmention.io/ - not static since it uses JS). Or anything in between.
Totally decentralized and very simple. I implemented a simple nginx POST logging format in the config to receive on my static site. And HTML forms on my static site can send. http://superkuh.com/blog/2019-12-11-3.html
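The two-step receiver check described in the comment above (accept the POST, then confirm the source page really links to the target), as an added example that is not from the comment author's nginx setup or any Webmention library; `FAKE_WEB`, the URLs in it and `mysite.example` are constructed stand-ins for fetching the source over HTTP.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the web: URL -> HTML body. A real receiver would
# fetch `source` over HTTP instead of looking it up here.
FAKE_WEB = {
    "https://alice.example/notes/1": (
        "<html><body><p>Replying to "
        '<a class="u-in-reply-to" href="https://mysite.example/blog/post-1">Bob</a>'
        "</p></body></html>"
    ),
    "https://spammer.example/buy-now": "<html><body>No links here</body></html>",
}


class _LinkCollector(HTMLParser):
    """Gather the href of every <a> tag in the source document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _valid_http_url(url):
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def verify_webmention(form_body, my_host, fetch=FAKE_WEB.get):
    """Validate one Webmention POST body (application/x-www-form-urlencoded).

    Returns (accepted, reason). `fetch(url)` returns the source HTML or None;
    the default is the constructed FAKE_WEB lookup rather than a network call.
    """
    params = parse_qs(form_body)
    source = params.get("source", [""])[0]
    target = params.get("target", [""])[0]
    # Step 1: sanity-check the request before doing any fetch at all.
    if not (_valid_http_url(source) and _valid_http_url(target)):
        return False, "source and target must be http(s) URLs"
    if source == target:
        return False, "source and target must differ"
    if urlparse(target).netloc != my_host:
        return False, "target is not on this site"
    # Step 2: fetch the source and confirm it actually links to target;
    # without this anyone could attach arbitrary URLs to your posts.
    html = fetch(source)
    if html is None:
        return False, "source could not be fetched"
    collector = _LinkCollector()
    collector.feed(html)
    if target not in collector.hrefs:
        return False, "source does not link to target"
    return True, "ok"
```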
...which doesn’t do signing, but does do E2E encryption? So it’s more like DMs-over-HTTPS.
Maybe this would be better with a LiveJournal style interface. Medium length posts with threaded comments/replies are an underrated format.