new Merkle Tree Cert only Chrome Quantum Root Store: security.googleblog.com/2026/02/cult...

None of you are giving me enough credit for not participating on the TLS working group mailing list. You're welcome. Everything I don't do, I don't do it for you.

Who up losing they minds on this site?

NEW EPISODE! The maintainers of py/cryptography declared that after many years of trying to make it work, they would be moving away from OpenSSL when supporting new functionality and exploring adding other backends: securitycryptographywhatever.com/2026/02/01/p... www.youtube.com/watch?v=dEKB...

Thinking about Curt Cignetti.

I cannot get over how impressive it is what Curt Cignetti accomplished at Indiana

Indiana shall light this holy ring, release its cleansing flame, and burn a path into the divine beyond!

This is what zero-trust looks like at the infrastructure layer. Identity and encryption match the lifetime of the thing being secured. If your certificate strategy still assumes stable names and year-long validity, it is already behind reality. letsencrypt.org/2026/01/15/6...

repent! for the day of sixteen windiana shall be upon us!

Final SCW of 2025! We had Matt Bernhard on to talk about cryptographic voting systems, in the wake of the IACR election. (Everybody I voted for in the new election won! Woo!)

What a fantastic present to end the year! (swear I woke up like this) @mbernhard.com @durumcrustulum.com @sockpuppet.org @dadrian.io @scwpod.bsky.social

This Bernstein crap drives me up the wall because IT MAKES NO SENSE. Why would the NSA be picking weak crypto to protect US NatSec?! They have mathematicians and clusters in China, too! Dual_EC_DRBG was a NOBUS backdoor. There is NOWHERE to hide a NOBUS backdoor in ML-KEM.

Wonderful news! The kind of thing a lot of software folks across the world have been working to make possible. So stoked the Chrome folks are pushing us forward

It's time to make HTTPS the web's default, and reap the full security benefit from years worth of HTTPS adoption! security.googleblog.com/2025/10/http...

One year from now, Chrome will enable "Always Use Secure Connections" and warn users before plaintext HTTP by default.

Iowa-Rutgers hitting the over? Trump ruined the B1G West.

New post! Stop trying to solve revocation, we already have the answer. dadrian.io/blog/posts/r...

Kirk Herbstreit is going to be the first person to make a Golden Retriever unlikable.

The bigger issue? Microsoft’s root program still trusts this CA, leaving Edge and Windows users exposed in ways Chrome, Firefox, and Safari users aren’t. The pattern is familiar: long-lived trust, weak oversight, systemic risk. It’s time for Microsoft to step up and fund proper root governance. 👇

If you look closely, you can see UNC’s quarterback is not Tom Brady

This game has me feeling like I'm watching Iowa play Iowa.

Sent this to a girl in California and pretty sure she thinks it’s in another language

Come for the PGP dunks, stay for the broader discussion of why encrypted email doesn’t make sense

The first part of this interview with my ex-colleague Alex is a great listen if you're a software engineer (or otherwise technical) and are interested in what we were working on as technologists at the Federal Trade Commission.

NEW EPISODE! An OpenPGP.js bug gave us an excuse to tear encrypted email via PGP to shreds. William Woodruff joined us to explain the vuln & indulge our gnashing of teeth on why email was never meant to be encrypted: securitycryptographywhatever.com/2025/08/22/s... www.youtube.com/watch?v=IoL3...

NEW EPISODE! We chat with friend of the pod and special guest Alex Gaynor, former deputy chief technologist at the FTC and all around good Security Person™. Join for nerdery about WebAuthn, stay for accidentally melting down GitHub APIs around November 2020! youtu.be/gBoGvyvsSi4

And then there’s David.

figma balls

New episode! Come to SCWPodCon, sponsored by Teleport! www.youtube.com/watch?v=tbnh...

🫡 go blue www.michigandaily.com/opinion/edit... #a2council

pew pew pew www.youtube.com/watch?v=vtt8...

Just posted a deep dive on how Chrome integrates with Advanced Protection Mode on Android. security.googleblog.com/2025/07/adva...

Wrote some words about memory safety and JITs. Basically, there are things we want out of hardware, but it's not MTE and it still involves migrating to memory safe languages dadrian.io/blog/posts/m...

We’re not yet sure exactly what quantum computing can do yet, and that’s exactly why we need to think about post-quantum cryptography now, @durumcrustulum.com tells EFF’s Cindy Cohn and @thejasonkelley.com on the new episode of “How to Fix the Internet."

Guide for #a2council to just do things— Step 1: Ask @sstrudeau.bsky.social and @akgood.bsky.social what rules to get rid of. Step 2. Get rid of those rules.

If #a2council would have just done things, instead of wasting time with an expensive and useless comprehensive land use plan, then John U. Bacon wouldn’t be able to post boomer misinformation about it.

Still have one more slot for a sponsor for our annual Vegas event, poke @dadrian.io if you have money.

There is literally a machine that does your laundry.

More like Santa Ono! Disaster! What a bad idea!

Sophie Schmieg + ayahuasca = keymaterial.net/2025/05/23/t...

Behold my favorite weird Chrome security bug of 2025 so far! A jaw-dropping URL / omnibox spoof via ligatures, specifically the googlelogo ligature. issues.chromium.org/issues/39178...

the signatures must flow.

If you have a legitimate reason to get a publicly-trusted HTTPS certificate for a .arpa domain, speak now or forever hold your peace.

if you like Google Advanced Protection Program and run Android, get excited for Android 16: security.googleblog.com/2025/05/adva...

A Chicago Pope implies the existence of an MLA Pope and APA Pope

Ungovernable because none of your software works and you can't get anything done.

Why is the latest version of uBlock Origin Lite asking permission to access all websites now? I love uBO Lite precisely because it doesn't make me trust an extension developer with all my browser security... (Let's not re-debate MV3 unnecessarily please. Will block.)