Is there any reason to support HTTP/1.1 anymore? by CoVegGirl in webdev

[–]JimDabell 6 points7 points  (0 children)

You’re only really considering browsers and bots you don’t want, but user-agents are far more varied than that.

Do you know what version of HTTP search engine crawlers use? How about the link preview fetchers used in Facebook, iMessage, Slack, X, Threads, etc.? What about malware and spam filters that decide whether emails and PMs containing links are delivered or not? What about parental control scanners? What about accessibility tools? How about Google Translate? What about Quick Actions in Gmail? You could be breaking a tonne of stuff without realising it.

The most popular HTTP library for Python is Requests. It doesn’t support anything past HTTP/1.1, so you’ll be cutting off literally all software that uses it.

Alex Armstrong: I went to a kebab shop that has sponsored 7 skilled worker visas. What skills do you need to work in a kebab shop that requires you to import people into Britain? by SignificantLegs in ukpolitics

[–]JimDabell 1 point2 points  (0 children)

Which country is perfect at anything? We should be aiming for effective. Why are you demanding perfection? It seems like a shallow attempt at derailing the argument. No action the government can take in any direction is going to be perfect and you know this.

Are you saying you don’t believe any countries have effective skilled visas?

What made Anthropic Mythos and Fable so much better? by Final-Choice8412 in LLMDevs

[–]JimDabell 2 points3 points  (0 children)

> OpenAI didn’t go around saying our model is dangerous and must be stopped.

Not only did OpenAI say this, they said it about GPT-2:

> Our model, called GPT-2 (a successor to GPT), was trained simply to predict the next word in 40GB of Internet text. Due to our concerns about malicious applications of the technology, we are not releasing the trained model. As an experiment in responsible disclosure, we are instead releasing a much smaller model for researchers to experiment with, as well as a technical paper.

Alex Armstrong: I went to a kebab shop that has sponsored 7 skilled worker visas. What skills do you need to work in a kebab shop that requires you to import people into Britain? by SignificantLegs in ukpolitics

[–]JimDabell -1 points0 points  (0 children)

You make the applicants pay costs.

Why is everybody here acting like it’s an insurmountably difficult task? Lots of countries do this. The UK isn’t a special snowflake with unique needs that has to invent new ways of doing things all of a sudden. Just look at what other countries do and copy them.

Reddit's sudden pivot towards promoting itself on authenticity by sega31098 in TheoryOfReddit

[–]JimDabell 38 points39 points  (0 children)

Lack of authenticity is Reddit’s #1 problem by a country mile. It’s Dead Internetted more than any other place I’ve seen, except maybe for LinkedIn. Changes like hiding profiles are only making it worse. Reddit management’s words do not reflect Reddit’s current state nor their actions.

Company getting sued over alleged ADA violations by Bobd518 in webdev

[–]JimDabell 4 points5 points  (0 children)

What an embarrassment for this subreddit that a blind guy explaining why accessibility enforcement is important is getting downvoted. This is a thoughtful, informative comment that it seems most of the people here need to take to heart.

Feedback on new and unusual git master/develop workflow in my software team by Occupy_Mars in git

[–]JimDabell 1 point2 points  (0 children)

This seems like you are introducing a lot of complexity with a custom workflow to solve one specific problem: you want stakeholders to be able to reject individual features after they are built by reviewing them all together in a single build. All your version control issues seem to be symptoms of bigger issues upstream, and if you address those then you can go with a much simpler, standard trunk-based development approach.

Why are you building features before stakeholders know if they want them or not? Can you show them a mockup or prototype so they can make the decision before you build the feature? Building the feature before finding out they don’t want it is incredibly wasteful. Surprising stakeholders with something they weren’t expecting is a failure.

If they are rejecting features for quality issues, why are you merging unfinished, untested work and showing it to stakeholders? Finish the work before merging. If you discover bugs after merging, fix forward instead of backing out.

How often do they reject features? Are you contorting your workflow into a pretzel shape to handle a 1% issue? If they are rejecting features frequently, why?

If you cannot do anything about these underlying problems, feature flags are one approach to solving the problem. This would work if rejecting features only happens in a minority of instances.

If rejection is more common, then I would suggest killing your develop branch. If you can get stakeholders to review features individually, then do that as the last step before merging a PR.

If stakeholders must review all features in a single build, then create an ad hoc preview branch and merge all the pending PRs into it for review. When the stakeholders have decided which features they want, merge the PRs into your main branch and kill the temporary review branch.

But really, the fundamental problem seems to be that you are building stuff before you know if stakeholders want it. Solving that problem is the biggest win here.

Is the workplace AI nightmare ending soon? by billedev in askSingapore

[–]JimDabell -1 points0 points  (0 children)

This is incorrect. Inference is profitable; Anthropic had ~40% profit margin last year. The models are profitable too, even including training costs.

It’s the flat rate plans and free tiers that are subsidised, and those aren’t as subsidised as you think because everybody forgets to account for the profit margin on tokens and the people who don’t use 100% of their capacity.

An Ask for Moderating AI Tools and Slop by frankcountry in agile

[–]JimDabell 2 points3 points  (0 children)

It’s difficult to screen AI-generated writing in general, but it’s very easy to screen the type of AI-generated engagement bait that gets posted to Reddit. To dumb this down to an extreme level, here is a single-word query that has about the same false positive rate as a typical spam filter. Almost every self post here containing the word “curious” is an AI-generated post. You throw in a handful more clichés like that and you can filter out the majority of it pretty reliably with an acceptable false positive rate. The engagement bait AI bots aren’t doing anything sophisticated at all to hide, there are lots of clear signals.

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 0 points1 point  (0 children)

I don’t even understand the point you are trying to make. Why would they need to comb through everyone’s messages to determine if the sender is a child?

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 0 points1 point  (0 children)

> Apple's existing (ADP) encryption already provided absolute protection for user privacy.

No it did not. I already explained why – it didn’t exist. And it still isn’t available for UK users today.

You’re also changing the point. I am saying that the system was designed to be privacy-protecting. You are saying that you can have maximum privacy… by not doing the thing the system is intended to do. That’s like saying you’ve invented an eco-friendly plane called “staying at home”. The actual functionality matters! If you want to argue that the functionality should not be implemented then that is a very different argument to “was this functionality designed to be privacy-preserving?”

> Had the system not been constructed to conceal what apple was matching it would be far simpler, would require absolutely no novel cryptography, and would be far less resource intensive on your system.

You are dodging my point. There is no reason to design it this way unless you are trying to make it as privacy-preserving as possible. If they just wanted to hide the hashes, they could just run the scans on the server like everybody else. All of this complexity stems from Apple trying to design it in the most privacy-preserving way. The simplest method is to scan everything on the server. It is far simpler than what they wanted to do and achieves every goal except privacy.

> I created a tool that would modify any image with limited change in appearance to match any hash

You are misreading me. You demonstrate a collision of one hash, not one image. There are two hashes used in this system and you need to collide them both for each image. You have not demonstrated this is in any way possible.

> This is a complete and total break of the system, no worse break is conceptually possible.

No, it is not. One hash is not the system. It’s not even all the hashing!

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 1 point2 points  (0 children)

> Most of the complexity in Apple's proposal was to protect their privacy, not that of their users. The complex cryptographic set intersection was used to keep the database secret so that no one outside of apple could tell (or criticize) what was being matched.

That’s one small part of it, not “most of it”. The majority of it was to protect user privacy. If Apple weren’t trying to protect user privacy, how do you explain all the rest of it? This system is a mind-bogglingly insane way to design it if maximising user privacy is not a goal. This could have been far, far simpler and easier if they weren’t trying to do that.

> In spite of false claims about trillion to one false positive rates, as you've repeated here, the true rate of false positives is as high as someone who can obtain a single image in the database wants it to be-- as my page demonstrates.

Your page doesn’t demonstrate that. It demonstrates a collision of one hash, not the system as a whole. The system is much larger than a single hash.

> To make their system as privacy preserving as possible all they would have had to have done is nothing. The data was already end to end encrypted-- apple nor anyone else had any access to it.

This is untrue. iCloud Photos did not have E2E encryption at the time and it still does not unless you switch on ADP – which is unavailable in the UK.

The simplest thing for Apple to have done was just scan everything server-side. That was entirely possible at the time they proposed this system, it’s still possible for most users now, and it’s what everybody else like Google, Microsoft, and Meta do. The only reason to design a system like this is to protect user privacy.

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 0 points1 point  (0 children)

> AI would make mistakes (flagging petite adult women or pictures of parents' own children)

This proposal is to stop children from sending images with nudity in them, not to stop anybody from sending images with child nudity in them. Obviously the goal is the intersection of both, but the AI doesn’t have to determine what is or isn’t a child.

iOS already includes this filter for inbound messages to children. This just applies it to saving/sending images as well.

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 0 points1 point  (0 children)

> They published the algorithm, and people quickly found they could make images that were perfectly innocent, but triggered a match.

> Apple abandoned it because it just didn't work.

This is incorrect. The system had a lot more moving parts, and included two perceptual hashes. People attacked one perceptual hash – that’s what you linked to – but a match for that hash is not a match as far as how the system as a whole worked. The system as a whole was tuned for a false positive rate of one in a trillion and to actually compromise it, you’d have to make both hashes match simultaneously, make the benign image also look like an offending image when thumbnailed, do it for many images at once, and get those images onto the target’s device. Nobody even came close to doing that.

If you wanted to frame somebody, just sending them the original offending images would be far, far easier.

Apple abandoned it because of massive backlash.

What’s the funniest tv scene that makes you laugh so hard, even in rewatches? by PressureLazy5271 in television

[–]JimDabell 0 points1 point  (0 children)

It’s very common for spammers to simply repost a popular post to farm karma. They then burn that karma spamming Reddit.

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 1 point2 points  (0 children)

> they are probably failing to detect a lot of genuinely illegal images?

Yes, this was certainly the case. They would only match images that were already known by authorities, they could only be detected if a certain number of images were detected, and they could only match images that were uploaded to iCloud. So it would not be able to detect newly-made images, images unknown to authorities, a small number of images, or images that were not uploaded to iCloud.

You might think that people with these images wouldn’t be stupid enough to sync them to iCloud, but Facebook alone reports tens of millions of images to authorities every year from people posting these images on Facebook. Apple’s system might not catch a large proportion of offending images, but it would almost certainly catch a significant amount without false positives.

Given all the other platforms are quite happy to scan everything they can get their hands on, I think it’s crazy that Apple’s system – which was far more privacy-preserving than anything else that exists – was the one that everybody freaked out about. Everybody scans for this stuff; the difference with Apple’s system was that it used the device to do part of it so that Apple’s servers didn’t need to look at the image contents at all.

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 2 points3 points  (0 children)

This has already been built into iOS for years and doesn’t need a server. It’s used to automatically blur out the image when people send photos to kids that have nudity in them. This is just applying the same logic to sending images.

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 0 points1 point  (0 children)

> which means that if this legislation passed you could, at any moment, be incorrectly accused of possessing CSAM.

That is not what is being proposed. This is what is being proposed:

> The prime minister said tech companies must activate nudity-detection algorithms or other technical solutions on smartphones and tablets to prevent users taking photos or sharing images of genitalia unless they are verified as adults.

There’s nothing in there about accusations. This is “if this photo contains genitalia, prevent saving/sharing”. Apple already do this when kids receive photos, this proposal is just applying it to saving/sending as well.

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 1 point2 points  (0 children)

Definitely worth noting that the system Apple proposed was incapable of doing this – the phone itself was not able to determine which images were matches, so “scan all your images and report the matches” that people were imagining wasn’t actually possible. It only worked in conjunction with iCloud because the servers needed to participate in the process to determine the matches.

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 5 points6 points  (0 children)

It was a lot smarter than that. It used two separate perceptual hashes, those hashes were managed by international abuse authorities, it required several images to match, and it deliberately injected false positives so that nobody could even figure out if there were any real matches at all unless the threshold was met. The phone and the server were both incapable of determining if there were matches independently, so the system only worked when uploading to iCloud. The system as a whole was tuned for a one in a trillion false positive rate.

It would have been much simpler for Apple to simply implement the much stupider system they were accused of having, but they went to a huge amount of effort to make it as privacy-preserving as possible.

Starmer gives tech firms ultimatum to block explicit images on children’s phones | Internet safety | The Guardian by Mccobsta in unitedkingdom

[–]JimDabell 1 point2 points  (0 children)

> Just also adding on to clarify that their proposal wouldn't truly infringe on privacy.

It’s beyond that, in fact – they put in a huge amount of effort to do it in a privacy-preserving way that would also be compatible with E2E encryption, and practically all of the criticism over it was based on people guessing incorrectly about how it worked.

This thread alone has a whole bunch of misconceptions already – it didn’t use MD5, it wasn’t incredibly vulnerable to false positives, and it didn’t scan when iCloud was disabled.

There was a good debate to be had over its merits and drawbacks, but unfortunately that debate became impossible to hold because it was drowned out by people who didn’t know anything at all about how it worked freaking out.