Caddy was supposed to be great: a modern web server configured for TLS and HTTP2 out of the box. Apache and Microsoft IIS (both from 1995) look like dinosaurs next to the modern application written in Go.
"Earning your trust is my most important interpersonal goal ... I do my best to always follow Christ's example and include Him in everything I do."
But just days after the Facebook/Cambridge Analytica scandal, Matt shocked the community by announcing that the server software will soon collect telemetry from its users by default. The community responded with frustration and disappointment:
"After the recent FaceBook fiasco I would have thought there would be more 'sensitivity' to thinking about privacy before jumping in with a de facto opt-in (and the potential that that choice brings)." - omz13
"While this feels more like a privacy issue than a security one, the whole opt-out thing just leaves me with a taste of 'Caddy is the HTTP/2 web server with automatic HTTPS. Now with added spying!'" - lucas
"I work with individuals using technology in oppressive regimes. What you're proposing, if not handled carefully, could literally have people imprisoned or murdered by their governments. We are just now embarking on a global debate over privacy. Respectfully, to implement default telemetry now ... is a slap in the face to many of us." - caddyhello
In our Weekly Privacy Discussion video, we called Matt out on his decision, and urged him to reconsider his stance for the sake of user privacy. User caddyhello posted a link to the video in the community thread on telemetry, twice. It was removed both times by Matt, claiming the video "does not add any value to the conversation".
Let's recap: the sole developer of Caddy is censoring his own userbase to make arbitrary decisions which run contrary to the original ethos of the application. This is no longer just a conversation on privacy; this is an issue of trust. If he says one thing ("Earning your trust is my most important interpersonal goal") but does the opposite, how can any server administrator trust Matt Holt or his software?
If we were Go developers, we would fork Caddy into a new application, and move on. But we're not full-time developers (if you are, here's your shot at fame) which leaves us reaching out to the larger tech community to discuss the future of web servers, default TLS, and HTTP2. Where do we go from here?
Published April 30, 2018
Update May 01, 2018
In a heated debate on Hacker News, Matt Holt continued to silence dissent, flagging the post and downvoting anyone who disagreed with him. He admitted, "I haven't actually watched the video", demonstrating his refusal to engage in a rational dialogue.