It makes sense to use ECDSA for leaf certificates, because the TLS server can then handle more clients compared to a RSA based certificate of the same strength (the private key operation is much cheaper with ECDSA and is needed for every TLS handshake). The client of course, needs a few more cycles to verify the signature, but that is not noticeable most of the time.
IMHO it does not really make sense to use a ECDSA root certificate unless you have a very constrained environment, where every byte counts. The root certificate will never be transferred to the client during a TLS handshake - so the size benefit is minimal (the intermediate certificate will be a bit smaller, because ECDSA signatures are smaller). But the signature validation will take more cycles on the client in every TLS handshake.
Other than that it is a good thing that Let's Encrypt now has an ECDSA root. When researchers might find a problem with RSA in the future, we have an alternative ready to use.
I just got it by chance, there seems to be a XSS vulnerability and some way to post things. Didn't expect so many alert windows to appear and not sure what else it was doing.
The key to get high delivery rates to GMail and Office 365 is to setup DMARC. When you have a proper DMARC configuration (and at least SPF) your delivery problems will suddenly go away.
Hosting your own mail server is not rocket science, but you need to have solid sysadmin skills and a good understanding of email as a whole.
If anyone is interested in doing this: Start simple with only Postfix and Dovecot, don't use a database for username/mailbox configuration as most tutorials suggest (start with text files instead). You can also start with OpenSMTPD and Dovecot if you think that Postfix is too complicated.
And if your setup is finally running, make sure to setup proper monitoring (e.g. make sure your mail server is running and answering SMTP connections). You can use free tools like uptimerobot.com for that and get notified before you loose mail.
OCSP stapling together with OCSP Must Staple is the way to go here. All major browsers support these.
Firefox still does normal OCSP requests, Chromes does not. So if you are a Chrome user, to my understanding, there is now way to know if the server certificate was revoked or not, other than OCSP stapling together with OCSP Must Staple. Additionally, both Chrome and Firefox ship a list of revoked certificates, but it may not be updated quickly enough and as far as i can tell it mostly contains roots and intermediates.
This is not true. In Let's Encrypt/ACME for example, you can simply obtain authorizations for all the domains a certificate is valid for and request revocation [1]. The only thing you still need to revoke the certificate, is the certificate itself. The certificate can be obtained from CT logs.
Password managers like LastPass and 1Password have a significant advantage over offline database tools like KeePass: You can easily share individual passwords with your co-workers in a somewhat secure way.
KeePass for instance lacks the ability to do just that. You can either a) share the entire database or b) use multiple databases with different passwords. However, a) is not secure as your co-workers get access to passwords they do not need and b) is very inconvenient.
LastPass (or 1Password, Bitwarden) makes sharing individual passwords within your team very easy, convenient and secure enough. You can create shared folders and define permissions to access those by certain members of your team, and most importantly, deny access to other members. Is there any offline based password manager that allows you to do that (and is usable by the average Joe)?
In Germany, only Deutsche Telekom (and resellers such as Congstar) supports IPv6 on mobile (for both prepaid and postpaid). And it works great, even when tethering.
Since you're from the UK, I suppose you are a Vodafone customer and therefore roaming in the Vodafone network in Germany (which does not support IPv6 yet).
On some networks/devices you might have to enable IPv6 explicitly, by setting the APN to IPv4/IPv6.
In Singapore, Singtel seems to be the only provider that supports IPv6. Unfortunately only for postpaid plans.
It makes sense to use ECDSA for leaf certificates, because the TLS server can then handle more clients compared to a RSA based certificate of the same strength (the private key operation is much cheaper with ECDSA and is needed for every TLS handshake). The client of course, needs a few more cycles to verify the signature, but that is not noticeable most of the time.
IMHO it does not really make sense to use a ECDSA root certificate unless you have a very constrained environment, where every byte counts. The root certificate will never be transferred to the client during a TLS handshake - so the size benefit is minimal (the intermediate certificate will be a bit smaller, because ECDSA signatures are smaller). But the signature validation will take more cycles on the client in every TLS handshake.
Other than that it is a good thing that Let's Encrypt now has an ECDSA root. When researchers might find a problem with RSA in the future, we have an alternative ready to use.