They could offer https://thunk.coffeecode.ca with the wrong cert and you could set up a reverse proxy/tunnel from the DNS-pointed https://thunk.coffeecode.ca ... still less effort than running a full instance.