Have you ever needed to make sure your website has an expired or revoked certificate? No, that's not a problem people have. But we do, because CAs have to run test sites with them. I wrote a post post about this problem, and the tool that we use to host ours: letsencrypt.org/2026/04/10/t...

people are always talking about a hypothetical technologically advanced alien race ... but I always wonder, if they exist, do they also have to deal with PKI?

Earlier this year, LWN.net featured an excellent article named "Linux's missing CRL infrastructure", and today Canonical announced it will be working with me and @jbp.io over the coming weeks to start bridging the PKI infrastructure gap. discourse.ubuntu.com/t/addressing...

anyone need their horse rotated?

Firefox's telemetry has data on how many times a CA is used to successfully validate certificates. This is a pretty good measure for how "big" a CA is. The data is hard to view in Mozilla's site, so I've made a script to combine a few data sources and graph it! github.com/mcpherrinm/c...

Customers: We want a faster horse Henry Ford: Ah. In fact— Kubernetes: Let me stop you right there. What you really need is 1000 horses that die randomly

Inspired by the classic xeyes program, I made a thing: ssh teyes.fly.dev Or go install github.com/mcpherrinm/teyes@latest && teyes Give your mouse a wiggle over the terminal!

I'll be speaking at the Ontario #Cryptography Day! ontario-crypto-day.github.io Where: University of Waterloo Davis Centre (DC) 1301 and 1302 When: Friday, June 6, 2025, from 10am to approx. 4:30pm I hope anyone in the area interested in cryptography is able to attend!

OK, this is wild. In September 2023, geophysicists across the world started monitoring a very odd signal coming from the ground under them. It was picked up in the Arctic. And Antarctica. It was detected everywhere, every 90 seconds, as regular as a metronome, for *nine days*. What the HELL? 1/

A lot of Americans don't know this, but the winner of the Canadian election will be required live in a small cottage located in the backyard of the palace where the viceroy to the King of England lives. The cottage just recently got a new wifi router, which was very exciting for all Canadians.

Array indices start at 0 in C, but start at 32 in F.

Of all the things I didn’t expect to ever happen, iOS Safari actually got a certificate viewer in 18.4! webkit.org/blog/16574/w...

We've issued our first short-lived (6 day) certificate! letsencrypt.org/2025/02/20/f...

Chrome has published version 1.6 of their root store policy. Notably, this includes a deadline of June 15, 2026 to get TLS Client Auth out from any intermediates under roots in Chrome's program. TLS client cert users from public CAs may need to make changes. www.chromium.org/Home/chromiu...

Congratulations to the Firefox team for shipping CT enforcement! > Starting in Firefox 135, Certificate Transparency is now enforced on all desktop platforms. groups.google.com/a/mozilla.or...

Canadian MP Charlie Angus: Our beloved Canada is under threat. The threat comes from the president of the US—a convicted felon and known predator. But the threat is also being driven by the hate algorithms of oligarchs like Elon Musk….

heads up for fans of the "ship is stuck" genre, the Manitoulin is currently stuck in icy Lake Erie just outside Buffalo www.reddit.com/r/GreatLakes...

Boatify wrapped 2024! Stats, maps, timelapses and silly stuff from my AIS receiver and webcam overlooking the Firth of Forth. (recommend viewing on a grown up computer, works on phones but not optimised for them) vessels.marinesightings.com/review/2024/

I'm speaking at #SREcon in Santa Clara this March! Come learn how Let's Encrypt issues millions of certificates with just a handful of staff and servers! www.usenix.org/conference/s...

I hear that the Ontario Government is directing Metrolinx to start investigating 'the massing link' and if it actually amounts to anything is quite impactful project for Toronto region passenger and freight

2024 update for my chart on the landscape of quantum computing: sam-jaques.appspot.com/quantum_land... Not much visible on the chart, but Google's result (the one with the recent press attention) is a pretty big deal

La Côte-Nord a connu des conditions météorologiques extrêmes ces dernières semaines. Environ 75 mm de verglas se sont accumulés sur nos lignes de transport à certains endroits et nous avons dû y dépêcher des équipes rapidement afin de déglacer les lignes.

The train livery for the return of the Ontario Northland Railway "Northlander" train. Source: news.ontario.ca/en/r...

I made a calendar where every month is also a crossword, and you can get one today! Introducing the 2025 Crossword Calendar: crosswordcal.com/products/202...

how do you all remember every UUID? I find it really hard. so I wrote them all down on every uuid dot com the list has fast search across all 2^122 values (so you can find your favorites) - hoping to add some social features like "trending UUIDs" soon!

Intel launched the Pentium processor in 1993. Unfortunately, dividing sometimes gave a slightly wrong answer, the famous FDIV bug. Replacing the faulty chips cost Intel $475 million. I reverse-engineered the circuitry and can explain the bug. 1/9

Do you use Let's Encrypt certificates? Do you use the "client auth" extended key usage with them? (I.E: Do you use Let's Encrypt as a client certificate). Chrome's root program is looking to phase out its use in roots they trust. I'd love to hear from anyone who would be affected.

Great to see more organizations sharing their use of Rustls :) www.memorysafety.org/blog/rustls-...

pardon me as I explain why Danforth is a right bastard, because this is one of my areas of intense nerdery

🧵SALT🧵 It's been snowing in the UK and the road gritters are out in force, begging the question: Have you ever wondered where that grit actually COMES from? The answer is more magical, beautiful and fascinating than you probably realised. 1/14

overheard: #homelab is where the #heartlab is

How does the new iOS inactivity reboot work? What does it protect from? I reverse engineered the kernel extension and the secure enclave processor, where this feature is implemented. naehrdine.blogspot.com/2024/11/reve...

Oh, I never posted my gotofail story on here. Early 2014, someone came to me about a catastrophic vulnerability in Apple's TLS implementation. I shit you not, they'd overheard someone at a bar drunkenly bragging about how they were going to sell it to a FVEY intelligence agency for six figures.

Today in relatable science: Gulls making a mysterious daily trip that turned out to be to a potato chip factory

More on iPhones rebooting themselves to resist cracking. www.404media.co/apple-quietl...

I swear there was the top of a mountain just there, but it disappeared. It must have pulled a sneak peak.

look at this absolute unit

The cross-sign of ISRG Root X1 by DST Root CA X3 has now expired. 
It's been 10 years in the making, but Let's Encrypt is now a fully standalone certificate authority, trusted by the vast majority of browsers and other devices 🔐

OpenSSH 9.9 has just been released. New features include support for hybrid ML-KEM X25519 post-quantum key exchange (using a formally-verified implementation), improved controls to drop and penalise unwanted connections, faster NTRUPrime key exchange code and more. www.openssh.com/releasenotes...

If you want to use an application that uses OpenSSL like nginx with RusTLS, you can use this new compatibility layer to seamlessly switch to a modern, memory-safe TLS implementation: www.memorysafety.org/blog/rustls-...

The solar eclipse that will cast a visible shadow across the U.S. on Monday is already leaving an obvious mark on hotel prices. About 300 Super 8s are within the path of solar eclipse in totality, and 100 of those were sold out for Sunday or Monday. nyti.ms/43KrUWe

Reading the timeline of the pressure campaign to convince the xz maintainer to hand over control is… awful. Merciless guilt-tripping. One lesson I’m taking from this is to be even more ruthless with blocks. Whining about maintenance? Blocked. Zero chances. research.swtch.com/xz-timeline

Extremely excited to introduce Sunlight, a Certificate Transparency log backed by object storage, based on sumdb-style tiles, and with no merge delay. It’s designed to be cheap, easy, and safe to operate, and to bring CT into the growing tlog ecosystem. sunlight.dev

NEW EPISODE! iMessage is getting a big post-quantum upgrade! Douglas Stebila joined us to talk about his security analysis of the new PQ3 protocol update and not indulge our wild Apple speculations: securitycryptographywhatever.com/2024/03/03/p... youtu.be/ogPy5XOEj3s

I’m excited to share River, a plan to build a new http reverse proxy built in Rust using Cloudflare’s pingora libraries: www.memorysafety.org/blog/introdu...

The Open Source Cryptography Workshop will be held the Thursday after #RWC, on 28 March, at the University of Toronto Chestnut Conference Center. Pre-registration is required, registration is now open, and some of the sessions are announced. See  oscwork.shop/2024/  #OSCW #OSCW2024

Later this week, Let's Encrypt will stop including the cross-sign from Identrust's Root CA in our API by default. Details in our blog post at letsencrypt.org/2023/07/10/c... If you have any questions, happy to answer them over on our Community forum: community.letsencrypt.org/t/questions-...

picking a DNS record type to use for my new protocol

Are you going to be at DEFCON this year? Come see my talk at the Crypto & Privacy village, where I'll be talking about the privacy and performance trade-offs of web PKI revocation! 15:00 on Friday August 11th in the Vista room at Flamingo

Hello!