HackerTrans
TopNewTrendsCommentsPastAskShowJobs

mcpherrinm

4,395 karmajoined vor 16 Jahren

Submissions

The difficulty of making sure your website is broken

letsencrypt.org
71 points·by mcpherrinm·vor 3 Monaten·38 comments

comments

mcpherrinm
·vor 4 Tagen·discuss
So, in this case it wasn't correct to do so, but there is actually a current algorithm which uses floating point: Falcon (aka FN-DSA).

https://keymaterial.net/2026/05/13/so-you-want-to-deploy-fn-... talks about FN-DSA and has a section about how it's require to hand-implement floats to get constant-time operations.
mcpherrinm
·vor 9 Tagen·discuss
The underlying context is the US government only wants to buy systems which support pure post-quantum cryptography for use on top-secret networks, as part of the requirements of (via its Commercial National Security Algorithm Suite 2.0 standard).

So all the companies who want to sell anything using TLS to the government want to standardize this, so they can be CNSA2 compliant.

Everyone already supports this in major libraries; but some folks feel they need an IETF RFC specifying it.

(I don't have to comply with CNSA2 so I might have details slightly off)
mcpherrinm
·vor 22 Tagen·discuss
If a key is breached, the certificate can be revoked, but that revocation goes away once the certificate is expired.

Expiry is a pretty fundamental part of the security model of certificates.
mcpherrinm
·letzten Monat·discuss
It's the list here:

https://docs.adyen.com/plugins#built-by-adyen
mcpherrinm
·letzten Monat·discuss
The best introduction to verifiable indexes I know of offhand is https://www.youtube.com/watch?v=gfrXTgmbS1s and https://github.com/transparency-dev/incubator/tree/main/vind...
mcpherrinm
·letzten Monat·discuss
Yes, many of the problems from CT are fixed. I wouldn't call it a "broken mess" though, as it has been relatively effective at detecting various problems, and to my knowledge hasn't been compromised.

There are no SCTs, which were a compromise to get CT shipped. Each Merkle Tree Certificate has an actual inclusion proof in it.

CT has multiple independent logs, and requires certs to be logged to 2+ of them. With MTC, you have one issuing log, along with signatures from other "witnesses" which monitor and mirror log integrity. Those co-signatures are validated when checking the certificate.

Thus the witness network makes it much harder for logs to fork, as you can't present a forked view to just the client. You also need to present it to a witness. And it'll be much easier for folks to check all the witnesses are in sync.

Monitoring the MTC logs will be easier than CT, as they'll actually be smaller than CT for a few reasons. At least for the initial version, there won't be a better way to monitor for mis-issued certificates for a particular domain than linear scanning all certificates, but that's a problem being worked on for both CT and MTC, called "verifiable indexes".
mcpherrinm
·letzten Monat·discuss
On Linux and similar systems, I'm hoping github.com/rustls/upki will handle landmark distribution, and that non-browser clients can use that. Of course Rustls will support their own project, but I'm hopeful other TLS stacks do too. Ubuntu announcing they're deploying it should help with that.

On other OSes (like Mac OS and Windows), there's also OS-level services which could support this.

It would be a shame if we end up with a bunch of copies of this data, so I think a shared OS service is the only reasonable approach.

The hardest part is going to be smaller embedded systems.
mcpherrinm
·letzten Monat·discuss
Great question! Of course, we'll continue to provide more information as we firm up more details. This is an area that's not locked down yet, but I can give a sneak preview of what it might look like.

We expect batches to be produced quickly, on the same order of magnitude as current CT logs - somewhere in the 0.5s to 5 second range. This is an existing problem since (at least some) CT logs do the same batched behaviour.

Now, there is a catch with MTCA: That gets you a "standalone" certificate, which works just like a certificate does today. But it's big, still. To get the new, small certificates (landmark-relative), you will have to wait for the next landmark. Based on current planning and discussions with Chrome, we expect that to be hourly for short-lived certs, and 4 hours for longer-lived certificates.

So you'll get a big cert instantly, but you might have to wait an hour or 4 to get a certificate. So your new website can be online quickly, but with some downsides until you get the small landmark-relative cert.

(I work at Let's Encrypt)
mcpherrinm
·letzten Monat·discuss
OpenSSH's Damien Miller has https://datatracker.ietf.org/doc/draft-miller-sshm-mldsa44-e... defining [email protected] which seems more likely given the authorship.
mcpherrinm
·letzten Monat·discuss
Even without DNSSEC, the CAA record approach can help, as it requires MITMing between the CA and the DNS server, which may be harder in some cases than just MITMing a target site.

There’s some upcoming attempts at transport security for authoritative DNS servers which might help too: https://datatracker.ietf.org/doc/html/draft-hoffman-deleg-se...
mcpherrinm
·letzten Monat·discuss
CAA checking is mandatory, so you can always restrict to a given CA.

To get complete control with DNSSEC, you also need the accounturi and validationmethod extensions (which you need to guarantee only your account can issue, and only with the DNS validation type).

Those aren't yet mandatory, but you can restrict to a CA today which implements them, like Let's Encrypt.
mcpherrinm
·vor 2 Monaten·discuss
The post seems to be down so I am not quite sure what it says, but Co-Authored-By trailer is what Claude does. I'm not quite clear what you're suggested that's different from what Claude does - just default to off instead of default on?

> Co-Authored-By: Claude Opus 4.7 <[email protected]>
mcpherrinm
·vor 2 Monaten·discuss
It doesn't matter what the network is doing; the phone needs to disable 2g. There's various ways to get the phone to downgrade to 2g otherwise, eg https://montsecure.com/files/2021_downgrade.pdf

Android has it as a toggle: https://source.android.com/docs/security/features/cellular-s...

iPhone disables it for phones in lockdown mode.
mcpherrinm
·vor 2 Monaten·discuss
There's zero spam filtering interfering this way, and you can target your messages very precisely.
mcpherrinm
·vor 2 Monaten·discuss
2g networks didn't have the phone verify the network, so yes they can do this.

At least as of today, most phones have an option to turn off 2g but that isn't a default.
mcpherrinm
·vor 3 Monaten·discuss
Yeah, Chrome only partly supports revocation (Not sure exactly the criteria, but our test sites don't match it).
mcpherrinm
·vor 3 Monaten·discuss
Git bisect is one of the important reasons IMO to always squash-merge pull requests: Because the unit of review is the pull request.

I think this is all Github's fault, in the end, but I think we need to get Github to change and until then will keep using squash-merges.
mcpherrinm
·vor 3 Monaten·discuss
Squash merge is the only reasonable way to use GitHub:

If you update a PR with review feedback, you shouldn’t change existing commits because GitHub’s tools for showing you what has changed since your last review assume you are pushing new commits.

But then you don’t want those multiple commits addressing PR feedback to merge as they’re noise.

So sure, there’s workflows with Git that doesn’t need squashing. But they’re incompatible with GitHub, which is at least where I keep my code today.

Is it perfect? No. But neither is git, and I live in the world I am given.
mcpherrinm
·vor 4 Monaten·discuss
Yes, it's just a number referenced in one of a few databases.

> The 15-digit pet microchip is the international standard (see ISO 11784:1996 and ISO 11785:1996)

https://www.aaha.org/for-veterinary-professionals/microchip-...

https://en.wikipedia.org/wiki/ISO_11784_and_ISO_11785
mcpherrinm
·vor 5 Monaten·discuss
It does mean Unix timestamps. The blog post doesn’t have the full details.

You can read the RFC draft at https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-pe...

It says: CAs MUST properly parse and interpret the integer timestamp value as a UNIX timestamp (the number of seconds since 1970-01-01T00:00:00Z ignoring leap seconds) and apply the expiration correctly.