If the "spies" really did "steal" (i.e. copy) an engine design then it seems like a good thing for the world in general. They have helped spread useful knowledge.
Sure, it's bad for the would-be rent-seekers whose plans have been threatened. Why should anyone else care about them?
> assumptions about who is responsible for data security.
The chief assumption appears to be "anyone but the browser vendors". Let us consult the article:
BeEF
This, to me, was the most impactful demo
Quite the endorsement. So what's BeEF's angle?
"...examines exploitability within the context of the one open door: the web browser."
There could hardly be a clearer expression of contempt for the browser vendors' offerings. But remember, the "open door" is nothing to do with them, it's all your fault for not serving via HTTPS.
While I don't doubt dataskydd's good intentions, their advice about referrers is a sign that we live in Clown World.
Yes, your browser's tendency to provide a referrer might well give away information you would prefer it didn't. Unfortunately for you, the browser vendors have chosen to provide browsers that do that.
In a parallel universe it would be obvious that this is a problem (among many) for the browser vendors to address. In Clown World, you are supposed to rely on each and every site providing a special response header.
Yet they have numerous defenders on this site, all the more peculiar considering those companies' collusion to avoid paying market rates to developers. The preference to be a sharecropper on their plantations is evidently strong, for no very clear reason.
And let us not forget the EU's efforts to support incumbents and deter new entrants, with their complex, vague and punitive regulations. These also receive much approval here; perhaps a fruitful field for study by some enterprising psychologists!
> To me it felt rogue since it had been generated without me knowing nor expecting it
That's understandable. Fastmail do the same, i.e. acquiring certs for their customers' domains without asking or informing, with a view to moving them to HTTPS.
The general opinion here seems to be in favour of this practice. So we can look forward to a future where your domain may publish on the web only with the permission of a CA.
Not the SSL certificate for your domain, which Fastmail will acquire with or without your prior knowledge or consent, and to which you have no access or control.
In case it's news to others, as it was to me, Fastmail routinely acquires SSL certificates for its customers' domains without their knowledge or consent.