cpu

@cpu.xkeyscore.club

Recluse open source programmer. Ⓥ. he/him. https://github.com/cpu https://hachyderm.io/@cpu

121 Followers · 237 Following · 25 Posts · Joined 22.10.2024

Latest posts by cpu @cpu.xkeyscore.club

GitHub - C2SP/wycheproof: Project Wycheproof tests crypto libraries against known attacks. Project Wycheproof tests crypto libraries against known attacks. - C2SP/wycheproof

@filippo.abyssdomain.expert plugs Wycheproof test vectors github.com/C2SP/wychepr...

#realworldcrypto

11.03.2026 03:43 👍 3 🔁 1 💬 1 📌 0
did something very silly, may have some at gophercon this year if you ever sent us a vulnerability report or contributed to Go crypto (or are just nice to me)

thanks to @ljamesart.bsky.social who did the great art!

03.03.2026 01:04 👍 78 🔁 5 💬 5 📌 0

TIL "fly-tip"

06.02.2026 14:10 👍 1 🔁 0 💬 0 📌 0
Slack confirmation code: 6LB-GTL

make sure you stay sub'd to openssl-project so you don't miss important messages like sign up codes for internal accounts

(groups.google.com/a/openssl.or... , groups.google.com/a/openssl.or... , etc )

07.01.2026 16:30 👍 6 🔁 0 💬 0 📌 0

I've used github.com/testssl/test... as a replacement for SSLLabs in the past with pretty good results.

03.12.2025 14:57 👍 1 🔁 0 💬 1 📌 0
Rustls Shortlisted for Two 2025 OpenUK Awards - The Rust Foundation The Rust Foundation is delighted to congratulate Rustls for being shortlisted in the Open Source Software and Security categories of the OpenUK Awards 2025 — and Joe Birr-Pixton, Rustls Creator, for…

With the @openuk.bsky.social Awards coming up, we’re excited that Rustls — a memory-safe TLS library — is shortlisted in two categories, and Creator Joe Birr-Pixton is also recognized individually.

The Rust Foundation is proud to support Rustls through the Rust Innovation Lab 🧡

02.12.2025 19:45 👍 11 🔁 5 💬 0 📌 0
The 2025 Go Cryptography State of the Union I delivered my traditional Go Cryptography State of the Union talk at GopherCon US 2025 in New York. It goes into everything that happened at the intersection of Go and cryptography over the last…

In August I delivered my traditional Go Cryptography State of the Union talk at @gophercon.com in New York.

It goes into everything at the intersection of Go and cryptography from the last year. (Also, bragging t-shirts!)

Watch the video or read the transcript of my performance review!

20.11.2025 15:57 👍 42 🔁 10 💬 1 📌 0
Netstack.FM — A Podcast About Networking and Rust Interviews, monologues, and deep dives into Rust and modern networking systems.

Maintaining #Rustls isn’t just code — it’s choices. Dirkjan shared how OSS maintainers balance safety vs. niche flexibility and why API instability or incompatibility can ripple across the ecosystem. Full story at netstack.fm/#episode-7

30.09.2025 13:34 👍 5 🔁 5 💬 0 📌 0

Congrats!!!!! 😍😍😍😍

23.09.2025 15:09 👍 1 🔁 0 💬 1 📌 0
cpu (@cpu@hachyderm.io) It has been zero days (0) since the last time I figured out my own bug by logging a Shitload-of-Hex and staring at it carefully.

I keep this post around so I can RT it every time this technique saves my butt and it's Too Often ™

hachyderm.io/@cpu/1125942...

08.09.2025 15:06 👍 3 🔁 2 💬 1 📌 0

We have a little blog post about this rustls.dev/blog/2025-09...

03.09.2025 16:51 👍 2 🔁 3 💬 0 📌 0
GitHub - letsencrypt/boulder: An ACME-based certificate authority, written in Go. An ACME-based certificate authority, written in Go. - GitHub - letsencrypt/boulder: An ACME-based certificate authority, written in Go.

Hello!

🤔 I'm biased, but github.com/letsencrypt/boulder is a good place to start (especially w.r.t code review). github.com/FiloSottile/... and the std lib tls package are also great (though you'd have to look at Gerrit for the latter since the Go project doesn't use GitHub for code review).

01.09.2025 17:15 👍 1 🔁 0 💬 1 📌 0
we lived

29.08.2025 17:27 👍 31 🔁 1 💬 0 📌 0

PowerDNS Recursor 5.3.0 has a nice note in the changelog:

> The embedded webserver used to display the status page and process REST API calls has been rewritten in Rust and now supports multiple listen addresses and TLS.

The new code is powered by Hyper+Rustls+Ring 🦀 🔒

(h/t Stefan Schmidt)

28.08.2025 16:07 👍 6 🔁 1 💬 0 📌 0
Experimental DNS over TLS support B.root-servers.net DNS operated by the University of Southern California

TIL the B root servers have deployed experimental DoT support for TLS on the recursor -> auth. server leg: b.root-servers.org/research/tls...

21.08.2025 20:09 👍 3 🔁 0 💬 0 📌 0
A document announcing the "Fourth ITU-T X.509 Day (2025) event" on September 5, 2025, from 13:00 to 16:00 (Geneva time). It details ITU-T X.509 as a foundational standard for public key infrastructure and digital certificates, outlining its history and applications. The event's objectives include reviewing X.509 progress, assessing post-quantum cryptography readiness, exploring decentralized PKI, discussing cross-border digital identity, strengthening AI trust, showcasing real-world adoption, and identifying future directions.

TIL that the ITU has an annual "X.509 Day", wheeee www.itu.int/md/T25-TSB-C...

30.07.2025 14:15 👍 3 🔁 2 💬 1 📌 0
The FIPS 140-3 Go Cryptographic Module Go now has a built-in, native FIPS 140-3 compliant mode.

We announced the new native Go FIPS 140-3 mode today!

FIPS 140, like it or not, is often a requirement, and I was increasingly sad about large deployments replacing the Go crypto packages with non-memory safe cgo bindings.

Go is now one of the easiest and most secure ways to build under FIPS 140.

15.07.2025 21:40 👍 200 🔁 50 💬 12 📌 4
crates.io: Rust Package Registry

Today we released rustls 0.23.29 crates.io/crates/rustl... -- highlights are better error reporting for unsupported signature algorithms in certificates, and quite a few performance improvements (via a set of changes that started almost 2 years ago!)

10.07.2025 15:26 👍 11 🔁 3 💬 1 📌 0
Release 0.8.0 · djc/instant-acme The 0.8 release contains substantial changes to make the API more modular. It integrates full support for ACME Renewal Information (ARI, recently standardized as RFC 9773). Since the 0.7.2 release,...

Pretty excited about the release of instant-acme 0.8, with lots of work from @cpu.xkeyscore.club (who joined as a maintainer) on ARI, profiles, integration testing and a much improved API.

github.com/djc/instant-...

09.07.2025 15:32 👍 7 🔁 1 💬 0 📌 0

I suspect the rustls-ffi numbers would look even better using curl w/ --ca-native on MacOS/Windows/etc where we can lean on rustls-platform-verifier to avoid all the PEM parsing & trust anchor construction for the big pile of system roots needed at startup on Linux.

07.07.2025 15:04 👍 5 🔁 0 💬 0 📌 0
Tested on Linux, with curl 8.14.1 and OpenSSL 3.4.1 (latest in nixpkgs) vs rustls-ffi 0.15.0

Full disclosure: bagder's measurements w/ the newer OpenSSL 3.5.1 show an improvement. It "only" performs 54,000 allocations....

07.07.2025 15:03 👍 2 🔁 0 💬 2 📌 0

Nerd-sniped by bagder into looking at how rustls-ffi stacks up against OpenSSL on memory allocations/peak heap usage when plugged in as a curl vTLS backend.

Headlines:
* with rustls-ffi 0.15.0: 2,176 allocations. peak heap of 394kB.
* with openssl 3.4.1: 308,132 allocations (!). peak heap of 2.1MB

07.07.2025 15:03 👍 18 🔁 4 💬 1 📌 0
Track two new CVE's of ogsudo by squell · Pull Request #1173 · trifectatechfoundation/sudo-rs Two new CVE's were disclosed yesterday in ogsudo which do not apply to sudo-rs since they pertain to functionality we chose not to support.

You love to see it.

01.07.2025 14:43 👍 4 🔁 0 💬 0 📌 0
🔥Keynote Speaker Announcement

We are delighted to announce that Roland Shoemaker will be a keynote speaker at this year's #gopherconuk.

Roland leads the Go Security team at Google, working on cryptography, transport security, vulnerability triage, and generally keeping Go secure. Before working on the Go team, he worked on the Let's Encrypt project building the certificate authority software which now issues millions of certificates each day.

Despite its 15 year history, Go has had a rather uneventful security history. In his keynote, Roland will talk about why that is, some of the mistakes made, and what they learnt. Along with what he's working on now, and what’s on the horizon to make Go an even better, safer language for the next 15 years.

Buy your tickets over on our website & join Roland as he opens Day 1 of our conference on 13th August 2025.

🎟️ https://buff.ly/Azghzwp

I don't think they post here, but excited to be talking about what the Go Security team does, and why (hopefully) you don't hear much about us, at GopherCon UK in August.

30.06.2025 20:33 👍 35 🔁 7 💬 2 📌 0

IP address certificate subjects are coming to Let's Encrypt SOON™: community.letsencrypt.org/t/getting-re...

The groundwork for this was started ~2020 so it's extremely cool to see it coming to fruition !

25.06.2025 16:00 👍 6 🔁 0 💬 0 📌 0
A screenshot of a GitHub warning banner with the text: "Your blame took too long to compute."

Harsh but fair

23.06.2025 19:15 👍 6 🔁 0 💬 0 📌 0

Wrote some notes on self-hosting an Atuin sync server and getting to it via Tailscale hackd.net/posts/atuin-...

19.06.2025 18:03 👍 3 🔁 1 💬 0 📌 0

*slaps roof of libcrypto* this bad boy can fit so much global mutable state inside it!

19.06.2025 03:05 👍 60 🔁 1 💬 1 📌 0

Had a gig wrap up a little earlier than expected, I should have availability starting July or so.

As always: if you need help with Embedded, Rust, or similar things, shoot me a message!

If you're a user of postcard, p-rpc, or are interested in the more experimental new ergot: shoot me a message!

17.06.2025 19:29 👍 36 🔁 21 💬 2 📌 1

I implore folks to apply a better theory of the mind than "they dumb or evil" to experienced Chrome engineers entrusted with the security of 3.5B people.

You can still disagree! But if you can't articulate their technical motivations, please pause for a second and consider you might be missing it.

17.06.2025 13:57 👍 50 🔁 3 💬 1 📌 0