Moxie Marlinspike Has a Plan to Reclaim Our Privacy | The New Yorker

Taking Back Our Privacy

Moxie Marlinspike, the founder of the end-to-end encrypted messaging service Signal, is “trying to bring normality to the Internet.”

via The New Yorker: https://www.newyorker.com/magazine/2020/10/26/taking-back-our-privacy

In Pittsburgh, Marlinspike uncovered an Internet vulnerability that affected nearly every popular browser. It enabled malicious actors to mount what is called a “man-in-the-middle attack”—a type of exploit in which the attacker can view and potentially alter communications between two parties and siphon data, such as log-in credentials, without detection. In 2009, Marlinspike presented the vulnerability at Black Hat D.C., an annual security conference in Washington. He took the opportunity to politely criticize the keynote speaker, Paul Kurtz, a homeland-security expert who had served under Presidents Bill Clinton and George W. Bush, and who had spoken about the need for the U.S. to take “leadership in cyberspace,” arguing for collaboration among the N.S.A., law enforcement, and private industry. “You know,” Marlinspike said during his presentation, “ten years ago, I feel like we would have been talking about protecting our communications from the state and the cops—not centralizing them in the hands of the state and the cops.” He paused. “So I think a lot has changed.” At the end of his talk, he released a new tool, SSLstrip, that automatically mounted man-in-the-middle attacks using the vulnerability he had discovered. SSLstrip elevated Marlinspike to expert status. These days, according to Dan Boneh, a cryptographer and a professor at Stanford, the practice of exposing vulnerabilities so that they can be fixed by other engineers, as SSLstrip has done, is “the bread and butter of computer security.” Boneh, who teaches SSLstrip to his undergraduate students, told me, “It changed how browsers work. His attack caused the Web to change.”