Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git‑Confirm and notes.

HTTP is important on the web, but as other alternative protocols grow popular in networked applications, it's often important to be able to capture, debug and mock those too. I've been working on expanding HTTP Toolkit's support for this over the past year (as one part of a project funded by EU Horizon's Next Generation Internet initiative), to ext...
The world of decentralized web applications is an exciting place that has exploded in recent years, with technologies such as IPFS and Ethereum opening up possibilities for a peer-to-peer web - creating applications that live outside the traditional client/server model, where users interact with and control their own data directly. At the same time, ...
WebRTC allows two users on the web to communicate directly, sending real-time streams of video, audio & data peer-to-peer, from within a browser environment. It's exciting tech that's rapidly maturing, already forming the backbone of a huge range of video chat, screen sharing and live collaboration tools, but also as a key technology for decentrali...
Certificate transparency is a superb improvement to HTTPS certificate security on the web that's great for users and businesses, but on Android it creates a huge problem for the many developer tools like HTTP Toolkit which install trusted system certificates into Android to intercept & debug app traffic. This doesn't appear in the main announcements ...
The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small details about your client, and using it to create an id that's sufficiently unique to recognize you and infer details about your network client and device. This is a privacy problem, which I'm not going to focus o...
I get a lot of emails from users who want to know exactly what their favourite Android app is doing, and want to tweak and change how that works for themselves. There are some great tools to do this, including JADX & Frida, but using these is complicated, and every reverse engineering problem has its own unique challenges & solutions. There are few g...
If you run any large public-facing website or web application on the modern web, caching your static content in a CDN or other caching service is super important. It's also remarkably complicated and confusing. Fortunately, the HTTP working group at the Internet Engineering Task Force (IETF) is working to define new HTTP standards to make this bett...
Through the Next Generation Internet (NGI) initiative, HTTP Toolkit has been selected for funding from the EU's Horizon research & innovation program, to expand beyond HTTP and offer the same interception, debugging & testing functionality for applications built on top of the decentralized web. This is going to be a huge opportunity to invest in ex...
Pac-Resolver, a widely used NPM dependency, had a high-severity RCE (Remote Code Execution) vulnerability that could allow network administrators or other malicious actors on your local network to remotely run arbitrary code inside your Node.js process whenever you tried to send an HTTP request. This is bad! This package is used for PAC file suppor...
Today Node.js announced and released a security fix for CVE-2021-22939, along with two other high severity issues. They've rated this vulnerability as 'low severity', but I think it's worth a closer look, as (imo) this really understates the risk here, and the potentially widespread impact. In practice, this poses a risk to anybody making TLS conne...
There's been a lot of discussion recently about how "Safari is the new IE" (1, 2, 3, 4, 5). I don't want to rehash the basics of that, but I have seen some interesting rebuttals, most commonly: Safari is actually protecting the web, by resisting adding unnecessary and experimental features that create security/privacy/bloat problems. That is worth ...
Once upon a time, loading common scripts & styles from a public CDN like cdnjs or Google's Hosted Libraries was a 'best practice' - a great way to instantly speed up your page loads, optimize caching, and reduce costs. Nowadays, it's become a recipe for security, privacy & stability problems, with near-zero benefit. Just last week, a security resea...
Some Android apps go to astounding lengths to ensure that even the owner of a device can never see the content of the app's HTTPS requests. This is problematic for security research, privacy analysis and debugging, and for control over your own device in general. It's not a purely theoretical problem either - protections like this attempt to direct...
HTTP content encoding is an incredibly powerful tool that can save you huge amounts of bandwidth and make your web or mobile application faster, basically for free. Unfortunately, it's poorly understood by most developers. There's a lot of power here, but few people are aware of the options or what "content encoding" really means, so it's mostly le...
Looks like there's an OpenSSL fork with ECH already implemented on top of this - just as a PoC for now - b...
ECH is going to be a big jump forward for privacy, and against domain-based network blocking (along with DNS-o...
OpenSSL just merged https://github.com/openssl/openssl/pull/17172 which implements HPKE, which is most notably...
Support directly generating Postman Collections JSON
Took a good look at self-hosting #Gotosocial to run my own little corner of the #Fediverse over the weekend. Ea...
Just finished the final wrap-up call for #NGIPointer (@EC_NGI). It's been a good year - really interesting ...
Honestly it's amazing this thing hasn't gone down yet 🚀 (from https://bitcoinhackers.org/@mastodonuser...
My Twitter archive has been stuck 'processing' for 3 days now 😬
I've been waiting literally forever for https://Frame.Work to start shipping laptops in Spain to replace m...
The exodus to Mastodon & the Fediverse has bumped the number of registered .social domains by 10% in just ...
For bonus fun, I'm doing this purely over HTTP, with the Docker engine API, and generating & streaming...
Define an entirely empty image:
FROM scratch
ENTRYPOINT ["FAIL"]
Build & create a container from th...
Playing silly games with Docker... How can you write directly to a Docker volume from the host, in a way that w...
Going to wrap this all up and create a little multi-server toy Fediverse anybody can run (and intercept & ...
Looking under the hood of the Fediverse! I've now got a working setup with Mastodon + Docker + HTTP Toolkit...
They're taking feedback on the proposal via https://ec.europa.eu/info/law/better-regulation/have-your-say/...
Of course, I'm absolutely on board with improving cybersecurity around key infra, but the collateral damag...
That seems obviously absurd, and yet the proposed legislation is quite clear about it! Any commercial activity ...
My understanding is that this strongly implies if you are e.g. regularly receiving $10/month on GitHub sponsor...
https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/ is terrifying! This appears to effe...
Answer by Tim Perry for Spotify gives corrupted data in HTTP Toolkit
This data is not corrupted; it's just not in the format you want. You can see the format by looking at the con...
Comment by Tim Perry on raw decoder for protobufs format
This doesn't seem to be available any more :-(
Also, anybody tried Pleroma, or other alternatives, that might be more lightweight to make self-hosting cheape...
Answer by Tim Perry for Proxying connections from a set-top box
There are a few ways to capture local network traffic like this, including ARP Spoofing (where you send fake ARP...