Blog
On protocols, security, and how the internet actually works.
2026-06-30 [Protocol, SSL]
Everyone panicked about the 47-day certificate landing in 2029. Nobody noticed the first cut already happened: 200 days, mandatory since March 2026. The real story isn't validity — it's the revalidation clock dropping to 10 days.

2026-06-29 [Protocol, HTTP]
The difference between 301 and 302 isn't 'permanent vs temporary.' It's two unrelated decisions the codes quietly bundle together — and a 301 you set by accident can live in a stranger's browser cache forever.

2026-06-28 [Protocol, DNS]
Reverse DNS is the one record you can't set yourself, no RFC makes it mandatory, and your mail still gets rejected without it. Here's how a courtesy convention became a gatekeeper.

2026-06-27 [Protocol, HTTP]
Adding your domain to the HSTS preload list is a one-way door. The list lives inside the browser binary, not on your servers, so undoing it means waiting months for a Chrome release you don't control — and that's the part nobody mentions when they tell you to preload.

2026-06-26 [Protocol, Email]
Everyone agrees DANE is dead — a beautiful protocol stranded behind DNSSEC that nobody deployed. That verdict is American. In the Netherlands it's mandatory, in 2026 Microsoft shipped it, and on the web it really is dead. Same protocol, three fates.

2026-06-25 [Protocol, HTTP]
Most deployed CSPs do nothing. Google measured it: 94.7% of script-limiting policies are bypassable. The syntax is easy. The header is hard for a different reason.

2026-06-24 [Protocol, Email]
SMTP encryption has a hole you can drive a truck through: any attacker in the path can strip STARTTLS and read the mail in cleartext. MTA-STS closes it. Then it makes you host a web page to do so, which is why almost nobody bothered.

2026-06-23 [Protocol, Email]
In 1982 every mail server relayed for anyone — that was the design. Now relaying for a stranger gets you blocklisted before lunch. The word 'relay' survived. Everything underneath it inverted.

2026-06-22 [Opinion, tls]
One private key on every server, covering every subdomain you'll ever name. Wildcard certificates trade a small convenience for a blast radius you can't see — and the standards body finally agrees.

2026-06-21 [Protocol, DNS]
A wildcard DNS record reads like 'match everything below this name.' It doesn't. It never touches names that already exist — and it dies quietly the moment you add one record deep in the tree.

2026-06-20 [Protocol, DNS]
You add a DNS record and the world keeps saying it doesn't exist. Nothing is wrong with your record. DNS cached its absence — under a TTL you never set, governed by a field in the SOA that nobody touches.

2026-06-19 [security, DNS]
A web page you open can reach the router, printer, and smart speaker on your home network — through your own browser. DNS rebinding has worked for over two decades, and why it still works says something uncomfortable about how we built local networks.

2026-06-17 [Protocol, network]
The same IP address answers you in Seoul and someone else in São Paulo, from two different machines, and neither of you can tell. That's anycast — a lie told to BGP that the whole internet agreed to believe, and the trick that quietly made TCP work in hundreds of places at once.

2026-06-16 [Protocol, Email]
SPF dies on the first relay. DKIM survives until a mailing list edits the message. Then DMARC turns a 40-year-old nuisance into bounced mail. A tour of email's most reliably broken feature.

2026-06-15 [Protocol, DNS]
You set a TTL of 300 expecting changes in five minutes. Then traffic keeps hitting the old IP for an hour. TTL is not a schedule — it's a hint passed down a chain of caches that each reserve the right to ignore you.

2026-06-12 [Protocol, Email]
A valid DKIM signature does not mean DMARC passes. The signature proves a domain signed the mail — alignment decides whether that domain is allowed to speak for your From address.

2026-06-10 [DNS, security]
In 2017 a researcher registered a domain that displayed as apple.com in three major browsers, served over valid HTTPS. Every character was Cyrillic. The reason it's hard to fix is older and stranger than the bug itself.

2026-06-07 [Protocol, SSL]
Any one of ~150 certificate authorities can mint a valid cert for your domain. Your security is the weakest of all of them. Here's why it mostly works anyway.

2026-06-05 [Protocol, HTTP]
QUIC is reliable, ordered, congestion-controlled, and encrypted — everything UDP refuses to be. So why build it on UDP? Because UDP was the only new-protocol-shaped hole left in the internet's plumbing.

2026-06-03 [Protocol, DNS]
Everyone says there are 13 DNS root servers. There are more than 1,900. The number 13 is frozen into the internet because of a packet-size limit nobody worries about anymore — and the way that contradiction got resolved is one of the better infrastructure hacks ever shipped.

2026-06-01 [Protocol, DNS]
DNS runs the busiest request-response system on the internet on top of a transport that doesn't promise your packet will arrive. That wasn't a shortcut. It was the right call — until the answers got too big.

2026-05-30 [bot-detection, tls-fingerprinting, ja3, ja4, http2]
You can type any browser you like into your User-Agent string. It's the one field nobody trusts — because everything underneath it, the TLS handshake and the HTTP/2 settings, was written by your libraries, not by you.

2026-03-28 [Opinion, Protocol]
CDN consolidation means a single outage takes down thousands of sites. We traded distributed resilience for centralized convenience.

2026-03-28 [Protocol, DNS]
DoH wraps DNS queries in HTTPS. Same questions, same answers, different transport. The technical change is simple. The political implications are enormous.

2026-03-28 [Explainer, HTTP]
CDN cache poisoning tricks a CDN into caching a malicious response and serving it to all subsequent visitors. One weird request, a lot of collateral.

2026-03-28 [Protocol, SSL]
When a certificate is compromised, it needs to be revoked. Both mechanisms for checking revocation are fundamentally broken. Here's why.

2026-03-28 [Explainer, SSL]
Quantum computers will break RSA and elliptic curve crypto. The transition has already started — not because quantum computers are here, but because 'harvest now, decrypt later' is a real threat.

2026-03-28 [Protocol, SSL]
HTTPS encrypts everything — except which website you're visiting. The Server Name Indication field travels in plaintext before encryption starts.

2026-03-28 [Analysis, SSL]
TLS 1.0 and 1.1 are formally deprecated and rejected by every browser. And yet servers still offer them. How many, and why?

2026-03-28 [Opinion, Protocol]
A VPN shifts who can see your traffic from your ISP to the VPN provider. You're trusting a different entity, not eliminating trust.

2026-03-28 [Explainer, Protocol]
Every messaging app claims E2EE. Most users think it means total privacy. The reality is more nuanced, and the marketing oversells it.

2026-03-28 [Opinion, Analysis]
Abstraction made the internet usable. It also made it opaque. The cost shows up in bad security decisions, helplessness during outages, and cargo-cult configuration.

2026-03-27 [Protocol, DNS]
BGP routes the internet with no built-in authentication. Any autonomous system can announce any prefix. Route hijacking is trivially possible. Here's how it works and what RPKI is trying to fix.

2026-03-27 [Protocol, SSL]
Every TLS certificate issued by a public CA is logged in a publicly searchable, append-only log. This happened because of DigiNotar. Here's how CT works and why it matters.

2026-03-27 [Opinion, Analysis]
SOC 2, ISO 27001, PCI DSS — organizations treat compliance as proof of security. It isn't. Compliance is a floor. Security is the actual state of your defenses.

2026-03-27 [Analysis, Email]
Most domains that 'have' DMARC set it to p=none, which means monitor but don't enforce. It's a smoke detector without a siren.

2026-03-27 [Protocol, DNS]
You type a URL and the page loads. In between, your computer talked to at least four servers, traversed a hierarchy from 1983, and relied on caching so aggressive most queries never reach their destination.

2026-03-27 [Protocol, DNS]
DNSSEC is elegant cryptography with brutal operational reality. Two decades in, adoption is still under 20%. The protocol isn't the problem.

2026-03-27 [Analysis, Email]
SPF, DKIM, DMARC, MTA-STS, BIMI — five standards, twenty years, and the percentage of domains that have all of them could fit in a margin of error.

2026-03-27 [Protocol, HTTP]
Not all security headers are equal. Some prevent real attacks daily. Some are legacy relics browsers ignore. Here's an honest priority list.

2026-03-27 [Analysis, HTTP]
The gap between easy headers and hard headers is enormous. Most sites set X-Content-Type-Options and skip Content-Security-Policy. The data shows exactly how wide the gap is.

2026-03-27 [Protocol, SSL]
Before 2015, HTTPS meant someone cared. After Let's Encrypt, HTTPS means the server exists. We got encryption everywhere and lost a trust signal nobody has replaced.

2026-03-27 [Explainer, Protocol]
Model Context Protocol gives AI agents a standard way to call security tools. The recon workflow is about to change. The judgment part isn't.

2026-03-27 [Opinion, SSL]
The browser padlock creates false trust in hundreds of millions of users. HTTPS means encrypted, not safe. The icon should go.

2026-03-27 [Explainer, Protocol]
Passkeys are technically superior in every way — phishing-resistant, no shared secrets, biometric-friendly. Apple, Google, and Microsoft all support them. Adoption is still negligible.

2026-03-27 [Opinion, scoring]
I build security scoring systems. I know better than anyone that they don't measure actual security. Here's why I keep building them anyway.

2026-03-27 [Protocol, Email]
RFC 7208 limits SPF to 10 DNS lookups. Exceed it and your email authentication silently breaks. The limit made sense in 2003. It doesn't anymore.

2026-03-27 [Protocol, SSL]
Every HTTPS connection starts with a negotiation most developers never think about. Here's exactly what happens in TLS 1.3, step by step.

2026-03-27 [Opinion, Email]
2FA stops credential stuffing. It barely slows down the real-time phishing proxies that are actually stealing sessions in 2026.

2026-03-27 [Explainer, SSL]
In 2011, DigiNotar was hacked and 500+ fraudulent certificates were issued, including *.google.com. The aftermath reshaped the entire PKI ecosystem.

2026-03-27 [Protocol, Email]
SPF, DKIM, DMARC, BIMI, MTA-STS — email keeps stacking protocols on a 50-year-old system instead of replacing it. Here's why.

2026-03-27 [Opinion, Analysis]
Zero Trust started as a legitimate security architecture principle. It has been co-opted by every vendor to mean 'buy our product.' The original idea deserves better.