Esther Payne :bisexual_flag: boosted
Neil Craig
@tdp_org@mastodon.social  ·  activity timestamp 3 days ago

ICYMI:

**GlobalSign certs issued on Monday 1st Dec 2025 will not be trusted on some clients because they incorrectly use 2027 CT logs.**

You can simply reissue them to resolve the problem.

https://status.globalsign.com/incidents/49ndl5hz24h2

#PKI #GlobalSign #WebDev #TLS #CTLogs

Michael Dexter boosted
Jason Tubnor 🇦🇺
@Tubsta@soc.feditime.com  ·  activity timestamp 3 weeks ago

Looking at the fragility of the internet, there is one pillar that doesn't appear to be on anyone's radar. That is #letsencrypt .

Let's Encrypt just works, so it is clearly not front and center lately, but with certificate lifecycles being reduced further and further over the coming years, it is probably not wise to bank on a single provider where an over-run of renewals could DDoS them into oblivion.

What other options are out there? #tlscertificate #tls

Giacomo Tesio
@giacomo@snac.tesio.it  ·  activity timestamp 4 weeks ago

Well @chrysn@chaos.social, I really appreciate your good intentions and will to fight for users' #privacy.
But I was not talking about you or the few independent developers who still volunteer at #IETF these days.
I was talking about IETF effects on the Internet standards as a whole.
I'm afraid the impact of a few independent engineers is not going to balance the power of organized and well funded #BigTech lobbyists.

As an example, let's stay on topic and look at RFC 9001, "Using #TLS to Secure #QUIC".
All that is said about the improved ability of the server to identify (and thus track) the user is in two lines about session resumption (emphasis mine):

> Session resumption allows servers to link activity on the original connection with the resumed connection, which might be a privacy issue for clients. Clients can choose not to enable resumption to avoid creating this correlation.

Now please notice the #hypocrisy: the wording is set up as if clients should opt-in, but it's pretty unlikely that users will be given a choice between a personal data leak at protocol level and an imperceptible increase in connection time, in particular with 0-RTT where "Endpoints cannot selectively disregard information that might alter the sending or processing of 0-RTT".

So while I'm pretty curious about @bagder@mastodon.social's perspective, I see that #Google managed to get a protocol designed to thwart user privacy and reduce its own server costs (even just the energy consumed during TLS handshakes amounts to thousands of dollars each day).

This way, if the EU decided to forbid tracking cookies at all, Google would get a competitive advantage over all other #AdsTech companies.

Now a properly working IETF would have rejected such shit, knowing that it would have been leveraged against people (and democracies) through #Chrome browsers and #Android defaults.

CC: @daniel@gultsch.social @lorenzo@snac.bobadin.icu

Stefano Marinelli boosted
Peter N. M. Hansteen
@pitrh@mastodon.social  ·  activity timestamp last month

LibreSSL 4.1.2 and 4.2.1 released https://www.undeadly.org/cgi?action=article;sid=20251102090208 #openbsd #libressl #tls #ssl #security #networking #cryptography #crypto #realcrypto #libresoftware #freesoftware

Bill
@Sempf@infosec.exchange  ·  activity timestamp last month

I have a site that works fine everywhere until it is proxied. Then ERR_SSL_PROTOCOL_ERROR. Not pinned, proxy CA trusted, everything works as it should otherwise, but can't see it in Burp or ZAP's browser.

IT WORKS in Tor though. Isn't that the proxiest of proxied browsers?

Any clue?

#appsec #tls

Stefano Marinelli boosted
Peter N. M. Hansteen
@pitrh@mastodon.social  ·  activity timestamp 2 months ago

LibreSSL 4.1.1 and 4.0.1 released https://www.undeadly.org/cgi?action=article;sid=20251002054519 #openbsd #libressl #tls #https #cryptography #security #newrelease #development #freesoftware #libresoftware

Alan Zimmerman and 3 others boosted
Max Resing
@resingm@infosec.exchange  ·  activity timestamp 3 months ago

Yesterday, 10 years ago, Let's Encrypt issued their first #TLS #certificate to the domain name helloworld.letsencrypt.org. Since then, they issued 7 billion certificates.

To quote Borat: "Great success!"

Congrats!

#letsencrypt #tls #ssl #https

Joachim boosted
Raphaël SurcouF :verifvelo:
@raphaelsurcouf@masto.bike  ·  activity timestamp 3 months ago

Two #TLS questions
I created a new PKI for my client, but Edge cannot decode the root certificate or the intermediate, while Firefox has no problem...
Error: unable to decode certificate

Any ideas?

F-Droid boosted
Guardian Project
@guardianproject@social.librem.one  ·  activity timestamp 3 months ago
#DEfO has completed #ECH implementation for #nginx and there is a pull request:

https://github.com/nginx/nginx/pull/840

If you want to see ECH in nginx sooner rather than later, please jump in and review, give feedback, thumbs up, etc.

#EncryptedClientHello #TLS #OpenSSL

Stefano Marinelli boosted
gyptazy
@gyptazy@mastodon.gyptazy.com  ·  activity timestamp 4 months ago

Am I really the only one who uses certificates with a 24-hour lifetime, which get automatically renewed and signed by my own CA via ACME?

#ssl #tls #dane #acme #certificate #certificateauthority #ca
