Tom7: No one can force me to have a secure website [video]

Tom appears to have totally missed SSLStrip.

Before browsers screamed bloody murder over http, a MITM could defeat SSL by acting as the SSL endpoint and forwarding everything as plain http. And back then, the only indication was lack of a 16px lock icon and a missing "s" in "https".

It's additionally daft to think that just because the page is public knowledge, a specific person reading the page is never sensitive information. As a blunt example, Wikipedia is obviously public knowledge. If you are a Chinese national reading https://en.wikipedia.org/wiki/1989_Tiananmen_Square_protests... then the CCP might like to know your location.

I know its a bit beyond the core points but the whole plaintext Client Hello assumption is so 2024, I've been using ECH in production for almost a year now on a number of webservers.

Link to paper: https://tom7.org/httpv/httpv.pdf

Was fortunate enough to see this presented live at SIGBOVIK this year!

I laughed hard at the IV part.

"Like the team that decided I need to pay $150 a year to sign software to put in the app store, or whatever jerk put RFID tags on the water filters in my fridge like a sort of drinking rights management. Good technologists should be interested in cryptography and the power it brings, but also be careful about what they might set into motion."

Hear, hear! I honestly think the obsession with cryptography and security has caused us to lose much of what is simply fun about technology. We have grown so used to the assumption that everyone involved is a corporate player and that fools must be kept insulated that we have left no room for play.