TLSS, or a portable PKI service in your pocket
Today I would like to talk about a small project that has been dragging on for, no more and no less, about two years. I named it TLSS, or TLS Service: a pocket PKI service.
Hackers managed to trick DigiCert into issuing legitimate certificates — then used them to sign malware. 🔏
When trust infrastructure itself becomes a pivot point, the whole "just check the cert" reflex gets a lot more complicated.
A good reminder that certificate validation is necessary, but not sufficient. #infosec #PKI #malware
https://hackread.com/hackers-digicert-issue-certificates-sign-malware/
⚠️ Let's Encrypt: Stopping Issuance for Potential Incident
"We have been made aware of a potential incident and are shutting down all issuance."
May 8, 2026 18:37 UTC
https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/69fe2d6698ca07050eb4b1b3
#letsencrypt #tls #webpki #pki #browsers #security #privacy #selfhosting #cybersecurity #ITInfrastructure
Certificate distribution has always been the messy part. Custom scripts, shared drives, passwords in plaintext somewhere.
We shipped deployment scripting with a template library for F5, Palo Alto, Azure, Exchange, and more. Variables encrypted, never on disk.
I looked at DNSViz data to figure out what happened yesterday with the de TLD:
https://blog.pouyan.net/en/post/2026/2026-05-06-denic-dnssec-failure/
tl;dr
A faulty key rollover at DENIC caused all DNS resolutions for the de TLD to fail for everyone using DNSSEC-enabled resolvers.
I could verify this using @cloudflareradar data:
https://radar.cloudflare.com/tlds/de?dateRange=2d#certificate-issuance-volume
You can see the sharp drop in #certificate issuance during the period that #de #TLD was having #DNSSEC issues.
This is actually good news. It indicates that CAs are using DNSSEC for domain validation.
50 SSL certificates managed manually: ~50 renewals a year today.
Same team, same certs, by 2029: 400.
The lifetime schedule is already in motion. Here's the math and what it means:
https://www.certkit.io/blog/shrinking-certificate-lifetimes
#PKI #infosec
The 47-day certificate: faster treadmill, same broken foundation
Managing TLS certificates has become pretty crazy: over the years validity was cut down from several years to two years to one year to half a year now. In a few years it will be only a little more than one month, with the additional requirement to basically continuously prove domain control.
(1/6)
https://offerman.com/en/blog/the-47-day-certificate-faster-treadmill-same-broken-foundation
#TLS #PKI #LetsEncrypt #ACME #DANE #DNSSEC #InternetSecurity #rant #selfhosting