Tom7: No one can force me to have a secure website [video]
Audiophilip
36 points
9 comments
April 13, 2026
Discussion Highlights (8 comments)
bariumbitmap
Link to paper: https://tom7.org/httpv/httpv.pdf
MrEldritch
Hear, hear! I honestly think the obsession with cryptography and security has caused us to lose much of what is simply fun about technology. We have grown so used to the assumption that everyone involved is a corporate player and that fools must be kept insulated that we have left no room for play.
Evidlo
Was fortunate enough to see this presented live at SIGBOVIK this year!
toaste_
Tom appears to have totally missed SSLStrip. Before browsers screamed bloody murder over http, a MITM could defeat SSL by acting as the SSL endpoint and forwarding everything as plain http. And back then, the only indication was lack of a 16px lock icon and a missing "s" in "https". It's additionally daft to think that just because the page is public knowledge, a specific person reading the page is never sensitive information. As a blunt example, Wikipedia is obviously public knowledge. If you are a Chinese national reading https://en.wikipedia.org/wiki/1989_Tiananmen_Square_protests... then the CCP might like to know your location.
nabogh
"Like the team that decided I need to pay $150 a year to sign software to put in the app store, or whatever jerk put RFID tags on the water filters in my fridge like a sort of drinking rights management. Good technologists should be interested in cryptography and the power it brings, but also be careful about what they might set into motion."
jbmsf
I laughed hard at the IV part.
miladyincontrol
I know it's a bit beyond the core points, but the whole plaintext Client Hello assumption is so 2024; I've been using ECH in production for almost a year now on a number of webservers.
adrian_b
While the title may be misleading, this is an excellent discussion of the security problems of HTTPS. Of his complaints about misguided security, this one has resonated the most with my experience: "Regarding my new enemy, ... • The absolute shits that have locked down corporate computers with the assumption that the user can't have a legitimate reason to change settings on it, put in a USB stick, use the command line, run an "untrusted" application like emacs or something that I just wrote and compiled myself, or basically any application other than a web browser, even if that user has been programming for 40 years and has a Ph.D. in computer science and was hired for that very experience." The result of being given this kind of corporate laptop is that I have never done any kind of work on them, but I have kept them open on my desk just for reading my e-mail messages in Exchange, or for using Teams and the like, while doing all the work that I had to do on my own device, over which I had the control needed for productive work.