2021-08-11: Remediating AWS IMDSv1
Heya! We’re in the process of reworking our blog–sorry for the radio silence. …

2020-03-12: The SOC2 Starting Seven
So, you plan to sell your startup’s product to big companies one day. Congratu-dolences! Really, …

2020-02-19: Stop Using Encrypted Email
Email is unsafe and cannot be made safe. The tools we have today to encrypt email are badly flawed. …

2019-07-24: How (not) to sign a JSON object
Last year we did a blog post on interservice auth. This post is mostly about authenticating …

2019-07-16: The PGP Problem
Cryptography engineers have been tearing their hair out over PGP’s deficiencies for (literally) …

2018-09-30: Analyzing a simple encryption scheme using GitHub SSH keys
(This is an introductory level analysis of a scheme involving RSA. If you’re already …

2018-08-08: ROCA vs. ROBOT: An Eternal Golden Braid
The ROCA RSA key generation flaw or ROBOT, the “Return Of Bleichenbacher” attack: which is most …

2018-08-03: The default OpenSSH key encryption is worse than plaintext
The eslint-scope npm package got compromised recently, stealing npm credentials from your home …

2018-07-18: Factoring the Noise protocol matrix
TL;DR: if I ever told you to use Noise, I probably meant Noise_IK and should have been more …

2018-06-21: Loud subshells
Default shells usually end in $. Unless you’re root and it’s #. That tradition has been …

2018-06-12: A Child’s Garden of Inter-Service Authentication Schemes
Modern applications tend to be composed from relationships between smaller applications. Secure …

2018-05-29: Gripes with Google Groups
If you’re like me, you think of Google Groups as the Usenet client turned mailing list manager. If …

2018-05-16: There Will Be WireGuard
Amidst the hubbub of the Efail PGP/SMIME debacle yesterday, the WireGuard project made a pretty …

2018-05-04: Dumb Security Questionnaires
It’s weird to say this but a significant part of the value we provide clients is filling out …

2018-04-03: Cryptographic Right Answers
We’re less interested in empowering developers and a lot more pessimistic about the prospects of …