Caddy was supposed to be great: a modern web server configured for TLS and HTTP/2 out of the box. Apache and Microsoft IIS (both from 1995) look like dinosaurs next to this modern application written in Go.

Caddy is developed exclusively by Matt Holt. His online profile reflects Caddy's mission to, "deliver security and privacy to millions of users across the world".

"Earning your trust is my most important interpersonal goal ... I do my best to always follow Christ's example and include Him in everything I do."

Double Trouble

But just days after the Facebook/Cambridge Analytica scandal, Matt shocked the community by announcing that the server software would soon collect telemetry from its users by default. The community responded with frustration and disappointment:

"After the recent FaceBook fiasco I would have thought there would be more 'sensitivity' to thinking about privacy before jumping in with a de facto opt-in (and the potential that that choice brings)." - omz13

"While this feels more like a privacy issue than a security one, the whole opt-out thing just leaves me with a taste of 'Caddy is the HTTP/2 web server with automatic HTTPS. Now with added spying!'" - lucas

"I work with individuals using technology in oppressive regimes. What you're proposing, if not handled carefully, could literally have people imprisoned or murdered by their governments. We are just now embarking on a global debate over privacy. Respectfully, to implement default telemetry now ... is a slap in the face to many of us." - caddyhello

In our Weekly Privacy Discussion video, we called Matt out on his decision, and urged him to reconsider his stance for the sake of user privacy. User caddyhello posted a link to the video in the community thread on telemetry, twice. It was removed both times by Matt, claiming the video "does not add any value to the conversation".

Fork Caddy

Let's recap: the sole developer of Caddy is censoring his own userbase to make arbitrary decisions which run contrary to the original ethos of the application. This is no longer just a conversation on privacy; this is an issue of trust. If he says one thing ("Earning your trust is my most important interpersonal goal") but does the opposite, how can any server administrator trust Matt Holt or his software?

If we were Go developers, we would fork Caddy into a new application and move on. But we're not full-time developers (if you are, here's your shot at fame), which leaves us reaching out to the larger tech community to discuss the future of web servers, default TLS, and HTTP/2. Where do we go from here?

Published April 30, 2018

Update May 01, 2018

In a heated debate on Hacker News, Matt Holt continued to silence dissent, flagging the post and downvoting anyone who disagreed with him. He admitted, "I haven't actually watched the video", demonstrating his refusal to engage in a rational dialogue.

Another user suggested Armor, Traefik, and Wedge as alternatives to Caddy. We'll explore these options and review them soon.
