I’ve been saying “For Teh Securitah!” to describe/mock this phenomenon since at least 2017, when Firefox 57 came out and dropped support for a large percentage of its extension ecosystem.

But a youtuber named suckerpunch / tom7 has come up with a label for it, which I absolutely adore:

“Toxic Max Security”

I hope it catches on just like “enshittification” has. Let’s make that happen.

I have two videos I’d like to share today. First is suckerpinch’s latest masterpiece of hackery, where he coins this term while a) totally undermining SSL and b) ensuring his website still has the green padlock (because a green padlock is what’s important, you see):

(aside: suckerpinch has a few really great videos. I’ve been watching his stuff for ages. I especially recommend the “reverse emulating the NES” one)

…Which reminded me of this talk I watched a while back, which goes over a bunch of examples of Toxic Max Security and some of the problems caused by this dogma:

(This video also contains one of the sickest burns of all time, at ~20:41: “Rust was intented to be used to win arguments against C, whereas C was intended to produce software”)

And here are a couple of my pet peeves, antipatterns, and anecdotes around Toxic Max Security, in no particular order:

• Software refusing to do things like connect to servers which only support old versions of encryption protocols / keys / etc, sometimes with no “proceed anyway” button. I’ve seen this in a few places, including in places where you’d expect the devs to know better, like ssh (which does have an option to enable older protocols, but it’s hidden in a config file rather than “do you want to proceed anyway (y/N)?”).

  It is an antipattern when software developers assume they know better than users what the risks are and whether they’re OK to accept. It’s not a problem to use an old encryption protocol if I’m connecting to the machine over a LAN or VPN and it’s not publicly accessible

• Making up vague fearmongering “for teh securitah” excuses because you want to deprecate something that’s no longer shiny

• Here’s a great example of a toxic-max-security-bro chastising me for the crime of running software that’s three whole years old :gasp:. He proceeds to label it “very dangerous” and tells me that there are “there are at least five actively exploited vulnerabilities in the chromium engine that you’re vulnerable to”.

  It may be worth noting that this is after I have already said that I’ve looked at the CVE list and determined that none of them affect me.

  In the message after the one I linked to, you’ll see that I ask for more detail than none at all on exactly why/how it’s “very dangerous”, and pointing out that I’ve looked at the CVE list but didn’t see any that affect me, but conceding that maybe I missed something.

  And if you scroll down to the message after that, you’ll see that rather than respond to my questions asking for >0 detail on what exactly is “very dangerous”, the person who made that claim simply labels my request for >0 information as “the boring parts” of my message, moves on, and makes no attempt whatsoever to respond to my questions.

  For extra bonus points, if you keep reading, you’ll note that finally he deigns to actually investigate the issue because his fearmongering didn’t work, and quickly determines that the issue had nothing to do with my criminal browser version, but was actually with the user agent switcher extension I was using (and which I mentioned that I use in my second message, because I thought it might be the problem). Upgrading my browser would not have solved the issue, and once they bothered to actually investigate, the anubis people realised that there was an issue with the way they were doing things, and made a change to accommodate this situation. The whole “Very dangerous” thing that took up what felt like 700 messages and garnered me like a hundred “thumbs down” emojis? Completely unrelated to the issue I raised, instead it was a thing I mentioned in my second message that was ignored because “Teh Securitah!”.

  Using “teh securitah!” as a catch-all panacea to create busy-work for users and to avoid investigating issues is an antipattern.

  (For the record, the actual maintainer/owner of anubis, Xe, was very nice, and did not engage in this conduct – It’s not everyone, just most of the cargo cult)

• I hereby refer you to every single post ever written anywhere ever making a case for switching to the broken, beta-quality, hilariously late, incompatible mess that is wayland. [1] [2] [3] [4]
• And while I was looking through my history for examples of the above, I found this fun regurgitation of toxic max security mantra. This got me thinking, and I don’t think I’ve ever seen one of these people actually respond when challenged. If I give people the benefit of the doubt, I think it’s mostly just the cargo cult culture which is rife in the industry, but in my more cynical moments I think it’s something more intentional.

Share Tom’s video! And for a more serious approach, share Eskil’s talk! Let’s see if we can get “Toxic Max Security” into the lexicon, like it deserves to be!