Tom7: No one can force me to have a secure website [video]

Tom appears to have totally missed SSLStrip.

Before browsers screamed bloody murder over http, a MITM could defeat SSL by acting as the SSL endpoint and forwarding everything as plain http. And back then, the only indication was lack of a 16px lock icon and a missing "s" in "https".

It's additionally daft to think that just because the page is public knowledge, a specific person reading the page is never sensitive information. As a blunt example, Wikipedia is obviously public knowledge. If you are a Chinese national reading https://en.wikipedia.org/wiki/1989_Tiananmen_Square_protests... then the CCP might like to know your location.

Link to paper: https://tom7.org/httpv/httpv.pdf

I know its a bit beyond the core points but the whole plaintext Client Hello assumption is so 2024, I've been using ECH in production for almost a year now on a number of webservers.

"Like the team that decided I need to pay $150 a year to sign software to put in the app store, or whatever jerk put RFID tags on the water filters in my fridge like a sort of drinking rights management. Good technologists should be interested in cryptography and the power it brings, but also be careful about what they might set into motion."

Of his complaints, this one has resonated the most with my experience:

"Regarding my new enemy, ...

• The absolute shits that have locked down corporate computers with the assumption that the user can’t have a legitimate reason to change settings on it, put in a USB stick, use the command line, run an “untrusted” application like emacs or something that I just wrote and compiled myself, or basically any application other than a web browser, even if that user has been programming for 40 years and has a Ph.D. in computer science and was hired for that very experience."

The result of being given this kind of corporate laptops is that I have never done any kind of work on them, but I have kept them open on my desk just for reading my e-mail messages in Exchange, or for using Teams and the like, while doing all the work that I had to do on my own device, over which I had the control needed for productive work.

Was fortunate enough to see this presented live at SIGBOVIK this year!

I laughed hard at the IV part.

Hear, hear! I honestly think the obsession with cryptography and security has caused us to lose much of what is simply fun about technology. We have grown so used to the assumption that everyone involved is a corporate player and that fools must be kept insulated that we have left no room for play.