[HN Gopher] Show HN: Haven - Run a private website to share with... ___________________________________________________________________ Show HN: Haven - Run a private website to share with only the people you choose Author : mawise Score : 421 points Date : 2021-02-03 14:13 UTC (8 hours ago) (HTM) web link (havenweb.org) (TXT) w3m dump (havenweb.org) | turtlebits wrote: | Not to downplay what you've built, but what differentiates this | from using basic auth + HTTPS on a static site host? | mawise wrote: | I actually tried building it that way first. I made a tiny | static site generator and had Apache enforce basic auth. | Creating new users required ssh-ing to the server and modifying | the account list. I didn't see that as an approach that would | be accessible to less-technical people. | turtlebits wrote: | I know Netlify supports basic auth via a config file when you | publish. Unsure of other hosts. | macca321 wrote: | The thing people like about Facebook is looking at other peoples | photos, safe in the knowledge that they don't know you are | looking at their photos. | andrewzah wrote: | ...there is no facebook replacement. You can't replicate social | groups via software. Facebook is not anything special other than | most people use it, so the network effects are immense. | | You could have the greatest software in the world and it would | not be able to replicate fb's markets and groups functionality. | Craigslist is the only one that comes close for replicating fb | marketplace. | | If you want a small private blog, just host a single user | mastodon or pleroma instance. That way you're part of the | fediverse but maintain control of your own personal instance. | wintermutestwin wrote: | >Craigslist is the only one that comes close for replicating fb | marketplace. | | FB marketplace is an incredibly weak attempt to replicate | craigslist and its only advantage is that FB polices its | userbase so you are a bit more likely to know who you are | dealing with. Nextdoor polices the userbase more. | andrewzah wrote: | "and its only advantage is that FB polices its userbase" | | I find the biggest advantage is the network effect. In my | experience I have found a lot of things through marketplace | and fb groups, in addition to craiglist. | fiores wrote: | > ...there is no facebook replacement | | Facebook itself probably doesn't believe this. | andrewzah wrote: | Other platforms have different communities and users. There | is absolutely no facebook replacement at this time. Whether | or not it'll continue to be used in 10 years is another | question. To clarify, I use neither facebook* or twitter. | | My point here is that you cannot solve a human and social | problem from a technical standpoint. It doesn't matter how | good your product is if no one uses it. Mastodon will never | be a facebook replacement, etc. | | * Aside from marketplace and local buy/sell groups. | teeray wrote: | I think beyond Family and Friends, there's another use-case here | that you may not have thought of. I can't think of the number of | times that I've encountered various HOAs and other small orgs | that want some online presence, but also want strict access | control. Like, they want a directory of everyone's name, email, | and phone, and a place to post some updates like "trash is | delayed because of the holidays this week," "reminder: annual | meeting on the 5th," "minutes from the last meeting available | here." | ttul wrote: | And the commercial SaaS that's available for this userbase is | horrendous... | Terretta wrote: | Do you mean Squarespace? | | https://www.squarespace.com/ecommerce/membership-sites | | What about OOS, like BuddyPress? | | https://buddypress.org/ | bufferoverflow wrote: | Doesn't every open source blog software allow you to self-host? | How is your solution superior to the battle-tested Wordpress or | dozens of other options? | 2pEXgD0fZ5cF wrote: | From the webpage: | | _Haven is about sharing privately with friends and family. | There is no option to make your blog public to the world. You | get to create an account for anyone you want to have access. | When they connect to your site, they use https encryption | between their web browser and your server. That means nobody | can intercept and read your posts. Since you create accounts | for people, there is no place for spammers or internet bots try | creating accounts. | | If you want a public blog to build a base of followers, or | promote a product, or try to profit from your blog--this isn't | the right service for you. I suggest you use Wordpress | instead._ | eternalny1 wrote: | I fail to see how this is different than a Wordpress private | blog. | | > Private. Select this option to make your site private. If | you want specific people to be able to view it (and add | comments, if you've enabled them), you'll need to invite them | to be a viewer. | qznc wrote: | I have no experience with that private mode. The creator | says, he tried WordPress though: | | > I tried using WordPress but it took too many custom | plugins and configurations and I still got bombarded by | spam signup requests. | Natfan wrote: | Based on what eternalny1 said, private mode doesn't | require "many custom plugins and configurations" as it's | baked right into the product. | | One could reduce that amount of spam signup requests that | one gets by simplying adding a captca such as | recaptcha[0] or hcaptcha[1] | | [0]: https://www.google.com/recaptcha | | [1]: https://www.hcaptcha.com | hartleybrody wrote: | What a perfectly obtuse, technical solution. Is grandma | going to solve a captcha in order to sign up on a | wordpress blog to view photos of her grandchildren? | | Dropbox is "just" a private s3 bucket with s3cmd on a | cronjob -- or a million other technical solutions -- but | they're a successful business because they nailed the | user experience for average joes. | | The point of OP's product is that you don't have to | cobble together a bunch of hacks to replicate the desired | user experience, it's supported out of the box. | dataexporter wrote: | Wordpress lets admins create accounts and set passwords | for the users as well. One can quite easily disable | public signups (to prevent spam) and manually create an | account for one's grandma. | | For public signups it is a perfectly valid solution to | use captcha! | x86_64Ubuntu wrote: | So how do people connect? The good thing about your social | media networks such as FB, LinkedIn, IG is that I can meet | someone in real life, and then connect digitally. Or I can | connect to the people who are important to the people who are | important to me (friending my cousin's fiance). Does this | provide a similar solution? | [deleted] | mawise wrote: | Hey HN, | | I'm the author, Haven has been my side project for a little | while. The core idea is that we should be able to make it easy | for anyone to host their own private webpage as an alternative to | centralized social media. | | A lot of the decentralized community seems to have chosen | federated models as the solution to "self-hosting is hard". I'm | trying something different. With core web technologies as the | foundation, my mom or my wife's grandmother can visit my site | with any web browser and I'm still able to exclude the rest of | the world. For technical people, self-hosting is made easy with a | one-line AWS deployment script, and an install script for the | Raspberry Pi Zero W. I'd like less-technical people to be able to | use this too so I'm exploring providing paid hosting as a | service. | | I think of Haven as a Facebook-alternative, but probably not a | Twitter alternative. I see Facebook as selling itself more as | "stay in touch with your friends and family" where Twitter is | more about "see what interesting people are saying". The latter | has discovery as a core component. With Haven everything is | private so discovery wouldn't make any sense. | | There's nothing new here in terms of technology--server-side | rendered web pages using Ruby on Rails, no javascript frameworks, | RSS using HTTP basic auth. But also no analytics libraries or ad- | tracking. Pages are lightweight and load really fast. I've even | provided a limited ability to add custom CSS so you can really | make your page your own. | | I would love any feedback you want to share. Both from a | technical or installation side, feedback on the public webpage, | as well as thoughts on communities that might be interested to | learn about Haven. | | Thank you! | [deleted] | mnd999 wrote: | I had exactly the same idea, and I've implemented it for myself | but haven't productised it as yet, and I'm not sure I will. | Love the self hosting part, and it's not that hard but the | security part I found problematic. | | I used Oauth for signup, which made it easy to share links to | galleries via e.g. Facebook and then click through using | Facebook login. I also went for a more open model where anyone | could log in but I could block people later on if I didn't want | to share. Depending on how sensitive a particular piece of | content is, both models would probably better. It seems | important to minimise friction as much as possible or people | just move on. Come back later when I've approved you is not a | good model, I found people simply lost interest. | oneeyedpigeon wrote: | How do you handle RSS using HTTP basic auth? Do RSS feeders | have support for basic auth built in, or is that via embedding | the username and password in the url? | mawise wrote: | I embed username and password in the URL; each user gets | their own dedicated RSS Url. Support for this among feed | readers is admittedly spotty, for example Inoreader requires | you to be on a paid plan and Feedly doesn't support it. If | there's traction/interest I plan to build a lightweight feed | reader right into Haven. | llarsson wrote: | Could TinyRSS or whatever it's called help there? | wintermutestwin wrote: | My suggestion: add a "circles of trust" feature, where you | categorize your users into different levels like: acquaintance, | co-worker, friend, family, special friends. Each post would | have a simple bullseye icon to select how far in to the circle | of trust you must be to see the post. | doggosphere wrote: | Google Plus circles | Jtsummers wrote: | That was _the_ feature I loved about Google Plus, I used it | extensively when the service was growing. But no one else | went to it regularly enough. CS Friends, Video Game | Friends, RPG Friends, Soccer Buddies, Family, Immediate | Family, Colleagues (several for several different jobs). I | could easily post things across circles that would appeal | to that circle. Vacation photos go to family and some | friends, most don 't care (or need to see it). My nerdy | tabletop RPG posts went to those friends who cared about | it. CS/programming topics went to those friends who cared | about it. | SCNP wrote: | You just made me realize that this is implemented in | Discord but very poorly. I have difficulty deciding where | I should post a meme to get it to the people that will | like it. Maybe I'm just on too many Discord servers... | Jtsummers wrote: | Well, the other problem with Discord is that people have | to opt-in to the groupings. Circles were publisher | driven. If you were in my CS Friends circle, that was | just where I categorized you. It was not akin to a FB | group or a Discord server. In those, you have to accept | some kind of invitation into the grouping, and you're | made to communicate with everyone in the group/server. | Circles were one way, from me to the circle. For a circle | member to publish to all the same people they'd need to | be connected to all of them directly in G+ and create an | identical circle. | | This is the same issue as group messaging in most instant | message type systems (including SMS/MMS). It's forcing a | full connection between all participants, when really we | may only want a fan-out structure. | | I haven't used it much (not as many people on it in my | social circles) but WhatsApp's broadcast lists are like | G+ circles in this regard. | eitland wrote: | Well, the circles feature as implemented and documented by | Google managed to confuse even me and I thought I | understood it early on. | rakoo wrote: | XMPP roster groups | TedDoesntTalk wrote: | xmpp lol. Great protocol, terrible clients. | treeman79 wrote: | Google tried this. Google+ | | You setup your circles for various topics. | | Neat idea. Complete failure. | | I've set up social interactions for major companies. | Basically any restriction on who can see what will kill the | feature. | hmsimha wrote: | I don't believe Google+ let you self-host, or fully control | your data, which seems to be the primary value proposition | here. Google+ also wasn't open source, so for example, you | couldn't see that deleted posts were actually deleted on | the server (they likely weren't) | OkGoDoIt wrote: | Facebook also had it long before Google+, called friend | lists. The UI was not great but it was incredibly useful | and I'm super frustrated they have been phasing it out over | the years. There are some things I want my super liberal | theater friends in San Francisco to see, and some things | that are only appropriate for my conservative family and | friends from back home in Georgia to see. Some things are | appropriate for professional contacts and some things are | only appropriate for very close friends who understand my | sense of humor. Facebook used to handle all these scenarios | beautifully but not so much these days, and as a result I | only share things that I'm comfortable everyone seeing, | which is a very small percentage of what I might otherwise | share. | ufmace wrote: | It was only a failure at what Google wanted it for - | displacing Facebook as the dominant social media company. | IMO, they failed primarily due to network effects, as in | they can't bootstrap without some killer feature to get | people to switch over from Facebook. Circles probably | didn't help here, since the ultimate effect is to reduce | engagement, when they need to maximize it to have a chance | of displacing Facebook. | | Probably the big risk for this thing is that nobody wants | to keep track of separate websites for dozens of | individuals, most of whom only post something they can see | once a week at most. You need to aggregate all of those | updates from dozens of people you know into a single | website and build a feed, then you have something that | probably always has something the user might find | interesting, and all in one place, so they'll actually | check it regularly. | 3np wrote: | I do not think this is the reason Google+ failed miserably. | It's been rehashed enough that I won't list my top picks :) | samstave wrote: | For me, google+ added zero value to my life, thus I | dropped it post-haste | munificent wrote: | _> Basically any restriction on who can see what will kill | the feature._ | | I think that's likely true for social media apps where the | product is "free" in that users are the product and | advertisers are the customers that fund it. In that | business model, your number one goal is to maximize | eyeballs. | | But Haven doesn't have that business model at all, so it's | not clear to me that a way to control who sees what posts | would harm success. | | By analogy, farmers want to grow as many plants per acre as | they possibly can to maximize revenue. The idea of potting | their plants individually makes no sense. But if I just | want a plant on my windowsill and don't want dirt | everywhere, a pot is what I want. | treeman79 wrote: | Tangent. | | Any talk of tech people and farmers seems to always | change to pot. | frakkingcylons wrote: | Uhhh read that sentence again. I think you're projecting. | InitialLastName wrote: | They were just being self-fulfilling. | rrauenza wrote: | Facebook actually has this as well... But hardly anyone | uses it? | cutemonster wrote: | All the time with G+ but never with FB. At FB it's not | easy to find the feature, but was simple with G+ | gowld wrote: | Facebook has the same thing so that's not the deciding | factor. | 1234letshaveatw wrote: | It seems to work well enough in nextdoor interestingly- but | the circles are location based | gowld wrote: | You cant choose your circles in nextdoor | samstave wrote: | nextdoor pissed me off - when I moved, they sent out a | postcard to people I knew telling them of my new address | - and I didn't ask them or authorize them to inform | people of where I moved - as there were people whom I did | not want to know where I lived. | | That seriously pissed me off. | Judgmentality wrote: | IANAL but isn't that doxxing? That definitely sounds | illegal, and I would seriously consider consulting an | attorney. | teeray wrote: | I think there's some unspoken stress about building and | maintaining a taxonomy of your relationships. Whether someone | is an acquaintance or a friend or a good friend can be fairly | dynamic. Being constantly confronted with rearranging people | into different "circles" feels a bit like explicitly deciding | if people can sit at the cool kids table today or not. | Jtsummers wrote: | They can be like tagging. In what context do I know Jack? | | I met him through church and at work. Maybe we have some | other mutual interests. | | How do I know Joe? | | Coincidentally also through church and work, but we're both | programmers (Jack is an engineer with different technical | interests), we play soccer together, we enjoy seeing movies | in the theater, and we participate in team trivia at | restaurants and bars together. | | By tagging people (or placing them into circles in the G+ | sense), I can select which group to communicate something | to based on selecting a tag or set of tags. "Hey soccer | peeps, I'm going to take my ball and some cones down to the | field at Central Elementary this Saturday if you want to | come out and practice with me." directed @soccer_peeps. | | Maybe throw a few groups together that aren't fully | overlapping in general: @soccer_peeps @trivia_teamsters | "Party at my place this Saturday, here's a link to RSVP and | sign up to bring something." | | I'm not forced to put everyone into a _distinct_ category | or circle, but can use loose taggings effectively. | tyingq wrote: | I like the bullseye idea, but aren't circles often venn | diagrams? That is, you might not want work posts to go to | family, and vice-versa as well. Doesn't fit the bullseye idea | naturally. | wintermutestwin wrote: | Yeah - maybe there needs to be a "customize" option for | posts that don't fit into the bullseye. I think venn | diagrams would be too complex in the interface. | SamBam wrote: | It seems pretty straight-forward to me: | | Who can see this: x Family x | Friends 0 Co-workers 0 Quiddich team | (custom group) | | Why over-complicate it? | watmough wrote: | Tiny bug: Under Features > RSS, the bottom of the page still | mentions Simpleblog instead of Haven. | mawise wrote: | Thank you! | krmmalik wrote: | It would be nice to have some sort of viewership stats. You've | come at a brilliant time with a solution like this just as my | facebook following is growing but so is my fear that they could | delete my account anytime for any arbitrary reason. Twitter | just isn't conducive to longform content and not everyone is a | pro with threads so this is an idea solution, but seeing how | many people liked a post, commented on it etc helps with the | feedback loop. | | I realise you're doing this primarily for people to share | personal content, but there's plenty of people out there that | want to share personal thoughts to a large part of the world | but just don't want to get censored by FB and your solution | could work well for them. | dublinben wrote: | >share personal thoughts to a large part of the world | | Have you considered a blog, or even a newsletter? | krmmalik wrote: | Yes but I like that it's simple and self-hosted with the | privacy aspect. | freedomben wrote: | > _I realise you 're doing this primarily for people to share | personal content, but there's plenty of people out there that | want to share personal thoughts to a large part of the world | but just don't want to get censored by FB and your solution | could work well for them._ | | It's probably worth asking OP what their position on | censorship is before suggesting this. It's shocking to me, | but many in the tech community are very pro censorship | (though they will call it "moderation" since it's not | happening to them). | | Also if a customer of OP's got big enough and was | controversial enough, AWS could threaten their account if | they don't terminate that user's pages. So even if OP is a | free speech absolutist, it still may not be a solution to the | problem of big tech censorship. | montroser wrote: | Anyone can spin up a website for negligible cost and put in | place whatever legal content they so choose. If government | interferes with that, then you have a claim to censorship. | | Short of that though -- if a private company like Facebook | or Twitter declines to host your content, that is entirely | their right. It's not a public utility. | | Free speech means you can say whatever you like. It doesn't | mean you have a right to a platform and an audience. | nomdep wrote: | > Anyone can spin up a website for negligible cost and | put in place whatever legal content they so choose. | | And host it where exactly? | montroser wrote: | GitHub Pages, Firebase will do free static hosting, Wix | has a free plan, etc, etc | nomdep wrote: | Except those are also private conpanies that can and will | kick you out if what you say is inconvinient in any form. | | And so my question. | mawise wrote: | Censorship is a tough topic. As long as Haven is restricted | to private posting, then it should be able to operate with | 100% freedom of speech. When you send an email to your | friend, you get 100% freedom of speech. Private, access | restricted posting should be equivalent. | | If I were to explore public posting on Haven, then | censorship/moderation becomes an issue. Public posting is | outside of the focus I want to have and this would just | make it more complicated for Haven so I'm not planning to | explore anything that lets you "grow your audience"--I'm | focusing on private sharing with your existing community. | jrexilius wrote: | Thanks for putting this out there, I've been thinking about | building almost exactly this for myself and my friends. Happy | to pay you to host it for us and support development. Looking | forward to testing it! | detritus wrote: | Small typo on your hosting page | | > For these reasons we're offing to host a Haven for you | mawise wrote: | Thank you! | phkahler wrote: | Why AWS? I want to plug a pi into my cable modem and host it | there. | | On a related note, We need something like bit torrent for | video. Where the chunks would come approximately in order and | watchers effectively host a copy for the entire time they are | watching. So we can all self host arbitrary length videos to | all our friends on that same Rpi. | Djvacto wrote: | Not sure if maybe their comment was edited in the last | minute, but > For technical people, self- | hosting is made easy with a one-line AWS deployment script, | *and an install script for the Raspberry Pi Zero W.* | [deleted] | titanomachy wrote: | Unless you have pretty restricted bandwidth, or a huge number | of friends, you should be able to do that pretty easily with | a basic HTTP server on your pi; no torrents needed. | virgil_disgr4ce wrote: | "For technical people, self-hosting is made easy with a one- | line AWS deployment script, and an install script for the | Raspberry Pi Zero W" | didibus wrote: | How is it secured and made private? | cratermoon wrote: | Found the code. Looks like basic auth. And, I can't find any | password hashing -- are they being stored in the clear? | | Also the author checked in a credentials and a master key to | github | hanniabu wrote: | Yikes, huge red flags.... | bovermyer wrote: | The only bit of feedback I'll offer at the moment, having not | yet seen Haven in action, is regarding the website. | | Have a designer give the site a distinctive visual identity, | including a logo. Once it's ready, expand that visual identity | into the Haven application itself. | | At the moment, the site feels a bit generic. That's not meant | as a slight; just an observation. | softwaredoug wrote: | Wow neat! I do something similar with Jekyll for family photos. | I have thought a lot about "private social media". My core | requirements sound similar to yours: | | - It should be able to easily upload photos and videos from my | phone | | - everything is link-private, not on Google. | | - it has to be very easy for the least tech savvy to view | photos/videos. Needs to work on many devices, even old browsers | on older PCs out there. Possibly even to the point of printing | and mailing people the images. | | - photos/videos need to be long-lived, I want to view these 30 | years from now | | - space for kids to post messages to their family. Family can | respond easily | | - I own everything and grant no rights to a giant mega Corp | | - it should be possible to notify family members via email when | new content is posted. | | I don't have all those, but these are my ideal. | forgotmypw17 wrote: | i,m working on a project which hits all your points, | including compatibility back to netscape 2.0 and ie 3.0. | jtvjan wrote: | You mean your qdb.us project? It's cool, but I don't think | it's very user friendly. | forgotmypw17 wrote: | i agree, i,m still working on the ui. qdb will be | upgraded to a newer version soon. | newswasboring wrote: | I find it curious why you are supporting such old browsers. | Apart from "its cool" is there any market reason for it? | Like are there really people out there using netscape 2.0? | Or is it a side effect of your minimal technology? But that | sounds limiting unnecessarily, you know? | random_kris wrote: | I think that poster was being sarcastic | forgotmypw17 wrote: | no, i was not being sarcastic, and i have the screenshots | and demo videos to prove it. | forgotmypw17 wrote: | a. i believe in the any browser philosphy. | | b. i think every browser is worth it, and some of these | classics are very nice. | | c. it,s not very limiting because html and js allow for | progressive enhancement. | | i started out wanting to just be accessible. then i saw a | cool exhibit at mfa with beige boxes, win95, netscape 3, | and older web creations. | | i realized it wouldn,t be that hard, i wanted to support | nn3 for classic retro reasons. | | then i realized that with a few tweaks, i can cover the | whole range. | | i really want to be able to say, yes, it will work with | your device. | | i have older ipads i can still use for writing now. | [deleted] | mplewis wrote: | Hi OP, I'm glad you're tackling this space. But I am not | willing to install social network software until I can see some | screenshots of what the UI looks like. I need to know what to | expect, and what my users can expect. | 1970-01-01 wrote: | This seems like an oxymoron. What is your definition of a | "private" website and what are the technical controls Haven | implements that make it so? | throwaway894345 wrote: | Say you've never used Twitter without saying you've never used | Twitter. | | > Twitter is more about "see what interesting people are | saying". | kodablah wrote: | It can be hard for people to self host due to local router | settings and what not of course. You should consider an option | to auto configure as a Tor onion service so their desktop | website is immediately available to all (that use a Tor browser | of course). I do this all the time to bust NAT for simple | sites. And you get encryption and anonymity mostly for free | (performance cost often negligible for these kinds of sites). | newswasboring wrote: | I have read the site and some comments here. First, your site | does not explain well what do you mean by private blog which is | shared. From the comments I understood that you have to create | accounts for people who you want to view some content. I am | guessing that would give them either a email/password or some | type of secure link. If its the former I would definitely find | it tedious, and if its the latter I would like to know how are | you securing this link. | judge2020 wrote: | Magic links are fairly common (slack does them), although | some people have a bad habit of forwarding emails which can | be considered a security issue if links work multiple times. | TedDoesntTalk wrote: | > I tried using WordPress but it took too many custom plugins | and configurations and I still got bombarded by spam signup | requests | | I understand the Wordpress pain. My solution was to pay | Wordpress.com $35/year to give me a hosted Wordpress instance. | There is just one switch you need to flip to make the whole | thing private. Family members have access through their own | usernames. | mahastore wrote: | Why can't someone simply go to any hosting service (like | bluehost) and do a point and click webpress installation on | their purchased domain to host their own website. Webpress also | has a bunch of add-on modules for authentication. I just don't | understand why this post is the top on HN ATM. I imagine there | are bunch of more worthwhile posts. Or maybe we are just too | obsessed now with big tech etc? | wtvanhest wrote: | This is like the classic DropBox comment [1]. The activities | you describe seem easy to you, but are really hard for the | average person. Authentication in Webpress? I imagine that is | more than a 10 minute activity. | | [1] https://news.ycombinator.com/item?id=8863 | sxates wrote: | To be fair, I think setting up a raspberry pi or an AWS | instance isn't 'mom friendly' either. Still more friction | than Facebook, which this is positioning itself against. | wtvanhest wrote: | The real service is their hosting: | | "If running it yourself is too daunting, we can host it | for you on your own dedicated virtual server for as | little as $5 per month." | distantsounds wrote: | Can we maybe get an example of a running instance somewhere? | There isn't even a screenshot of the UI on the home page, just | a bunch of marketing clipart. And that one minute video only | shows cropped screenshots. | 3np wrote: | I was assuming the linked product site is built with Haven | ropeladder wrote: | This looks great. I was looking for something similar to get the | word out about a private event recently and the options for non- | public minimalist website hosting is surprisingly limited. (I | ended up just doing a password-protected simple nginx server, but | this looks potentially much nicer to set up and use.) | krmmalik wrote: | This is a bloody brilliant idea! I think the privacy aspect, i.e. | creating a wall around the content in the way you have done here | is what has been the missing piece between other self-hosted | blogging/content solutions and this. | | A very elegant solution. | kareemm wrote: | Love the idea. We've got kids and try to keep their likenesses | off the public / data-slurping internet (Google, FB/WA/Insta, | etc) by sending photos to friends and family via Signal. | | The downside is that everything's ephemeral. I've long thought | there was room for a private network where you can pub/sub to | people you care about. Sort of a simple and private Livejournal / | Blogger. | | FWIW I think the self-hosting bit isn't where the opportunity is. | It's in hosted private sharing. One thing I'd do is create | landing pages for people who want to share privately and have $$. | Parents are the first group that comes to mind. | | I wish you success - the world needs what you're doing! | rakoo wrote: | Movim sits on top of XMPP, which handles a lot of these already | https://movim.eu/ | | It's also federated, so people not using your instance can | still interact from where they are | izacus wrote: | I mean... if you don't want to self-host, what's the actual | difference between your service and Google Photos then? | | You're still giving photos to someone else with a pinky swear | they won't do share them further. | Benjamin_Dobell wrote: | If setup correctly, the hosting provider ought to be | incapable of decrypting the photos. | ncallaway wrote: | Presumably the contents of the privacy policy would be | different. | | Google doesn't give you a pinky-swear that they won't do | anything further with the images. | paxys wrote: | But an anonymous person on HN is perfectly trustworthy? | vorpalhex wrote: | Incentives, law and outside attestation. | | Google gives you a lot of things for "free". I trust someone | who I pay $9/mo to if they promise to not share my photos. If | they share my photos, they'll stop getting my $9/mo. | | Legally, the host can include protections for your data | including not reselling or sharing your data even in cases of | acquisition. If it's in the contract with the host, it's | binding both ways. | | Third, by allowing audits. There's a cost here and auditors | are still human, but they provide outside assurance - | especially when their findings are published independently. | mawise wrote: | You're right. This is a trust issue that's difficult to | reason about. I'd like to encourage people to self-host as | much as possible and I plan to be as open as possible about | how I'll do hosting. Paid hosting means the revenue model is | clear--there isn't a need to sell data to keep the lights on. | I'm also using the same AWS deployment process for paid | hosting as I make available in the open source repository--so | every Haven gets its own dedicated EC2 instance, with a | database installed right on that instance. This makes broad | querying of everybody's data much harder. | | I think my biggest fear is that that this idea takes off, but | some competitor makes a free offering by selling data and | including ad targeting and most users don't know the | difference. | kareemm wrote: | I don't think you have anything to fear. The reason people | would buy is privacy. If someone gives it away for free | they are the product and their privacy is at risk. | | Plus the market is enormous. Probably room for a handful of | good sized competitors. | nlitened wrote: | I suggest you make a private Telegram group. Everything is | synced across all members and devices, photos and videos are | stored in full resolution. You can hop into the group's voice | chat any time. | ruste wrote: | Someone has already suggested mastadon, but I think Scuttlebutt | is a much better solution for what you want. Totally | decentralized, persistent, no need for a hosted server. You can | set it up in a few minutes and if you're only using it for your | small group there's no need to connect to anyone else. | jamesgeck0 wrote: | The problem is that SSB isn't really private. Anything you | share in an offline circle of friends becomes public if any | member of the group ever connects to a pub server. There is | encrypted messaging, but IIRC last time I tried to use it, | the threads maxed out at eight people in the client. There | are seven people in my immediate family, so I hit limits very | quickly. | kevincox wrote: | This is possible in the Fediverse. For example Mastodon lets | you approve your followers manually and post so that only | followers can see. | kareemm wrote: | There's value in making private only and anything you post is | seen by followers the default case. Mostly when marketing: if | I don't ever want to publish publicly a landing page that | says this: | | > Haven is about sharing privately with friends and family. | There is no option to make your blog public to the world. You | get to create an account for anyone you want to have access. | | Is more compelling than one where grandparents have to | register, find my blog, I have to approve them, and for every | post I have to set permissions levels. | treis wrote: | >We've got kids and try to keep their likenesses off the public | / data-slurping internet (Google, FB/WA/Insta, etc) by sending | photos to friends and family via Signal. | | We use Tinybeans for this | drcongo wrote: | Yeah, there's loads of these. We used to use BackThen which | used to be called something else, got bought by Canon and | then sold back to the founders. It's decent enough, but now I | just use iCloud shared photo albums as none of the people I | share with use Android. | knz wrote: | > long thought there was room for a private network | | MyFamily.com was essentially this in the pre Facebook era. IIRC | there was a modest annual fee for a private site/feed that let | you share posts, photos, and recipes with family members. | calvinmorrison wrote: | ActivityPub / Mastadon maybe or just a good old RSS feed. | didibus wrote: | Facebook and Instagram both let you do this, that's how I use | them. All my information is private and only shared with my | direct followers that I've approved. | | What's different about what you envision then that? | jstrieb wrote: | On the other hand, if you want to password-protect static sites, | you can make the path unguessable and use Link Lock to share a | password-protected link to the page. All encryption/decryption is | done fully in the browser. | | https://jstrieb.github.io/link-lock/ | | (Disclaimer: I made Link Lock) | eitland wrote: | Brilliant idea and nice, honest business model it seems: | | Share the code, offer hosted solution for a reasonable price. | | The only thing I can't remember seing covered is data export. | | I might very well sign up tonight to test it out a bit to put the | money where my mouth is (I have been a long time paying | customer/supporter of a couple of other projects with kind of | similar business models but it might be time to change now soon.) | mawise wrote: | Thank you! | | Data export is important, and it doesn't exist yet. Exporting | the users table and the text content of posts/comments will be | straightforward, but extracting all the images is going to take | a little bit more work. | sasquacz wrote: | My family needs a private place like this. I put a non-federated | Pleroma instance on a free tier Google Cloud VM. Pleroma is a | lightweight alternative to Mastodon and it requires very few | resources to handle ~10 users. It's compatible with more popular | Mastodon so there is a lot of available clients apart from the | web version. | | Highly recommend you give it a try. https://pleroma.social/ | gnud wrote: | Sounds good - and looks interesting. I have two wishes/requests | for my use: | | - Clear size limits for photo/audio/video content in your hosted | solution. And clarify if/how they are backed up. Do I need an | additional backup, or can Haven be my backup? | | - Different visitor groups. I basically have some videos I only | want certain visitors to see. A handful of levels would be fine, | I don't need fine-grained control over everything. Maybe this is | already possible? | mawise wrote: | Right now I don't have any size enforcement included in the | hosted solution. And individually uploaded object can be up to | 25mb (IIRC). If users start blowing out the S3 usage, then I | might have to revisit this. | | The hosted solution (and the self-hosted on AWS which uses the | same deployment methods) automatically backup every night by | dropping a database dump on S3. There's some manual work | required to restore from the backup but I haven't had any | issues with it so far. All the images live on S3 which I'm | treating as durable. If you self-host on a Raspberry Pi then | you're on your own for doing backups. | | I've thought about the different groups feature. I haven't | decided if it's one I want to implement. It might be the top of | the slippery slope of adding too many features. | powerlogic31 wrote: | I think it's more of an internal company tool rather than a | family one. | | Needs of most family are pretty basic. and not this complicated. | fgreinus wrote: | https://www.haven.org/haven/wiki/ | | Seems like perl is not having a good day there. | piaste wrote: | About halfway down the code: sub | ProcessTemplateText { local($text) = @_; | $oldtext = $_; $_= $text; # Truly | frightening stuff s/\[eval (.*?) | EVALEOF\]/eval $1/geo; $outtext=$_; | $_ =$oldtext; return $outtext; } | unkeptbarista wrote: | Just so it's clear, that truly frightening stuff is on | haven.org, and not on the OP's havenweb.org site. | olav wrote: | OP is at https://havenweb.org/, not https://haven.org/ | fgreinus wrote: | Oh - you're right. My bad! | bicx wrote: | [insert meme] Is this hacking? | tootie wrote: | Wow, copyright 1995. Was this borrowed from Matt's Script | Archive? | kristopolous wrote: | It's the c2 code https://en.m.wikipedia.org/wiki/WikiWikiWeb | scary-size wrote: | Nice work! I setup a private page for sharing baby photos with | friends and family too. We only post photos with a small | description, so I opted for e-mail as my "api". The server runs a | script periodically and just rebuilds the full "feed" as a single | html file based on those mails. It also does some image and video | optimization/normalization, but it's all statically served via | nginx. | daitangio wrote: | There is something similar for chats? I need a secure chat for my | children & their friends | gnicholas wrote: | Reading this made me wonder if one could use Substack in a | similar way, and it appears that they do have a 'private' option | that is available for free or paid authors. [1] | | I imagine that limits what you can do with layout/formatting, but | eliminates some of the complexity around helping grandma log in | (since she could get emails with the content and also with a | login link). | | Disclosure: I am not affiliated with Substack; I don't even have | an account. | | 1: https://blog.substack.com/p/new-private-substacks | joewils wrote: | mawise, | | Where you thinking of sharing your code under an MIT license | similar to Rails or something else? | | I looked for a LICENSE file, but didn't find one: | https://docs.github.com/en/github/building-a-strong-communit... | mawise wrote: | I've been thinking about licensing, but haven't settled on a | license yet. I might use AGPL, but I want to consult with | someone with legal background before making that decision. | twodave wrote: | I've actually got a Jekyll + Github Pages[0] setup that I've | managed to password-protect pretty effectively[1]. | | Essentially I took my wife's wordpress content, ported it to | markdown, and slapped ALL the content inside a directory named | used the password hash. So you basically have to know the | password to get to the right directory. Is it perfectly secure? I | don't know. Does it discourage creeps from looking at pictures of | my kids? Yep. | | [0]: | https://dsheldon.com/technology/github%20pages/jekyll/2019/0... | | [1]: https://faithfullyinfertile.com/ | onion2k wrote: | _...slapped ALL the content inside a directory named used the | password hash. So you basically have to know the password to | get to the right directory._ | | You could attack the site by cracking the password to get the | hash, or you could work out a way to make the web server list | all the available directories instead. Historically that has | always been a _very_ common way to attack servers. You 've | changed the thing that's protecting the website from password | hash to a web server config. It only takes a simple mistake on | the part of Github to enable directory listings and everyone | will have access. | | FWIW I trust that Github won't do that and I think you'll be | fine, but as a method of securing something on the web using an | obscure directory name is a terrible idea. | twodave wrote: | Well, for one, "cracking the password" in this case would | take an attacker much longer than just going to find some | other family's blog to creep on. And there is no entry point | for a directory listing (default page is being taken by the | password prompt, no other directories are present), but if, | for example, GitHub accidentally made my private repository | into a public one, it's just a matter of changing a directory | name to reset the password. | | The content being protected here isn't nuclear launch codes, | it's just family pictures/journals--so we don't need rock- | solid (and annoying to set up/maintain) security, but just a | deterrent much the deadbolt on our house's front door. | hanniabu wrote: | What if you literally just encrypted the page contents, share | the password with your friends, and decrypt it with js? | z3t4 wrote: | Ive tried to give family members access to private sites, but do | you think they remember their login user/pw? Nope. That is the | hard problem. Each person should have a publuc/private key so | they don't need usernames/pw. | mawise wrote: | This is a problem. Haven lets you share magic login links with | people if you don't want to give them an email/password | combination. | [deleted] | josefresco wrote: | This is cool! I did this once for my parents, who were not on | Facebook. Since I'm a WordPress guy, that's what I used and | simply made the blog private (search engine indexing off) and | then hosted it in a sub directory of an existing personal site. | No accounts, no bots just a private little website for my folks. | It ran it's course (uploading photos was a chore), now we use | iMessage and the like to swap and share family photos. | Tepix wrote: | I created a wordpress site on my server and added a htaccess file | with some accounts. Does that achieve the same thing? | | Edit: i guess i could have used the free plugin "restrict user | access" instead: https://wordpress.org/plugins/restrict-user- | access/#i%20have... | tyingq wrote: | I know it sounds counter-purpose if you're trying to lure them | off of Facebook for privacy reasons, but maybe Facebook Login | would reduce friction? It seems like the API gives back enough | info so that you could redirect anyone not "pre-approved". | mawise wrote: | I've thought about that, and I'm particularly interested | finding a way to use IndieAuth[1] to support lots of | alternative logins. I don't have any experience with Facebook | login but I am worried about allowing Facebook to be the | identity provider for the internet. | | [1] https://indieauth.com/ | stiray wrote: | The idea to have something like this is great but I would love to | see an implementation that would be done as a single binary with | no dependencies (like ruby) and as lightweight as possible. | | Download, run, configure something and use it. | kaioelfke wrote: | Cool, I'll add it to https://nomorefacebook.xyz as alternative! | realolokunmama wrote: | Hello!! I hope my contact brings you inspiration and joy to your | day! As you can see, I'm a spiritual spell caster i have herbal | cure for CANCER and more i also cast spells such as Health | Restoration Spell Dismiss Depression Spell Love spell Ex Back | spell Lost Love spell Attractive spell Divorce spell Financial | spell Promotion spell Marriage spell Protection spell pregnancy | spell Job spell Grow your business spell Lottery spell Fertility | spell Court Case spell Diabetes Lupus kindly contact me And don't | forget that problem shared is a problem solved. Email: | realolokunmama12@gmail.com | absorber wrote: | Not to be confused with Haven from the Guardian Project: | https://guardianproject.github.io/haven/ | foxhop wrote: | Also checkout Remarkbox, I just made it free. | | https://www.remarkbox.com/remarkbox-is-now-pay-what-you-can.... | | It's a hosted comment system which works anywhere HTML is | supported. | munificent wrote: | It seems everyone in this thread feels strongly that they would | have built a much better bikeshed than the author did. | | But how many of you actually have? | 1-6 wrote: | I'm bullish again on domain names. | rumblestrut wrote: | If you want a Facebook replacement (at least for groups) use | Band: https://band.us | | My wife is using it for a group she was running on facebook and | loves it. | | As for Haven: the more the merrier. Nice work building something! | njacobs5074 wrote: | Band is free? | | How is that possible? Sorry I'm just suspicious of anything | that smells like a social network and there's no cost. | | [Edit] I just went to the Apple App store page and there's a | cost for a variety of features. | olav wrote: | What is Band's business model? | twoslide wrote: | A private blog for sharing photos is great, but the suggestion | it's a Facebook replacement is questionable. People now use | Facebook not only for photo sharing/status updates, but | buying/selling stuff, communities, and (unfortunately) news. | Notifications such as "Friend A commented on Friend B's post" is | pretty impossible in this framework, and it's not really possible | to recreate this in a world where everyone self-hosts. Projects | like diaspora try a decentralized approach as the next best | thing. | Sodman wrote: | I would take this to mean a replacement for the "original" | Facebook feature set, of sharing personal news, stories and | photos with a pre-selected list of friends and family. | | Many people (myself included) don't _want_ the newer | marketplace / open community aspects of Facebook to be mixed | into a platform where they share personal updates. If that | means I have to give up 100 likes and comments on every | baby/puppy picture I post, that seems like an acceptable trade- | off to me. If folks want to comment on any of my updates, they | can communicate with me in other channels (e-mail, text, real- | life). Not for everyone, but it's definitely a market niche | that's under-served right now. | munificent wrote: | I don't see anything questionable about this. Product A can be | a valid replacement for Product B for only a subset of users. | | A bike is a perfectly valid replacement for a car for the set | of people who only drive a couple of miles to commute to work. | It's obviously not a replacement for all users, but that | doesn't undermine the valid claim that it is for some. | wintermutestwin wrote: | I'd prefer a site that doesn't include all those "features." | This doesn't need to be a do it all site with social stickiness | to be useful. | crazypython wrote: | > Notifications such as "Friend A commented on Friend B's post" | is pretty impossible in this framework | | If it supported ActivityPub and perhaps WebMention, this would | be possible, and across any social network. | perakojotgenije wrote: | Four of five years ago I had exactly the same idea! It's as if | you have somehow read it from my brain! Now here's the thing: I | even started working on it but then I started thinking about how | many customers I might find and then I stopped working on it. | Here's what made me stop: | | First, the self hosting. Self hosting is hard. It's impossible | for the average user. First, you need to buy and register your | domain (and don't forget to renew it every year or two). Then you | need to add the DNS record (what's a DNS record?). If you want to | host it in your home you need a static IP. How many people know | what a static IP is? If you do not have it you need to purchase | an online server. Cheapest linode or digitalocean is 5$ a month. | Then the installation. You might make a few scripts but how many | people will be able to run it? And then, if you finally have your | website active you need to take care of backups, too - because | mistakes happen. So, to summarize, self hosting is just for | technical people, there is no way for Average Joe to do it. | | And the there is the hosted solution. It costs 5$/month but what | do you get for that money? Yes, you can host your family pictures | but you do not get any of the other features that Facebook gives | you - the gossips, the ads (some people want to search for things | to buy), the latest conspiracy theories, the political flame | wars, your grandparents' ramblings... and all that for free! | | So, you get just the very basic features, and you will still need | to visit Facebook if you want to check your grandparents photos | and some of them will not even want to visit your webpage ("why | can't you just put photos on Facebook where I can see them? And | why do I need an account to see your pictures?"). So, other than | some very privacy-oriented people I did not see very many people | using it. | | Now having said that, I am extremely happy that someone made | this! I really hope that I was wrong and that you will find lots | and lots of customers. I will follow your project, I might even | become a customer (I stopped using Facebook a few years ago and I | share pictures with my family using telegram group but it is not | exactly the best solution). I wish you best of luck with this | project. | paulcarroty wrote: | Not bad, but for self-hosted blog I would use https://ghost.org/ | - much more features and nicer UI. | darkwater wrote: | Why would I turn my family into a business? | Sodman wrote: | This seems like a much more polished product, but it seems more | targeted as a PaaS for professional content creators. The | minimum requirements[0] are pretty high for somebody who just | wants to self-host a blog for friends and family: | | - Ubuntu server with NodeJS / Ngninx installed | | - 1 GB RAM minimum required | | - MySQL running somewhere | | The PaaS "Everything just works" offering is probably more | attractive to the "facebook, but private" market, but for $36 / | month I don't get any guaranteed SLA[1] which is worrying. | | [0] https://ghost.org/docs/install/ubuntu/ [1] | https://ghost.org/pricing/ | halcy0n wrote: | Great another place that snowflake ass white supremacists right | wing assholes can organize violent insurrection because they | can't handle being told "no" by women and minorities. | | I'm sure this is not the creators intent but I don't see this as | solving a problem. I see it as another way for techno-illiterates | to share hate. | mindfulness9000 wrote: | > snowflake ass white supremacists right wing assholes | | this kind of language feels hateful. | TimTheTinker wrote: | We're in a really bad place as a society if folks can't provide | a publishing platform without being accused of "enabling hate". | dasanchez wrote: | I am using the Beaker browser to share baby photos with my | relatives- it's a great motivator to adopt decentralized tech :) | | https://beakerbrowser.com/ | justinph wrote: | The problem I have with this is that it makes people create and | manage an account. My 90 year old grandmother is not gonna manage | that. | | I made a little hack for wordpress that lets you run a wordpress | blog and have a shared security question that lets people access | content. A simple question like "What is the name of the family | dog?" or "What is grandpa's nickname?", something like that. Not | industrial strength security, but enough to keep it sorta private | and out of search. | | The nifty part is that with wordpress and Jetpack, people can | sign up for posts by email, so every time you post, your | friends/family can get an email with the updates. No need to even | visit the blog. Perfect for grandma. | | Here's the two files that make it work, in case anyone is | interested: | https://gist.github.com/justinph/f0fb937d1ee418a45bfb85e91e4... | noyesno wrote: | Cheapest FIDO2 capable USB keys seem to be around 9$. At that | point you could theoretically give our family and close friends | a physical key to the service for easy authentication. | | Some could even reuse the key for other services, assuming they | realize that they need a spare for backup. | andyfleming wrote: | Yeah, it would be nice to have some other options besides full- | on user accounts. One approach could be to have an expiring | token where the post can be shared and accessed for a certain | number of days before the token/URL is invalid. | mawise wrote: | This is a problem. I initially couldn't get my wife's | Grandmother to see the site because sending her a password | was too complicated. I have since implemented magic links for | login. When you create an account for someone you can share a | magic link with them or an email/password combination. | wintermutestwin wrote: | Magic links sounds like a perfect solution. | paxys wrote: | It doesn't stop them from (knowingly or unknowingly) | forwarding the link to someone else. | mozey wrote: | Interesting idea, maybe combine it with some | fingerprinting? I.e. the first access on the link binds | some attributes, and if they change the link expires. | Chances are people who need these links are only using one | device. | tunesmith wrote: | You could set up a magic link that would ask your grandma for | her middle name, and all she'd have to type in is Ethel. Then | if she forwards the magic link, it wouldn't work for them | unless they know her middle name. So like a personalized | password with no username. Less secure than username/password | but no big deal if it's for a small number of people. | rhodozelia wrote: | I had that exact idea last week - answer a question that shows | you know me and you are not a bot and then you can access my | blog and posted photos, but the surveillance machine can't. | lallysingh wrote: | Yeah it's a problem they don't need to have. A few oathy | entrances would help. "Login with Google" "Login with facebook" | "Login with outlook", etc. If the user's added foo@gmail.com, | it's fair to let foo@ to log in with the same identifier. | bovermyer wrote: | Just to play Devil's advocate, why would I use this over a | private WordPress/Ghost/WriteFreely blog? | mawise wrote: | Those are great feature-rich platforms, but their focus is on | public distribution. Configuring them to be private isn't | trivial and even then they're much more complex to operate. | Haven focuses on privacy and I've tried to make it easier to | use, sort of like how Trello got a lot of popularity by being a | simpler, easier-to-use alternative to Jira. | ncallaway wrote: | From the features, it seems like the focus is on granting | different access to different people on a per-post basis. | | > There is no option to make your blog public to the world. You | get to create an account for anyone you want to have access | | ... | | > If you want a public blog to build a base of followers, or | promote a product, or try to profit from your blog--this isn't | the right service for you. I suggest you use Wordpress instead. | powerlogic31 wrote: | Yes and you could also use apple shared notes. | intrasight wrote: | Just pointing out typo on "hosting" page | | "possible for all peoeple" | fiores wrote: | Can a user from one Haven server post something in another Haven | server? Is this desireable? If desireable, how will access | control work? | bitcharmer wrote: | I've started to migrate to github pages. Does anyone know how it | compares? ___________________________________________________________________ (page generated 2021-02-03 23:00 UTC)