RC F'13, F2'17
Cryptogopher / Go cryptography maintainer
Professional open source maintainer
https://filippo.io / https://github.com/FiloSottile
https://mkcert.dev / https://age-encryption.org
https://sunlight.dev / https://filippo.io/newsletter
Filippo Valsorda
I'm impressed with Apple's Private Cloud Compute and its extension to Google Cloud.
Servers with a verified boot chain, attesting to their verified status to clients. Stateless computation. Hardened supply chain.
This is a massive investment in privacy.
security.apple.com/blog/expandi...
A few weeks ago I realized our websites accidentally disabled post-quantum key exchange because our haproxy had an old version of the modern ssl-config.mozilla.org config. Imagine how long it will take for everyone to realize this and fix their configs. This is not a scalable way of doing things...
Well, I wrote the prose and links of htmlpreview.github.io?https://gith... with placeholders for the inputs and buttons, and then Claude one-shotted it.
I checked the code, it's pretty good.
There's been some confusion around BRs non-compliant X.509 chains that OpenSSL accepts but Go rejects.
We're not going to introduce complexity in crypto/x509 for them, but I realized you could re-encode the issuer as an unsigned root to work around it.
So I made a little web tool to make it easy.
Ugh, apparently neither @github.com, nor @fastmail.com, nor @slack.engineering support post-quantum TLS key exchanges, making everything sent and received over these connections vulnerable to harvest-now-decrypt-later attacks, maybe as early as 2029.