Watch A Web Page Fetch Itself Over TLS, Complete With Commentary

TLS, byte by byte performs an unusual and interesting function: it fetches itself over HTTPS, and provides a complete annotation of what’s going on in the process, one byte at a time. Visit the site and give the button a click to watch it happen, it’s neat!

Transport Layer Security (TLS) is what’s responsible for encrypting traffic over the internet, and it’s normally implemented on top of TCP to encrypt an application-layer protocol like HTTP (resulting in HTTPS and the little padlock icon in browsers indicating a connection with a web site is encrypted.) Back in the day, traffic over the internet was commonly unencrypted, but nowadays no communication or hardware is too humble for encryption and methods are easily accessible.

So for what purpose would someone actually need or use such an implementation of TLS? Well, probably no one actually needs it. But it is a userspace TLS implementation in javascript that may fit a niche for someone, and it certainly provides beautifully-indented and annotated binary data in the process. Sound up your alley? The GitHub repository for the project has all the details, so give it a look.

12 thoughts on “Watch A Web Page Fetch Itself Over TLS, Complete With Commentary

  1. And now we do this crazy handshake for all the every photo we transfer and other nonsense social media yadayada we do not protect at all and waste energy around the globe. I wonder how much pollution HTTPS causes each day.

    Just because 0.01% of traffic actually needs encryption.

    FFS.

    1. The thing is, if you only encrypt the important traffic you are marking it as worthy of attention to a bad actor. For this reason some high security diplomatic circuits carry encrypted traffic for commercial carriers to make the significant messages hard to discover. I believe David Kahn mentions this technique in his book ‘The Codebreakers’.

      That said, I find the tendency to encrypt everything annoying on occasions when deep diving IP traffic.

    2. HTTPS prevents MitM attacks (Man in the Middle) and it protects your privacy. With such an attack even hacking simple websites could in the end lead to big trouble and loss of money or confidential info. Luckily computers have become very efficient at doing TLS, to prevent energy waste it’s better to stop bitcoin etc.

      1. Yet it isn’t. Cisco Umbrella “security” product does this all the time. How else they could sniff what you are browsing through?

        I reclaim: 0.01% of our traffic actually needs to be encrypted or protected.

        1. TLS Intercept in Cisco Umbrella’s “Intelligent Proxy” function (enabled with a Secure Internet Gateway SKU) requires client machines to trust the Cisco Umbrella root certificate.
          While admins can auto-deploy that for certain browsers, without it, Umbrella can only block/permit traffic based on the domain names and (if the client/agent is installed) client applications involved.

          Having said that, I don’t necessarily disagree with your assertion about HTTPS for everything under the sun. I’ve worked in infosec for 25 years and would rather my org’s activity be broadly encrypted than not, even when it may not always make sense to do so.

    3. (Second attempt, so this might appear twice).

      If you only encrypt important messages you are flagging them to third party bad actors as being worthy of attention. Some diplomatic secure circuits used to carry commercial traffic as fillers so that the important messages would be ‘lost in the noise’. I believe this technique was described in David Kahn’s book ‘The Codebreakers’.

    4. We need to encrypt all and everything to make the live for TLA and other actors like the big G… as hard as possible. I don’t want ANYBODY to know which article i am reading on an online news site or Wikipedia and so on, even if the *content* of the article(s) are public!

      FFS.

        1. The cookies are a different kind of thing, i know about them (and Javascript from G… and others and so on) and how to fight them. I was thinking about the HTTP GET requests, if the traffic is not encrypted “everybody” (who has access to the/your internet traffic) can see exactly what you are looking for on a website. If it is encrypted it is only possible to see “He is going to HaD” but all the GET request and all the data is encrypted.
          BTW, don’t use 8.8.8.8 (Google DNS). They can not see the details but knowing you are going to $some_website is more than enough / too much data to be logged already. There are alternatives.

    5. I too want to live in a surveillance state where anyone and everyone can see everything I do. I want to be surveilled by government actors, advertisers, and political entities. I want to be datamined by everybody even harder than I already am. I think we should get rid of passwords too.

      I’m going to multiply your percentage by 1000 to give you a fighting chance. Can you explain why you think only 10% of traffic should be encrypted? The silicon we use every day has cryptographic acceleration built into the die, even a mid range CPU from 5 years ago can tear through 3,000MB of AES256 per second per CPU core!

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.