Andrew Ayer - Blog

SQLite's Durability Settings are a Mess

The Story Behind Last Week's Let's Encrypt Downtime

The Difference Between Root Certificate Authorities, Intermediates, and Resellers

The SSL Certificate Issuer Field is a Lie

whoarethey: Determine Who Can Log In to an SSH Server

No, Google Did Not Hike the Price of a .dev Domain from $12 to $850

Checking if a Certificate is Revoked: How Hard Can It Be?

Parsing a TLS Client Hello with Go's cryptobyte Package

How I'm Using SNI Proxying and IPv6 to Share Port 443 Between Webapps

Comcast Shot Themselves in the Foot with MTA-STS

It's Now Possible To Sign Arbitrary Data With Your SSH Keys

How Certificate Transparency Logs Fail and Why It's OK

Security Vulnerabilities in Smallstep PKI Software

The Lengths People Go To Just To Avoid DNSSEC

Writing an SNI Proxy in 115 Lines of Go

Security Review of CFSSL Signer Code

Fixing the Breakage from the AddTrust External CA Root Expiration

Short Take: Why Trust-On-First-Use Doesn't Work (Even for SSH)

When Will Your DNS Record Be Published?

This Is Why You Always Review Your Dependencies, AGPL Edition

Preventing Server Side Request Forgery in Golang

Programmatically Accessing Your Customers' Google Cloud Accounts (While Avoiding the Confused Deputy Problem)

MTA-STS is Hard. Here's how DNS Providers Can Make it Awesome With Automation...

Making Certificates Easier and Helping the Ecosystem: Four Years of SSLMate

These Three Companies Are Doing the Internet a Solid By Running Certificate Transparency Logs

Google's Certificate Revocation Server Is Down - What Does It Mean?

How will Certificate Transparency Logs be Audited in Practice?

Why Man-in-the-Middle Detection is Overrated

Thoughts on the Systemd Root Exploit

Systemd is not Magic Security Dust