mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2025-02-17 12:20:06 +00:00

Compare commits

...

5 commits

Author SHA1 Message Date
Rohan Kumar
125beb0dd7
Linter config update 2022-10-17 12:44:51 -07:00
Rohan Kumar
6615ef05a7
Join nerd listings 2022-10-17 12:44:40 -07:00
Rohan Kumar
7a67788823
Fuck off 2022-10-17 12:44:33 -07:00
Rohan Kumar
7b11f993e2
Don't bold <dt>
It'll cause confusion with <h4>, and an upcoming post will have a lot of
those.
2022-10-17 12:43:56 -07:00
Rohan Kumar
a7fe8eb259
New note: self-signed cert problems 2022-10-17 11:41:58 -07:00
8 changed files with 40 additions and 7 deletions

View file

@ -480,12 +480,7 @@ h1 {
/* <kbd> should be distinguished from <code> and surrounding text
* in a way beyond font-face; at least two visual distinctions needed
* Also, Small text is easier to read when slightly bolder.
* This is important in the dark theme where I set my own colors and
* try to maintain good perceptual contrast even for small text, but
* I don't want toggling the theme to impact anything besides color so
* I set the weight here. */
dt,
kbd {
font-weight: bold;
}
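Review bot: the comment above `kbd {` needs a check after this removal. The only `*/` visible in the hunk sits on the line ending `I set the weight here. */`, so if the small-text rationale is deleted together with `dt,`, the two remaining comment lines need their own terminator or the `kbd` rule ends up inside the comment. If the rationale is kept instead, it now applies only to `kbd` and could say so.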

View file

@ -44,6 +44,8 @@ Chat with me: I prefer IRC, where my nick is Seirdy on Libera.chat, Snoonet, OFT
My secondary Matrix account for Synapse-only rooms is @seirdy:fairydust.space.
If you send me marketing emails or solicit guest posts, I will block you and submit you to third-party blocklists without warning.
## Links
Orbits (Gemini equivalent of webrings):

View file

@ -32,7 +32,7 @@ Git repos: [Sourcehut](https://sr.ht/~seirdy "{rel='me'}"), [GitHub](https://git
### Contact
Contact me via [email](mailto:seirdy@seirdy.one "{class='u-email' itemprop='email' rel='me'}") ([PGP](./publickey.asc "{rel='pgpkey authn' type='application/pgp-keys' class='u-key'}")), or on the Fediverse where I'm [@Seirdy<wbr />@pleroma<wbr />.envs.net](https://pleroma.envs.net/seirdy "{rel='me' itemprop='sameAs' class='u-url'}").
Contact me via [email](mailto:seirdy@seirdy.one "{class='u-email' itemprop='email' rel='me'}") ([PGP](./publickey.asc "{rel='pgpkey authn' type='application/pgp-keys' class='u-key'}")), or on the Fediverse where I'm [@Seirdy<wbr />@pleroma<wbr />.envs.net](https://pleroma.envs.net/seirdy "{rel='me' itemprop='sameAs' class='u-url'}"). If you send me marketing emails or solicit guest posts, I will block you and submit you to third-party blocklists without warning.
Chat with me: I'm on several IRC networks. Alternatively, I'm [@seirdy<wbr />:seirdy.one](matrix:u/seirdy:seirdy.one "{class='u-impp u-url' rel='me'}") on Matrix.
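Review bot: the notice is appended to the end of the already very long `Contact me via [email]...` line, after the Fediverse link, so it reads as if it belonged to the Fediverse handle and the diff shows the whole paragraph as changed. Suggest putting it in its own paragraph, or directly after the email and PGP links it refers to.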
@ -46,3 +46,4 @@ This is a basic [IndieWeb site](https://indieweb.org/).
In addition to its [canonical url](https://seirdy.one), a "rough draft" of this website also exists on my [Tildeverse page](https://envs.net/~seirdy/). This site's content also appears on my [Gemini capsule](gemini://seirdy.one).
For more information about the site, its design, and available feeds: [see the "meta" section](./meta/).

View file

@ -53,6 +53,8 @@ My handle is "Seirdy" on all the platforms I use:
=> mailto:seirdy@seirdy.one email
=> ../publickey.asc PGP: 1E892DB2A5F84479
If you send me marketing emails or solicit guest posts, I will block you and submit you to third-party blocklists without warning.
My username is Seirdy on Reddit, Hacker News, Lobsters, Tildes.net, Linux Weekly News, Codeberg, and a few other places. For IRC, my nick is Seirdy on Libera.chat, Snoonet, OFTC, Tilde.Chat, apionet, and a few smaller networks.
My secondary Matrix account for Synapse-only rooms is @seirdy:fairydust.space. My Matrix account used to be @seirdy:envs.net but I've since migrated to my own Conduit server.
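Review bot: the sentence `If you send me marketing emails or solicit guest posts, ...` is added verbatim here and in three other files in this comparison. If the wording changes later, four copies have to be edited by hand; a shared snippet or a single canonical contact section that the others link to would avoid drift, at least for the two HTML-side files.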

View file

@ -95,6 +95,8 @@ I go by <span class="p-nickname nickname" itemprop="alternateName">Seirdy</span>
</dl>
If you send me marketing emails or solicit guest posts, I will block you and submit you to third-party blocklists without warning.
At least two platforms listed in the "Social (centralized)" category are not endorsed, and I'm trying to wind down my use of them. If you find a "Seirdy" somewhere else and don't know whether or not it's me, please contact me and ask instead of assuming that it must be me.
I used to have the Matrix ID `@seirdy:envs.net`. I sometimes use `@seirdy:fairydust.space` for technical reasons (seirdy.one runs a Conduit server but certain features only work in Synapse rooms).
@ -108,6 +110,7 @@ If you want to follow me on the Fediverse, [read my Fediverse greeting first]({{
Selected projects
-----------------
[Clogstats](https://sr.ht/~seirdy/clogstats/)
: Analyze WeeChat logs to quantify, graph, forecast, and perform anomaly-detection on IRC channel activity. Written in Python; uses Pandas.

View file

@ -52,11 +52,11 @@ This site is featured in some cool directories.
- [Nixers](https://github.com/nixers-projects/sites/wiki/List-of-nixers.net-user-sites)
- [Smooth Sailing](https://smoothsailing.asclaria.org/)
- [Ye Olde Blogroll](https://blogroll.org/)
- [Nerd Listings](http://nerdlistings.info/category/personalsites/)
<details>
<summary>Pending directories</summary>
- [Nerd Listings](https://nerdlistings.info/category/personalsites/) (pending; expired TLS certificate)
- [LinkLane](https://www.linklane.net/) (pending)
- [Blog Surf](https://blogsurf.io/) (pending)

View file

@ -0,0 +1,29 @@
---
title: "Self signed certificate problems"
date: 2022-10-17T11:41:38-07:00
replyURI: "https://snowdin.town/notice/AOevybwoSx4xW4lX3w"
replyTitle: "self-signatures should have been treated as something normal"
replyType: "SocialMediaPosting"
replyAuthor: "Luna Saphira Dragofelis"
replyAuthorURI: "https://snowdin.town/users/LunaDragofelis"
---
> in my opinion, self-signatures should have been treated as something normal, with a warning only triggered if the site has been visited before and the signing key has changed
Two problems with self-signed Trust On First Use (<abbr>TOFU</abbr>):
1. Long-lived secrets without a revocation mechanism. Current approaches---[<abbr>OCSP</abbr>](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) and [client-side <abbr>CRL</abbr> checking](https://letsencrypt.org/2022/09/07/new-life-for-crls.html)---all use the certificate authority (<abbr>CA</abbr>) system.
2. Zero defense against TLS stripping attacks during the initial connection. You need to know the connection is authentic without taking the response at its word.
You could implement revocation with your own server, but stripping attacks make it absolutely trivial for an intermediary to compromise a connection. Your initial connection is as authentic as an HTTP site, and all subsequent connections are only as secure as your initial connection. Hostile networks are increasingly the norm, so this isn't a solid foundation.
A key-pinning system only works when backed by a separate source of trust. Examples include a <abbr>CA</abbr> or <abbr title="Domain Name System Security Extensions">DNSSEC</abbr> trust anchor (for <abbr title="DNS-based Authentication of Named Entities">DANE</abbr>).
Unfortunately, HTTP Public Key Pinning never took off since admin errors could irrevocably nuke a site, and browser devs don't want <abbr>DANE</abbr> without pinning.
> banks and other sites needing higher-than-usual trust would still use authority-signed certificates
I disagree that good security should be limited to "big important players" rather than being the default behavior. "Normal" sites often feature popular interception targets such as donation links, contact methods, log-ins, etc.
If we're going to get rid of the <abbr>CA</abbr> system, we should replace it first. Tor and Yggdrasil seem like interesting alternatives, though lacking domain names.
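Review bot: item 2 of the list names only TLS stripping, while the paragraph that follows makes the broader claim that the initial connection is "as authentic as an HTTP site". Under self-signed TOFU an intermediary does not need to strip TLS; it can answer the first connection with its own key, which the client then pins. Wording item 2 as a lack of authentication on the initial connection, with stripping as one case, would match the argument below it. Minor: the front-matter title reads "Self signed" while the commit message and body use "self-signed", and TLS is the one acronym in the note left without `<abbr>`.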

View file

@ -55,4 +55,5 @@ IgnoreURLs:
- "https://webring.yesterweb.org/noJS/index.php" # Seems to block htmltest; check manually
- "https://gitweb.torproject.org/tor-browser.git/tree/browser/components/securitylevel/SecurityLevel.jsm.id=ffdf" # Seems to block htmltest; check manually
- "https://lnk.dk" # blocks htmltest
- "https://www.fastcompany.com/90759792/with-google-dominating-search-the-internet-needs-crawl-neutrality" # blocks htmltest
OutputDir: "linter-configs/htmltest"
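Review bot: the `https://lnk.dk` and `https://www.fastcompany.com/...` entries are commented only `blocks htmltest`, without the "check manually" reminder the two entries above them carry. An ignored URL is never re-verified by the linter, so link rot on these goes unnoticed; suggest using the same comment wording so they appear in a manual check pass. htmltest treats `IgnoreURLs` values as regular expressions, so the short `https://lnk.dk` pattern also matches any longer URL containing that prefix; anchoring it would keep the exclusion narrow.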