Activity for pimterry.fyi
I'm speaking at @journalismarena.eu's Dataharvest conf in Belgium this weekend! I'll be teaching investigative journalists how to intercept, interpret & scrape mobile app network traffic, it's going to be a lot of fun. Anybody else I know here attending? Would be great to meet up #dataharvest26
Staged publishing for npm! Finally! I'm only just starting to test it now, but in theory at least this + trusted publishing could very significantly tighten up the security posture for lots of packages. Would be fantastic to see the current wave of attacks slow down a bit.
I've been thinking about simonomi.dev/blog/color-c.... Whipped up a quick prototype for HTTP Toolkit's hex view - what do you think? Interesting and more useful than monochrome, or just visually noisy? See if you can guess what each file type is here - answers in the alt text
Just created my first Azure account to migrate HTTP Toolkit from certs to Microsoft's new 'Artifact Signing' setup (azure.microsoft.com/en-us/produc...). The UI is eye opening... Flashback 10 years in UI, impossible navigation, endless "Please update from X"/"Did you know Y is now Z" banners, wow 😬
HTTP Toolkit is now on the @fsfe.org major donor list! fsfe.org/donate/thank... They're doing great work right now like fsfe.org/news/2026/ne... - if you're also keen on open platforms & interoperability do please donate to support them too ❤️
Damn I got this as well! Just assumed it was spam and ignored this (and the LinkedIn follow up) turns out I dodged a bullet
Finally bit the bullet and bought more RAM! The rumours are true, the prices really are excruciating, more than 4x the price I paid for the other stick 18 months back 🥲
In case you want to understand your TLS clients in depth from Node.js, there's a new v2 release of read-tls-client-hello now live: github.com/httptoolkit/... Also now supported on testserver.host at testserver.host/tls/client-h..., so you can test & debug clients themselves directly.
I've been playing around with agent-powered HTTP debugging - there's a lot of potential here... Even just with minimal data, Claude gets a really good understanding of flows very quickly, amazing for exploring. A quick summary of overall traffic & state flow across ~160 requests & responses:
Do I know anybody at GitHub who can help me get HTTP Toolkit into the student pack? I'm happy to do free accounts for students, I've filled out the form a couple of times - they never reply, but students keep endlessly emailing me to ask me if it's included.
Continuing the epic battle to fix TLS fingerprinting in Node (bsky.app/profile/pimt...), I opened two more PRs this week enabling cert compression in Node (github.com/nodejs/node/...) and direct native access to OpenSSL for addons (github.com/nodejs/node/...). With that, it's basically there!
Made my 2nd PR to OpenSSL: github.com/openssl/open.... More than any other project, I feel very cautious about OpenSSL contributions - code & setup is complicated & fiddly, I'm not familiar with their patterns, and boy oh boy is it high-profile if you break it. Hopefully this is an easy one though!
Wow, I sure am glad we have such diversity in the CSS world and that AIs consider all of the options fairly, instead of hypothetically being hyper focused on any specific library.
Magic link login is fine, session expiry is fine, but for the love of god please don't do both. If you have to re-auth every week, there is little more frustrating than blocking the process waiting for an email so I can click a button, over and over and over...
This looks very exciting: endowment.dev
Everybody's favourite "save me from myself" git hook (github.com/pimterry/git...) has the first new major feature in nearly 5 years: it'll now validate and catch unintended git pushes too
My AI code generation has decided it can generate an inline private key pair by itself, and I think we might be in trouble...
Being hit by my first DDOS attack right now, it's all quite exciting!!!
Just in case Shai-Hulud is making you paranoid as well, did you know you can link SSH keys to a Yubikey? ssh-keygen -t ed25519-sk -O resident -C "you@example.com" Requires a tap to confirm any git push. Even if malware steals your ssh key files, they're useless without the physical key.
These AWS & Cloudflare mega-outages are honestly embarrassing as an industry. Eugh. What are we doing??? We have so many tools & processes for ensuring reliability, but somehow two vendors can each single-handedly wipe everything out anytime.
The latest npm attacks & changes have pushed me to set up Trusted Publishing via GitHub Actions, and honestly it's actually fantastic. Didn't realise how much hassle & friction manual publishing was. npm version + push --tags is incredibly convenient (and safer + more verifiable for everyone!)