Link Blog

💬 This is a comment on DNS-PERSIST-01: A New Model for DNS-based Challenge Validation The Source of Truth Connecting to a website? Sending an email? Which server1 you reach depends on DNS records. And CAA or SSHFP records establish trust for public key cryptographic protocols. DNS records are the source of truth. DNS API Tokens Currently, wildcard certificates with Let’s Encrypt require to write an arbitrary string in a DNS record, for every single certificate renewed or issued. In practice, this often involves sharing a write API token to change the DNS. This is risky: should an attacker obtain the token, they can do a lot of damage: hijack traffic (and get valid certificates for it), receive and send emails using the corresponding domain… ...

💬 This is a comment on 6-day and IP Address Certificates are Generally Available by Matthew McPherrin (via) Let’s Encrypt has just announced that short-lived1 certificates are generally available. They can also be used for IP addresses, which is especially useful for DNS over HTTPS. Those certificates could be smaller in the future, if information for validity checks is omitted. However, for now at least, these certificates still include revocation information. ...

💬 This is a comment on Short URLs: why and how by Derek Sivers In the Beginning Were Short URLs I recently read Derek Sivers’s Short URLs: why and how, again. He makes a compelling case for using very short, but meaningful, URLs on your website. Very short here means one or two words at most, or even just 2 to 4 characters. On his website, that’s https://sive.rs/anna, https://sive.rs/plaintext https://sive.rs/1s, or indeed https://sive.rs/su for that particular post. That’s very different from typical URLs like https://lexi-lambda.github.io/blog/2019/11/05/parse-don-t-validate/1 or https://github.blog/changelog/2021-10-11-improved-notification-email-titles-for-issues-and-prs/. ...