Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git‑Confirm and notes.

This week, at long last, GitHub announced granular access tokens for npm. This is a big deal! It's great for security generally, but also particularly useful if you maintain any npm packages, as it removes the main downside of automating npm publishing, by allowing you to give CI jobs only a very limited token instead of full 2FA-free access to you...
As you may have seen, Docker Hub made a dramatic shift in policy this week, and effectively gave a 30 day eviction notice to almost all community-run images. They've now made an apology to 'clarify' a few details, and helpfully take some of the hard edges off, but this still highlights a big problem. Fortunately, there are solutions. As initially d...
HTTP Toolkit has been selected to receive another round of open-source funding from the EU! This aims to improve interception of HTTPS traffic from mobile apps, making it easier for both security/privacy researchers and normal technical users to inspect & manipulate the data that any app they use sends & receives. This funding will directly support...
HTTP is important on the web, but as other alternative protocols grow popular in networked applications, it's often important to be able to capture, debug and mock those too. I've been working on expanding HTTP Toolkit's support for this over the past year (as one part of a project funded by EU Horizon's Next Generation Internet initiative), to ext...
The world of decentralized web applications is an exciting place that has exploded in recent years, with technologies such as IPFS and Ethereum opening up possibilities for a peer-to-peer web - creating applications that live outside the traditional client/server model, where users interact with and control their own data directly. At the same time, ...
WebRTC allows two users on the web to communicate directly, sending real-time streams of video, audio & data peer-to-peer, from within a browser environment. It's exciting tech that's rapidly maturing, already forming the backbone of a huge range of video chat, screen sharing and live collaboration tools, but also as a key technology for decentrali...
Certificate transparency is a superb improvement to HTTPS certificate security on the web that's great for users and businesses, but on Android it creates a huge problem for the many developer tools like HTTP Toolkit which install trusted system certificates into Android to intercept & debug app traffic. This doesn't appear in the main announcements ...
The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small details about your client, and using it to create an id that's sufficiently unique to recognize you and infer details about your network client and device. This is a privacy problem, which I'm not going to focus o...
I get a lot of emails from users who want to know exactly what their favourite Android app is doing, and want to tweak and change how that works for themselves. There are some great tools to do this, including JADX & Frida, but using these is complicated, and every reverse engineering problem has its own unique challenges & solutions. There are few g...
If you run any large public-facing website or web application on the modern web, caching your static content in a CDN or other caching service is super important. It's also remarkably complicated and confusing. Fortunately, the HTTP working group at the Internet Engineering Task Force (IETF) is working to define new HTTP standards to make this bett...
Through the Next Generation Internet (NGI) initiative, HTTP Toolkit has been selected for funding from the EU's Horizon research & innovation program, to expand beyond HTTP and offer the same interception, debugging & testing functionality for applications built on top of the decentralized web. This is going to be a huge opportunity to invest in ex...
Pac-Resolver, a widely used NPM dependency, had a high-severity RCE (Remote Code Execution) vulnerability that could allow network administrators or other malicious actors on your local network to remotely run arbitrary code inside your Node.js process whenever you tried to send an HTTP request. This is bad! This package is used for PAC file suppor...
Today Node.js announced and released a security fix for CVE-2021-22939, along with two other high severity issues. They've rated this vulnerability as 'low severity', but I think it's worth a closer look, as (imo) this really understates the risk here, and the potentially widespread impact. In practice, this poses a risk to anybody making TLS conne...
There's been a lot of discussion recently about how "Safari is the new IE" (1, 2, 3, 4, 5). I don't want to rehash the basics of that, but I have seen some interesting rebuttals, most commonly: Safari is actually protecting the web, by resisting adding unnecessary and experimental features that create security/privacy/bloat problems. That is worth ...
Clarify rule logic, grouping & management
How to correctly read a string value from an outer scope within an async closure for Hyper in Rust
I'm trying to learn Rust, and trying to write some extremely simple web server code to do so. I thought I had ...
Comment by Tim Perry on How to correctly read a string value from an outer scope within an async closure for Hyper in Rust
That change all sounds sensible, but the code still has the same issue: the trait From> is not implemented for...
Comment by Tim Perry on How to correctly read a string value from an outer scope within an async closure for Hyper in Rust
No idea I'm afraid! In my case I get the trait From> is not implemented for Body unless I use Arc::clone(&mess...
Comment by Tim Perry on How to correctly read a string value from an outer scope within an async closure for Hyper in Rust
Phew, thank you, that's extremely helpful! There was still one tiny bug here, as the inner-most Arc::clone(&me...
Comment by Tim Perry on How to correctly read a string value from an outer scope within an async closure for Hyper in Rust
@ChayimFriedman, ok that's a useful clue! I've tried 10s of different ways though, I'm just very much out of m...
Support interception of Windows containers
Expose raw header data
Delightful gift arrived this morning from the https://tidelift.com team! Great to see their support for open-s...
Return promises from methods if no callback is provided
But no! This time it's $65/year, a couple of doc scans, a selfie with my passport, and done in less than 6...
Anyway, I'm ranting. End result: it was a massive pain, and the certs only last 3 years max, and that expir...
And to be clear, it's not like Spain doesn't have proper ways to do id checks - every person & bus...
Fortunately I was motivated, because until that was done, I literally couldn't ship software! What fun. It&...
Last time with Sectigo, it took 2 full weeks of daily hassle, required publishing my address & phone no in...
That's just where the fun begins though. Once you've paid, you need to get verified. If you're a Fo...
$539 every year! For a digital certificate, that's really just a tiny autogenerated file. If you're est...
Only a tiny set of CAs can issue Authenticode certs, and unlike web TLS, it's not domain verified, it'...
On Windows, if you ship a program that's not signed by an Authenticode cert, every user gets a massive war...
They're not paying me or anything, it's just I can't believe the difference. If you've nev...
I've repeatedly struggled through code signing cert setup, with both Digicert & Sectigo being huge pai...
Comment by Tim Perry on How can I debug a HTTP POST in Chrome?
It is 100% open-source. All source for everything is in the repos at github.com/httptoolkit under a mix of AGP...
Autogenerate OpenAPI/Swagger specs from intercepted traffic
Based in Paris right now, with options for a failover DC in Warsaw/Amsterdam. Would be a latency issue for the ...