Blog
June 2023
The Story Behind Last Week's Let's Encrypt Downtime
The Difference Between Root Certificate Authorities, Intermediates, and Resellers
January 2023
The SSL Certificate Issuer Field is a Lie
whoarethey: Determine Who Can Log In to an SSH Server
December 2022
No, Google Did Not Hike the Price of a .dev Domain from $12 to $850
Checking if a Certificate is Revoked: How Hard Can It Be?
May 2022
Parsing a TLS Client Hello with Go's cryptobyte Package
April 2022
How I'm Using SNI Proxying and IPv6 to Share Port 443 Between Webapps
January 2022
Comcast Shot Themselves in the Foot with MTA-STS
November 2021
It's Now Possible To Sign Arbitrary Data With Your SSH Keys
July 2021
How Certificate Transparency Logs Fail and Why It's OK
December 2020
Security Vulnerabilities in Smallstep PKI Software
November 2020
The Lengths People Go To Just To Avoid DNSSEC
June 2020
Writing an SNI Proxy in 115 Lines of Go
Security Review of CFSSL Signer Code
May 2020
Fixing the Breakage from the AddTrust External CA Root Expiration
February 2020
Short Take: Why Trust-On-First-Use Doesn't Work (Even for SSH)
When Will Your DNS Record Be Published?
January 2020
This Is Why You Always Review Your Dependencies, AGPL Edition
December 2019
Preventing Server Side Request Forgery in Golang
April 2019
MTA-STS is Hard. Here's how DNS Providers Can Make it Awesome With Automation...
April 2018
Making Certificates Easier and Helping the Ecosystem: Four Years of SSLMate
March 2018
These Three Companies Are Doing the Internet a Solid By Running Certificate Transparency Logs
January 2018
Google's Certificate Revocation Server Is Down - What Does It Mean?
How will Certificate Transparency Logs be Audited in Practice?
September 2017
Why Man-in-the-Middle Detection is Overrated
January 2017
Thoughts on the Systemd Root Exploit
October 2016
Systemd is not Magic Security Dust
September 2016
How to Crash Systemd in One Tweet
February 2016
Domain Validation Vulnerability in Symantec Certificate Authority
December 2015
Duplicate Signature Key Selection Attack in Let's Encrypt
October 2015
I Don't Accept the Risk of SHA-1
August 2015
March 2015
How to Responsibly Publish a Misissued SSL Certificate
October 2014
Renewing an SSL Certificate Without Even Logging in to My Server
September 2014
CloudFlare: SSL Added and Removed Here :-)
SHA-1 Certificate Deprecation: No Easy Answers
August 2014
July 2014
LibreSSL's PRNG is Unsafe on Linux [Update: LibreSSL fork fix]
June 2014
xbox.com IPv6 Broken, Buggy DNS to Blame
Titus Isolation Techniques, Continued
May 2014
Protecting the OpenSSL Private Key in a Separate Process
April 2014
Responding to Heartbleed: A script to rekey SSL certs en masse
December 2013
The Sorry State of Xpdf in Debian
October 2013
Verisign's Broken Name Servers Slow Down HTTPS for Google and Others
July 2013
ICMP Redirect Attacks in the Wild
March 2013
GCC's Implementation of basic_istream::ignore() is Broken
Why Do Hackers Love Namecheap and Hate Name.com?
February 2013
Easily Running FUSE in an Isolated Mount Namespace
December 2012
Insecure and Inconvenient: Gmail's Broken Certificate Validation
November 2012
Beware the IPv6 DAD Race Condition
Working Around the HE/Cogent IPv6 Peering Dispute
Security Pitfalls of setgid Programs