I'm not checking this hellscape much anymore. Find me on 🦋 (estark at bsky dot social)

Wow, I appreciate @acm_ccs being frank about review ethics! #CCS

A proposed CA/Browser Forum ballot would radically shorten the max validity period of #TLS certificates over the next few years

It's a common misconception that we need to move from AES-128 to AES-256 to counter quantum attack. In this great talk @sejaques explains why, and shows a few new arguments why Grover's algorithm is even less practical than we already understood it to be.

Update: flights grounded due to an “IT issue” so I might, in fact, just be living in SFO forever, Crowdstrike-style

I will be at TPAC this week! Planning to attend WebAppSec, WebAuthn, various breakouts, and the hallway.

I will die on the hill that RTO hurts families with young children the most — and mothers above all when mom is still the default caregiver. Don’t make people choose between their kids and their careers.

(It does have security benefits, and they will increase over time as things evolve! But creating a passkey doesn't currently instantly make your account unphishable, for example.)

This means that creating passkeys doesn't harm availability of your account. It also means that creating a passkey might not have all the security benefits that one would like.

PSA: creating a passkey for a website does not imply that you can no longer log in with a password

Great comment from @arturjanc on why Content Security Policy is not a good tool for preventing untrusted code from exfiltrating sensitive data:

How Chrome is planning on rolling on the final standardized version of Kyber / ML-KEM

When your 2-year-old starts correctly pronouncing a word she’s been adorably mispronouncing her whole life and you realize that little nonsense word is gone forever

Several years ago I complained that https://t.co/GEBztHXCZB doesn't use HTTPS. It still doesn't, but at least the complaint now exists in blog post form:

you have to read and write a lot; there are no shortcuts

Kudos to @davidcadrian @davidben__ @ryancdickson @modyoloN, Bob Beck, Chris Clements, and the rest of the team

My team has been BUSY! Highlights from this lovely Friday morning: - Postquantum TLS strategy: https://t.co/2vRbLYEMTJ - Distrusting CAs w/out breaking existing certs: https://t.co/EpNnnQB5XN - Updated draft of Trust Expressions for TLS cert negotiation:

There is a new draft for Trust Expressions. It is trying to address the real-world complexity of TLS deployment by making the ubiquity problem of root certificates manageable it does this by enabling relying parties to succinctly convey which certification authorities they trust.

Following up with some thoughts on how to think about migrating HTTPS to post-quantum cryptography. It's similar to the HTTPS adoption effort, but not quite the same because lack of post-quantum security is not the same thing as plaintext. https://t.co/2symnzslHt