Security bulletin · HR-2026-061
Independent TLS Audit: midiox.com
Observable transport-security review of the official MIDI-OX website. No exploit claims. No malware accusations. Just certificates, clocks, and the sad geometry of abandonware.
- Auditor: Absolutely Nobody LLP
- Commissioned by: Half Radiation LLC
- Observed: 29 Jun 2026 UTC
- Overall grade: F (would not SysEx)
Executive summary
MIDI-OX is legendary Windows MIDI freeware. Its official
site, midiox.com, is how thousands of synth owners still
find downloads sixteen years after the last listed release.
As of this audit, HTTPS does not work on either
www.midiox.com or midiox.com.
The server presents a TLS certificate issued for *.hostingplatform.com
that expired on 12 September 2022. Plain HTTP responds
normally. Browsers that enforce certificate validation cannot establish a trusted connection.
The downloadable utility itself was last listed as MIDI-OX 7.0.2 (17-JUN-10). The site's own footer still reads "page was last modified on 10-26-2018."
Findings
| ID | Check | Result | Severity |
|---|---|---|---|
| F-01 | TLS hostname match (www.midiox.com) | FAIL — hostname mismatch | Critical |
| F-02 | TLS hostname match (midiox.com) | FAIL — hostname mismatch | Critical |
| F-03 | Certificate validity window | EXPIRED 2022-09-12 | Critical |
| F-04 | Certificate subject / SAN | `CN=*.hostingplatform.com`; SAN: `*.hostingplatform.com`, `hostingplatform.com` | High |
| F-05 | HTTP fallback (http://www.midiox.com/) | HTTP 200 — site loads unencrypted | High |
| F-06 | Listed software version (app.htm) | MIDI-OX 7.0.2 — 17-JUN-10 | Info |
| F-07 | On-page "last modified" footer | 10-26-2018 | Info |
Certificate observed on port 443
subject: CN=*.hostingplatform.com
issuer: CN=Sectigo RSA Domain Validation Secure Server CA
O=Sectigo Limited
notAfter: 2022-09-12 23:59:59 UTC
SAN: *.hostingplatform.com, hostingplatform.com
openssl / Python ssl default context:
[SSL: CERTIFICATE_VERIFY_FAILED]
Hostname mismatch, certificate is not valid for 'www.midiox.com'
Reproduce it yourself
Run these from any machine with OpenSSL or Python 3. We did not bypass browser warnings or install anything from the site.
# Should fail (expected):
curl -I https://www.midiox.com/
# Shows the wrong cert + expiry (inspect manually):
openssl s_client -connect www.midiox.com:443 -servername www.midiox.com
# Plain HTTP works:
curl -I http://www.midiox.com/app.htm
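
To see why F-01 through F-03 are separate findings, the two checks can be run offline against the certificate fields reported above. This is an added example, not part of the original bulletin; `OBSERVED_CERT`, `san_matches` and `audit` are hypothetical names, and the dict is constructed from the bulletin's reported values.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: the fields reported in this bulletin, arranged in the
# dict shape ssl.SSLSocket.getpeercert() returns for a validated peer.
OBSERVED_CERT = {
    "subject": ((("commonName", "*.hostingplatform.com"),),),
    "notAfter": "Sep 12 23:59:59 2022 GMT",
    "subjectAltName": (
        ("DNS", "*.hostingplatform.com"),
        ("DNS", "hostingplatform.com"),
    ),
}


def san_matches(pattern, hostname):
    """Match one DNS SAN entry; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans dots, so label counts must agree
    if p[0] == "*":
        # Require at least two fixed labels so a bare "*.com" style entry is refused.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit(cert, hostname, now):
    """Return the transport findings for `hostname` at tz-aware time `now`."""
    findings = []
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(name, hostname) for name in dns_names):
        findings.append("hostname-mismatch")  # F-01 / F-02
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")  # F-03
    return findings


if __name__ == "__main__":
    observed = datetime(2026, 6, 29, tzinfo=timezone.utc)  # audit date above
    for host in ("www.midiox.com", "midiox.com"):
        print(host, audit(OBSERVED_CERT, host, observed))
```

On a live connection `getpeercert()` returns an empty dict when verification is disabled, so a failing host's certificate has to be fetched with `binary_form=True` and parsed separately before it can be fed to a check like this.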
What we are not claiming
- We did not reverse-engineer MIDI-OX binaries or allege tampering with installers.
- We are not affiliated with John O'Donnell, MIDI-OX, or midiox.com.
- Third-party mirrors (e.g. community preservation sites) are out of scope for this bulletin.
- MIDI-OX remains capable freeware on many Windows installs. This report is about the website, not the author's legacy.
Why we bothered
Vintage synth owners still route irreplaceable factory SysEx dumps through tools and download pages frozen in the Windows XP era. If the front door certificate expired four years ago and HTTPS is broken, maybe it is time for a backup utility that does not require trusting a hostname mismatch.
We build knob.monster, a browser-native SysEx librarian. No install. No expired wildcard cert from a defunct host. Compare features in our MIDI-OX write-up or read our satirical Form 10-K.