Andrew Ayer
Bootstrapped founder of , where I make SSL certificates easier and do and stuff.
924 Tweets
174 Following
1,490 Followers
Tweets
Andrew Ayer, Feb 3
Replying to @campuscodi
They were doing that long before DarkMatter.
Andrew Ayer, Feb 3
New blog post: When Will Your DNS Record Be Published?
Andrew Ayer, Jan 29
Replying to @AlecMuffett @ln4711 and 3 others
That was issued by Digicert, from a white label intermediate CA.
Andrew Ayer, Jan 26
Replying to @hanno
Chrome announced their 2020 plans for Certificate Transparency:
Andrew Ayer, Jan 11
Replying to @MadebyBurton
I do not use AV.
Andrew Ayer, Jan 11
Replying to @BRIAN_____
Same. And I'm glad we got to meet in person, even if it was nigh impossible to have a conversation in that bar!
Andrew Ayer Retweeted
Real World Crypto, Jan 7
We are pleased to announce that 2020 will be live-streamed. Link:
Andrew Ayer, Jan 7
Replying to @tommy_hs
Yes, I'm correct. See Section 2.6 of RFC6960.
Andrew Ayer, Jan 7
Replying to @__agwa
Hopefully the SHA-1 OCSP responses are all signed from a sub-CA technically constrained to OCSP (as required by Mozilla policy) so it can't be used to forge an actual certificate.
Andrew Ayer, Jan 7
Replying to @__agwa
I haven't scanned OCSP responders in a while, but I'm sure there are still CAs signing OCSP responses with SHA-1, because it was never forbidden, and CAs will keep doing something dangerous as long as it's not forbidden.
Andrew Ayer, Jan 7
You calculate a SHA-1 chosen prefix and you choose to attack the PGP Web-of-Trust!? Come on, forge an OCSP response from a publicly-trusted CA instead!
Andrew Ayer, Jan 5
Replying to @alethenorio
Thanks! The FSF considers any kind of linking to a (A)GPL-licensed software component to be a modification, requiring the entire combined work to be (A)GPL-licensed also. This blog post goes into greater detail:
Andrew Ayer, Jan 5
New blog post: This Is Why You Always Review Your Dependencies, AGPL Edition
Andrew Ayer, Dec 27
Replying to @cryptodavidw
The other success story of CT is integrating it with certificate linters to make CAs issue certificates that are actually standards-compliant. Previously, certificate parsers had to be lax to parse all certificates. Now they can be strict, which is a huge win for security.
Andrew Ayer, Dec 27
Replying to @hanno @cryptodavidw
Certinomis is another example of a CA that was removed from Mozilla in large part due to misissuances found in CT.
Andrew Ayer, Dec 20
Replying to @agl__
Gah, Twitter ate the URL:
Andrew Ayer, Dec 20
Replying to @agl__
Pretty sure the article is wrong. Although Linus was talking about making getrandom nonblocking, he ultimately went with this commit instead:
Andrew Ayer Retweeted
Frank Denis, Dec 11
miekg/dns before version 1.1.25, released today, uses predictable DNS transaction IDs, which can lead to response forgeries.
Andrew Ayer, Dec 7
Replying to @BenBE1987 @FiloSottile @SSLMate
It will be sort of like that, except the importing will be continuous (since CAA records can change over time) and the user will be informed over email when there's a change.
Andrew Ayer, Dec 7
Replying to @BenBE1987 @FiloSottile @SSLMate
There's no CT-like system for DNS. Since Cert Spotter is a CT monitor, it shouldn't rely on a system that has weaker security guarantees than CT.