Skip to Content [alt-c]

Blog

December 2019

Programmatically Accessing Your Customers' Google Cloud Accounts (While Avoiding the Confused Deputy Problem)

April 2019

MTA-STS is Hard. Here's how DNS Providers Can Make it Awesome With Automation...

April 2018

Making Certificates Easier and Helping the Ecosystem: Four Years of SSLMate

March 2018

These Three Companies Are Doing the Internet a Solid By Running Certificate Transparency Logs

January 2018

Google's Certificate Revocation Server Is Down - What Does It Mean?

How will Certificate Transparency Logs be Audited in Practice?

September 2017

Why Man-in-the-Middle Detection is Overrated

January 2017

Thoughts on the Systemd Root Exploit

October 2016

Systemd is not Magic Security Dust

September 2016

How to Crash Systemd in One Tweet

February 2016

Domain Validation Vulnerability in Symantec Certificate Authority

December 2015

Duplicate Signature Key Selection Attack in Let's Encrypt

October 2015

I Don't Accept the Risk of SHA-1

August 2015

Hardening OpenVPN for DEF CON

March 2015

How to Responsibly Publish a Misissued SSL Certificate

October 2014

Renewing an SSL Certificate Without Even Logging in to My Server

September 2014

CloudFlare: SSL Added and Removed Here :-)

SHA-1 Certificate Deprecation: No Easy Answers

August 2014

STARTTLS Considered Harmful

July 2014

LibreSSL's PRNG is Unsafe on Linux [Update: LibreSSL fork fix]

June 2014

xbox.com IPv6 Broken, Buggy DNS to Blame

Titus Isolation Techniques, Continued

May 2014

Protecting the OpenSSL Private Key in a Separate Process

April 2014

Responding to Heartbleed: A script to rekey SSL certs en masse

December 2013

The Sorry State of Xpdf in Debian

October 2013

Verisign's Broken Name Servers Slow Down HTTPS for Google and Others

July 2013

ICMP Redirect Attacks in the Wild

March 2013

Running a Robust NTP Daemon

GCC's Implementation of basic_istream::ignore() is Broken

Why Do Hackers Love Namecheap and Hate Name.com?

February 2013

Easily Running FUSE in an Isolated Mount Namespace

December 2012

Insecure and Inconvenient: Gmail's Broken Certificate Validation

November 2012

Beware the IPv6 DAD Race Condition

Working Around the HE/Cogent IPv6 Peering Dispute

Security Pitfalls of setgid Programs

How FUSE Can Break Rsync Backups

Remote SSH Commands and Broken Connections