Published 2023-03-30
As I mentioned in my post about attending Real World Crypto 2023 and the Open Source Cryptography Workshop, I’ve given a talk discussing Rustls-FFI and the work to allow curl and libcurl to use the Rust-based, memory-safe Rustls TLS library in a talk... [read more]
Published 2023-03-25
At this point I’m supposed to be in Tokyo, attending the Real World Crypto Symposium in Tokyo next week, and after that, I’m co-organizing and speaking at the Open Source Cryptography Workshop. But I’ve gotten COVID-19 again, instead.
[read more]Published 2023-03-21
I’ll be attending the Real World Crypto Symposium in Tokyo next week, and after that, I’m co-organizing and speaking at the Open Source Cryptography Workshop.
[read more]Published 2020-12-01
Firefox is the only major browser that still evaluates every website it connects to whether the certificate used has been reported as revoked. Firefox users are notified of all connections involving untrustworthy certificates, regardless the popularity of the site. Inconveniently, checking certificate status sometimes slows down the connection to websites.... [read more]
Published 2020-11-27
Since Firefox Nightly is now using CRLite to determine if enrolled websites’ certificates are revoked, it’s useful to dig into the data to answer why a given certificate issuer gets enrolled or not.
Ultimately this is a matter of whether the CRLs for a given issuer are available to... [read more]
Published 2020-11-26
Firefox Nightly is now using CRLite to determine if websites’ certificates are revoked — e.g., if the Certificate Authority published that web browsers shouldn’t trust that website certificate. Telemetry shows that querying the local CRLite dataset is much faster than making a network connection for OCSP, which makes... [read more]
Published 2020-01-21
CRLite pushes bulk certificate revocation information to Firefox users, reducing the need to actively query such information one by one. Additionally this new technology eliminates the privacy leak that individual queries can bring, and does so for the whole Web, not just special parts of it.
[read more]Published 2020-01-09
CRLite is a technology to efficiently compress revocation information for the whole Web PKI into a format easily delivered to Web users. It addresses the performance and privacy pitfalls of the Online Certificate Status Protocol (OCSP) while avoiding a need for some administrative decisions on the relative value of one... [read more]
Published 2020-01-09
CRLite is a technology proposed by a group of researchers at the IEEE Symposium on Security and Privacy 2017 that compresses revocation information so effectively that 300 megabytes of revocation data can become 1 megabyte.
[read more]Published 2018-12-04
I gave a lightning talk at our Mozilla All-Hands meeting about CRLite, a new technology for delivering revocations for the Web PKI to all clients in a very compressed form.
[read more]Published 2017-12-04
At Mozilla’s Austin All-Hands I gave a lightning talk about Web Authentication, which is our best technical solution to the scourge of phishing today.
[read more]Published 2017-08-18
Certificate Revocation Lists (CRLs) are a way for Certificate Authorities to announce to their relying parties (e.g., users validating the certificates) that a Certificate they issued should no longer be trusted. E.g., was revoked.
[read more]Published 2017-07-10
We’re changing the methodology used to calculate the Let’s Encrypt Statistics page, primarily to better cope with the growth of Let’s Encrypt. Over the past several months it’s become clear that the existing methodology is less accurate than we had expected, over-counting the number of websites using Let’s... [read more]
Published 2017-05-16
I’ve been supplying the statistics for Let’s Encrypt since they’ve launched. In Q4 of 2016 their volume of certificates exceeded the ability of my database server to cope, and I moved it to an Amazon RDS instance.
[read more]Published 2017-02-23
Our deprecation plan for the SHA-1 algorithm in the public Web, first announced in 2015, is drawing to a close. Today a team of researchers from CWI Amsterdam and Google revealed the first practical collision for SHA-1, affirming the insecurity of the algorithm and reinforcing our judgment that... [read more]
Published 2016-12-19
The Phoenix DevOps Meetup has asked me to do a walk-through of how to encrypt a website using Let’s Encrypt for their February meetup. I don’t believe this talk will be recorded, but for any locals who want to discuss PKI, I’ll be available after.
[read more]Published 2016-09-30
Yesterday Let’s Encrypt reached a new milestone: the unique set of all fully-qualified domain names in the currently-unexpired certificates issued by Let’s Encrypt is now 10,022,446.
[read more]Published 2016-07-05
Today at the RMLL conference’s security track I’m talking about some of the challenges, decisions, and trade-offs that occurred while launching Let’s Encrypt, in a talk I’ve called Let’s Encrypt: The Road To Encrypting All The Things.
[read more]Published 2016-04-05
This is a quick status update from the Early Impacts of Let’s Encrypt post.
[read more]Published 2016-02-19
During the months I worked in Let’s Encrypt’s operations team I got fairly used to being the go-to man for any question that a database query could solve.
[read more]Published 2016-01-21
Gathering data from Certificate Transparency logs, here’s a snapshot in time of Let’s Encrypt’s certificate issuance rate per minute from 15-21 January 2016
[read more]Published 2016-01-19
I spent some time over the last week working up a safe Content Security Policy for this website
[read more]Published 2016-01-15
All the first Let’s Encrypt certs for my websites from the LE private beta began expiring last week, so it was time to work through the renewal tooling
[read more]Published 2015-10-20
A bigger blog post will have to wait, but just as a brief note:
Let’s Encrypt is now publicly trusted. In fact, this blog is using a certificate from Let’s Encrypt. And so is usr.bin.coffee, of course.
[read more]Published 2014-08-06
Using an Electric Imp and two Vegetronix VH400 soil moisture sensors, I am now able to monitor the water content of two locations in my garden.
[read more]On a mission to solve communications security issues for the whole Internet. That, and drink coffee.
This work is licensed under a Creative Commons Attribution 4.0 International License.