June 2023

The Story Behind Last Week's Let's Encrypt Downtime

The Difference Between Root Certificate Authorities, Intermediates, and Resellers

January 2023

The SSL Certificate Issuer Field is a Lie

whoarethey: Determine Who Can Log In to an SSH Server

December 2022

No, Google Did Not Hike the Price of a .dev Domain from $12 to $850

Checking if a Certificate is Revoked: How Hard Can It Be?

May 2022

Parsing a TLS Client Hello with Go's cryptobyte Package

April 2022

How I'm Using SNI Proxying and IPv6 to Share Port 443 Between Webapps

January 2022

Comcast Shot Themselves in the Foot with MTA-STS

November 2021

It's Now Possible To Sign Arbitrary Data With Your SSH Keys

July 2021

How Certificate Transparency Logs Fail and Why It's OK

December 2020

Security Vulnerabilities in Smallstep PKI Software

November 2020

The Lengths People Go To Just To Avoid DNSSEC

June 2020

Writing an SNI Proxy in 115 Lines of Go

Security Review of CFSSL Signer Code

May 2020

Fixing the Breakage from the AddTrust External CA Root Expiration

February 2020

Short Take: Why Trust-On-First-Use Doesn't Work (Even for SSH)

When Will Your DNS Record Be Published?

January 2020

This Is Why You Always Review Your Dependencies, AGPL Edition

December 2019

Preventing Server Side Request Forgery in Golang

Programmatically Accessing Your Customers' Google Cloud Accounts (While Avoiding the Confused Deputy Problem)

April 2019

MTA-STS is Hard. Here's how DNS Providers Can Make it Awesome With Automation...

April 2018

Making Certificates Easier and Helping the Ecosystem: Four Years of SSLMate

March 2018

These Three Companies Are Doing the Internet a Solid By Running Certificate Transparency Logs

January 2018

Google's Certificate Revocation Server Is Down - What Does It Mean?

How will Certificate Transparency Logs be Audited in Practice?

September 2017

Why Man-in-the-Middle Detection is Overrated

January 2017

Thoughts on the Systemd Root Exploit

October 2016

Systemd is not Magic Security Dust

September 2016

How to Crash Systemd in One Tweet

February 2016

Domain Validation Vulnerability in Symantec Certificate Authority

December 2015

Duplicate Signature Key Selection Attack in Let's Encrypt

October 2015

I Don't Accept the Risk of SHA-1

August 2015

Hardening OpenVPN for DEF CON

March 2015

How to Responsibly Publish a Misissued SSL Certificate

October 2014

Renewing an SSL Certificate Without Even Logging in to My Server

September 2014

CloudFlare: SSL Added and Removed Here :-)

SHA-1 Certificate Deprecation: No Easy Answers

August 2014

STARTTLS Considered Harmful

July 2014

LibreSSL's PRNG is Unsafe on Linux [Update: LibreSSL fork fix]

June 2014

IPv6 Broken, Buggy DNS to Blame

Titus Isolation Techniques, Continued

May 2014

Protecting the OpenSSL Private Key in a Separate Process

April 2014

Responding to Heartbleed: A script to rekey SSL certs en masse

December 2013

The Sorry State of Xpdf in Debian

October 2013

Verisign's Broken Name Servers Slow Down HTTPS for Google and Others

July 2013

ICMP Redirect Attacks in the Wild

March 2013

Running a Robust NTP Daemon

GCC's Implementation of basic_istream::ignore() is Broken

Why Do Hackers Love Namecheap and Hate

February 2013

Easily Running FUSE in an Isolated Mount Namespace

December 2012

Insecure and Inconvenient: Gmail's Broken Certificate Validation

November 2012

Beware the IPv6 DAD Race Condition

Working Around the HE/Cogent IPv6 Peering Dispute

Security Pitfalls of setgid Programs

How FUSE Can Break Rsync Backups

Remote SSH Commands and Broken Connections