alt.hn

4/13/2026 at 11:45:00 PM

Tom7: No one can force me to have a secure website [video]

https://www.youtube.com/watch?v=M1si1y5lvkk

by Audiophilip

4/14/2026 at 2:47:38 AM

Tom appears to have totally missed SSLStrip.

Before browsers screamed bloody murder over http, a MITM could defeat SSL by acting as the SSL endpoint and forwarding everything as plain http. And back then, the only indication was lack of a 16px lock icon and a missing "s" in "https".

It's additionally daft to think that just because the page is public knowledge, a specific person reading the page is never sensitive information. As a blunt example, Wikipedia is obviously public knowledge. If you are a Chinese national reading https://en.wikipedia.org/wiki/1989_Tiananmen_Square_protests... then the CCP might like to know your location.

by toaste_

4/14/2026 at 5:31:04 AM

Indeed, this is something not discussed in an otherwise very good article.

As explained in the article, using HTTPS provides very little protection against whoever operates the site to which you are connecting, who might still not be who you think they are, despite accepted certificates.

Nevertheless, using HTTPS, especially when not transmitting any non-encrypted information, like the name of the site for which the connection is requested, protects you from those third parties who are not able to intercept your outgoing connections and act as middlemen, but who might still monitor your traffic and attempt to record it or to interfere with it.

by adrian_b

4/14/2026 at 2:16:03 PM

Privacy and security are not synonymous. Though it would have been nice to have the ideas discussed in the video.

by bitbasher

4/14/2026 at 3:48:37 AM

I know it's a bit beyond the core points, but the whole plaintext Client Hello assumption is so 2024; I've been using ECH in production for almost a year now on a number of webservers.

by miladyincontrol
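The two comments above turn on what a passive observer can read from the TLS handshake: the server name in a plaintext Client Hello, versus only a public "front" name once ECH is in use. As an added illustration (not code from the thread or the video), the following builds a minimal, constructed ClientHello record and parses it the way a network monitor would, reporting the visible SNI and whether the encrypted_client_hello extension (codepoint 0xfe0d) is present; the hostnames used are placeholders.

```python
import struct

SNI_EXT = 0x0000   # server_name extension
ECH_EXT = 0xfe0d   # encrypted_client_hello extension codepoint

def build_client_hello(server_name, with_ech=False):
    """Constructed test input: a minimal TLS 1.3-style ClientHello record.
    With with_ech=True, server_name plays the role of the ECH public_name
    (the real origin would sit inside the encrypted inner ClientHello)."""
    host = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type=host_name
    sni_ext = struct.pack("!HHH", SNI_EXT, len(sni_list) + 2, len(sni_list)) + sni_list
    exts = sni_ext
    if with_ech:
        payload = b"\x00" * 16                                  # opaque stand-in for ECH payload
        exts += struct.pack("!HH", ECH_EXT, len(payload)) + payload
    body = (b"\x03\x03" + b"\x00" * 32          # legacy_version, random (zeroed for the sample)
            + b"\x00"                            # legacy_session_id length = 0
            + b"\x00\x02\x13\x01"                # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (visible_sni_or_None, has_ech) from a TLS ClientHello record,
    i.e. exactly what an on-path observer can learn without decrypting anything."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
    p += 1 + record[p]                               # skip legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0] # skip cipher_suites
    p += 1 + record[p]                               # skip compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    sni, has_ech = None, False
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        if etype == SNI_EXT and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == ECH_EXT:
            has_ech = True                           # real origin is encrypted; SNI is the public_name
        p += 4 + elen
    return sni, has_ech
```

Without ECH the parser recovers the exact site name from the wire; with ECH it sees only the front name plus the fact that ECH is in use, which is the distinction the comment about the "plaintext Client Hello assumption" is drawing.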

4/14/2026 at 3:21:33 AM

"Like the team that decided I need to pay $150 a year to sign software to put in the app store, or whatever jerk put RFID tags on the water filters in my fridge like a sort of drinking rights management. Good technologists should be interested in cryptography and the power it brings, but also be careful about what they might set into motion."

by nabogh

4/14/2026 at 5:02:14 AM

While the title may be misleading, this is an excellent discussion of the security problems of HTTPS.

Of his complaints about misguided security, this one has resonated the most with my experience:

"Regarding my new enemy, ...

• The absolute shits that have locked down corporate computers with the assumption that the user can’t have a legitimate reason to change settings on it, put in a USB stick, use the command line, run an “untrusted” application like emacs or something that I just wrote and compiled myself, or basically any application other than a web browser, even if that user has been programming for 40 years and has a Ph.D. in computer science and was hired for that very experience."

The result of being given this kind of corporate laptop is that I have never done any kind of work on them, but I have kept them open on my desk just for reading my e-mail messages in Exchange, or for using Teams and the like, while doing all the work that I had to do on my own device, over which I had the control needed for productive work.

by adrian_b

4/14/2026 at 2:02:56 AM

Was fortunate enough to see this presented live at SIGBOVIK this year!

by Evidlo

4/14/2026 at 1:31:54 AM

Hear, hear! I honestly think the obsession with cryptography and security has caused us to lose much of what is simply fun about technology. We have grown so used to the assumption that everyone involved is a corporate player and that fools must be kept insulated that we have left no room for play.

by MrEldritch

4/14/2026 at 3:28:59 AM

I laughed hard at the IV part.

by jbmsf