CDNs Are a Single Point of Failure
CDN consolidation means a single outage takes down thousands of sites. We traded distributed resilience for centralized convenience.
On protocols, security, and how the internet actually works.
DoH wraps DNS queries in HTTPS. Same questions, same answers, different transport. The technical change is simple. The political implications are enormous.
CDN cache poisoning tricks a CDN into caching a malicious response and serving it to all subsequent visitors. One weird request, a lot of collateral.
When a certificate is compromised, it needs to be revoked. Both mechanisms for checking revocation are fundamentally broken. Here's why.
Quantum computers will break RSA and elliptic curve crypto. The transition has already started — not because quantum computers are here, but because 'harvest now, decrypt later' is a real threat.
HTTPS encrypts everything — except which website you're visiting. The Server Name Indication field travels in plaintext before encryption starts.
TLS 1.0 and 1.1 are formally deprecated and rejected by every browser. And yet servers still offer them. How many, and why?
A VPN shifts who can see your traffic from your ISP to the VPN provider. You're trusting a different entity, not eliminating trust.
Abstraction made the internet usable. It also made it opaque. The cost shows up in bad security decisions, helplessness during outages, and cargo-cult configuration.
Every messaging app claims E2EE. Most users think it means total privacy. The reality is more nuanced, and the marketing oversells it.
BGP routes the internet with no built-in authentication. Any autonomous system can announce any prefix. Route hijacking is trivially possible. Here's how it works and what RPKI is trying to fix.
Every TLS certificate issued by a public CA is logged in a publicly searchable, append-only log. This happened because of DigiNotar. Here's how CT works and why it matters.
SOC 2, ISO 27001, PCI DSS — organizations treat compliance as proof of security. It isn't. Compliance is a floor. Security is the actual state of your defenses.
Most domains that 'have' DMARC set it to p=none, which means monitor but don't enforce. It's a smoke detector without a siren.
You type a URL and the page loads. In between, your computer talked to at least four servers, traversed a hierarchy from 1983, and relied on caching so aggressive most queries never reach their destination.
DNSSEC is elegant cryptography with brutal operational reality. Two decades in, adoption is still under 20%. The protocol isn't the problem.
SPF, DKIM, DMARC, MTA-STS, BIMI — five standards, twenty years, and the percentage of domains that have all of them could fit in a margin of error.
Not all security headers are equal. Some prevent real attacks daily. Some are legacy relics browsers ignore. Here's an honest priority list.
The gap between easy headers and hard headers is enormous. Most sites set X-Content-Type-Options and skip Content-Security-Policy. The data shows exactly how wide the gap is.
Before 2015, HTTPS meant someone cared. After Let's Encrypt, HTTPS means the server exists. We got encryption everywhere and lost a trust signal nobody has replaced.
Model Context Protocol gives AI agents a standard way to call security tools. The recon workflow is about to change. The judgment part isn't.
The browser padlock creates false trust in hundreds of millions of users. HTTPS means encrypted, not safe. The icon should go.
Passkeys are technically superior in every way — phishing-resistant, no shared secrets, biometric-friendly. Apple, Google, and Microsoft all support them. Adoption is still negligible.
I build security scoring systems. I know better than anyone that they don't measure actual security. Here's why I keep building them anyway.
RFC 7208 limits SPF to 10 DNS lookups. Exceed it and your email authentication silently breaks. The limit made sense in 2003. It doesn't anymore.
Every HTTPS connection starts with a negotiation most developers never think about. Here's exactly what happens in TLS 1.3, step by step.
2FA stops credential stuffing. It barely slows down the real-time phishing proxies that are actually stealing sessions in 2026.
In 2011, DigiNotar was hacked and 500+ fraudulent certificates were issued, including *.google.com. The aftermath reshaped the entire PKI ecosystem.
SPF, DKIM, DMARC, BIMI, MTA-STS — email keeps stacking protocols on a 50-year-old system instead of replacing it. Here's why.
Zero Trust started as a legitimate security architecture principle. It has been co-opted by every vendor to mean 'buy our product.' The original idea deserves better.