Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git‑Confirm and notes.

HTTP is important on the web, but as other alternative protocols grow popular in networked applications, it's often important to be able to capture, debug and mock those too. I've been working on expanding HTTP Toolkit's support for this over the past year (as one part of a project funded by EU Horizon's Next Generation Internet initiative), to ext...
The world of decentralized web applications is an exciting place that has exploded in recent years, with technologies such as IPFS and Ethereum opening up possibilities for a peer-to-peer web - creating applications that live outside the traditional client/server model, where users interact and control their own data directly. At the same time, ...
WebRTC allows two users on the web to communicate directly, sending real-time streams of video, audio & data peer-to-peer, from within a browser environment. It's exciting tech that's rapidly maturing, already forming the backbone of a huge range of video chat, screen sharing and live collaboration tools, but also as a key technology for decentrali...
Certificate transparency is a superb improvement to HTTPS certificate security on the web that's great for users and businesses, but on Android it creates a huge problem for the many developer tools like HTTP Toolkit which install trusted system certificates into Android to intercept & debug app traffic. This doesn't appear in the main announcements ...
The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small details about your client, and using it to create an id that's sufficiently unique to recognize you and infer details about your network client and device. This is a privacy problem, which I'm not going to focus o...
I get a lot of emails from users who want to know exactly what their favourite Android app is doing, and want to tweak and change how that works for themselves. There are some great tools to do this, including JADX & Frida, but using these is complicated, and every reverse engineering problem has its own unique challenges & solutions. There are few g...
If you run any large public-facing website or web application on the modern web, caching your static content in a CDN or other caching service is super important. It's also remarkably complicated and confusing. Fortunately, the HTTP working group at the Internet Engineering Task Force (IETF) is working to define new HTTP standards to make this bett...
Through the Next Generation Internet (NGI) initiative, HTTP Toolkit has been selected for funding from the EU's Horizon research & innovation program, to expand beyond HTTP and offer the same interception, debugging & testing functionality for applications built on top of the decentralized web. This is going to be a huge opportunity to invest in ex...
Pac-Resolver, a widely used NPM dependency, had a high-severity RCE (Remote Code Execution) vulnerability that could allow network administrators or other malicious actors on your local network to remotely run arbitrary code inside your Node.js process whenever you tried to send an HTTP request. This is bad! This package is used for PAC file suppor...
Today Node.js announced and released a security fix for CVE-2021-22939, along with two other high severity issues. They've rated this vulnerability as 'low severity', but I think it's worth a closer look, as (imo) this really understates the risk here, and the potentially widespread impact. In practice, this poses a risk to anybody making TLS conne...
There's been a lot of discussion recently about how "Safari is the new IE" (1, 2, 3, 4, 5). I don't want to rehash the basics of that, but I have seen some interesting rebuttals, most commonly: Safari is actually protecting the web, by resisting adding unnecessary and experimental features that create security/privacy/bloat problems. That is worth ...
Once upon a time, loading common scripts & styles from a public CDN like cdnjs or Google's Hosted Libraries was a 'best practice' - a great way to instantly speed up your page loads, optimize caching, and reduce costs. Nowadays, it's become a recipe for security, privacy & stability problems, with near-zero benefit. Just last week, a security resea...
Some Android apps go to astounding lengths to ensure that even the owner of a device can never see the content of the app's HTTPS requests. This is problematic for security research, privacy analysis and debugging, and for control over your own device in general. It's not a purely theoretical problem either - protections like this attempt to direct...
HTTP content encoding is an incredibly powerful tool that can save you huge amounts of bandwidth and make your web or mobile application faster, basically for free. Unfortunately, it's poorly understood by most developers. There's a lot of power here, but few people are aware of the options or what "content encoding" really means, so it's mostly le...
Answer by Tim Perry for How to get API requests from Android mobile app (I am not it's developer)?
Do you have root access? To intercept an Android app really your only options really are root access (and chan...
Answer by Tim Perry for How can I see the entire HTTP request that's being sent by my Python application?
You can use HTTP Toolkit to do exactly this. It's especially useful if you need to do this quickly, with no co...
New repo: httptoolkit/anonymizing-reverse-proxy
Ran into a bona-fide Git bug in the wild today! There's a first. Mostly just highlights how impressive it i...
Allow probabilistic rules
Allow simulating ongoing network connection issues
The only real issue was the speakers, which needed the commands from https://www.guyrutenberg.com/2022/06/07/p...
Software 95% working right OOTB with Regolith v2 (https://regolith-desktop.com/), i.e. Ubuntu + tiling WM &...
End result: it works well, keyboard feels really excellent, great build quality overall. All feels remarkably ...
The hardware really feels revolutionary. Even with desktop PCs, it's not hard, but you do need to know the ...
Going splendidly so far - 'DIY' took 5 minutes max, all easy and well thought through. There's some...
Happy (un)boxing day to me! It's finally time to replace my 5 year old Thinkpad with a shiny new DIY Framew...
Ship native builds of all components for Mac M1 / ARM64
Build for Node v19
Answer by Tim Perry for Trying to Inject a JavaScript into webpage using mockttp
Mockttp aside, from this error by itself you can tell that somewhere you're trying to read X.replace for an X ...
Comment by Tim Perry on HTTP TOOLKIT - Can HTTP TOOLKIT intercept ALL network of the whole computer like Fiddler?
That's planned, but there's no specific date yet. You can add a 👍 to vote for issues to prioritize in the GitH...
Answer by Tim Perry for HTTP TOOLKIT - Can HTTP TOOLKIT intercept ALL network of the whole computer like Fiddler?
Yes, you can use it to intercept all traffic from your computer. The only difference is that unlike other buil...
Comment by Tim Perry on How to access http-toolkit packets programmatically using python?
No - it's totally possible to intercept an Android device with Mockttp, but you'll need to do the setup for th...
Answer by Tim Perry for How to access http-toolkit packets programmatically using python?
Within HTTP Toolkit itself, this isn't possible right now, but it is planned in future. You can +1 on the issu...
Looks like there's an OpenSSL fork with ECH already implemented on top of this - just as a PoC for now - b...
ECH is going to be a big jump forward for privacy, and against domain-based network blocking (along with DNS-o...
OpenSSL just merged https://github.com/openssl/openssl/pull/17172 which implements HPKE, which is most notably...