So, it seems like the official snapper website, snapper[.]io, is still http-only.
As you likely know, http-only allows bad actors to trivially inject malicious content into any web page served like this.
Why this is so bad right now: So far, in 2026, we've found out that all iOS devices too old to upgrade to iOS 26 are now permanently vulnerable to an attack that only requires a user to view some text on a webpage.
Also, we have seen the mass deployment of AI Agents in many forms across orgs, and among users; and the primary security issue with AI as a whole is dangerous text from websites and users getting fed into their input context. Many of them also do not have special handling for http-only content, unlike modern browsers that at least warn users of the danger (though, most choose to ignore it).
It would not be unreasonable to assume that a link provided in the official documentation for a major tool like this should be trusted. However, that is unfortunately not currently the case.
This link is included, by default, on millions of Linux systems worldwide (SUSE Enterprise, OpenSUSE, CachyOS, etc.), and hundreds of millions more are exposed via the package available in their secure repos (and even in the package metadata, because it's the homepage!).
I assume the issue is likely because no one is quite sure where the site credentials are, or perhaps they assume the problem has already been resolved.
Note: I am waxing poetic on this matter because it has been reported and discussed more than a dozen times since the first reported 9 years ago. However, all of those conversations fizzled out, and early last year, they were all erroneously closed as "COMPLETED", which is not at all the case.
I implore you: this is a real issue, with real world consequences, waiting as a landmine on many millions of computers. It deserves to be taken seriously. Please track down whoever has the site credentials stashed away, and add https support to the site. 🙏
So, it seems like the official snapper website, snapper[.]io, is still http-only.
As you likely know, http-only allows bad actors to trivially inject malicious content into any web page served like this.
Why this is so bad right now: So far, in 2026, we've found out that all iOS devices too old to upgrade to iOS 26 are now permanently vulnerable to an attack that only requires a user to view some text on a webpage.
Also, we have seen the mass deployment of AI Agents in many forms across orgs, and among users; and the primary security issue with AI as a whole is dangerous text from websites and users getting fed into their input context. Many of them also do not have special handling for http-only content, unlike modern browsers that at least warn users of the danger (though, most choose to ignore it).
It would not be unreasonable to assume that a link provided in the official documentation for a major tool like this should be trusted. However, that is unfortunately not currently the case.
This link is included, by default, on millions of Linux systems worldwide (SUSE Enterprise, OpenSUSE, CachyOS, etc.), and hundreds of millions more are exposed via the package available in their secure repos (and even in the package metadata, because it's the homepage!).
I assume the issue is likely because no one is quite sure where the site credentials are, or perhaps they assume the problem has already been resolved.
Note: I am waxing poetic on this matter because it has been reported and discussed more than a dozen times since the first reported 9 years ago. However, all of those conversations fizzled out, and early last year, they were all erroneously closed as "COMPLETED", which is not at all the case.
I implore you: this is a real issue, with real world consequences, waiting as a landmine on many millions of computers. It deserves to be taken seriously. Please track down whoever has the site credentials stashed away, and add https support to the site. 🙏