This blog has not seen much activity lately because, since 2016, I've been spending all of my time on my next project called Hardenize. You should check it out. It's awesome.

It took a couple of years, but I am happy to report that my book Bulletproof TLS and PKI is now out and available in both digital and print. Although the title is slightly different this time, the new release is the second edition of my earlier work—Bulletproof SSL and... MORE »

Another year, another book to update. The third edition of OpenSSL Cookbook, my free book that covers command-line usage of OpenSSL, is now available for your pleasure. Although the structure of the book remains the same, it’s been significantly updated with the help of Matt Caswell, a member of the... MORE »

I am happy to announce that the second edition of Bulletproof SSL and TLS is now available in preview. As I write this, it’s November 2020 and roughly six years since we released the first edition. I am happy to say that things have worked out approximately how I thought... MORE »

I am very happy to announce Bulletproof SSL and TLS, the 2017 revision. The manuscript is complete and it’s now undergoing copyediting. We expect that the revision will be fully done by the end of July. Get your updates now if you can’t wait, or in August if you can.... MORE »

The last time I wrote about my book Bulletproof SSL and TLS was two years ago, just after publishing the first full revision. Although two years is a long time to go without a blog post, throughout this period I continued to work on the book, keeping it nearly-always up... MORE »

We’re excited to share with you the first preview of our next-generation grading. This is something that’s long overdue but, due to lack of available time, we managed to keep up patching the first-generation grading to keep up with the times. Now, finally, we’re taking the next necessary steps to... MORE »

In the second half of 2016, a series of events unfolded that culminated with something many didn’t think was possible (or at least thought very unlikely): a public CA was distrusted. The CA in question was WoSign, a Chinese CA who made some waves by offering free certificates back in... MORE »

Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restrict which CAs can issue certificates for a particular domain name. Although CAA had been in the proposed-standard state for more than 4 years,... MORE »

Ticketbleed is a recently disclosed vulnerability in some F5 load balancers. This problem allows attackers to retrieve up to 31 bytes of process memory, which could potentially include sensitive data (for example private keys). It is similar in nature to Heartbleed (a vulnerability in OpenSSL from 2014), but less severe... MORE »

Today saw another SSL Labs release, which brings several new features and includes one fix. In this blog post I will discuss what the new features are and why they’re interesting. As always, you’ll find the (recent) history of SSL Labs releases in the change log. Improved cipher suite testing:... MORE »
