
Andrew Ayer

@agwa@follow.agwa.name
pleroma 2.10.0
@agwa@agwa.name

Bootstrapped founder of SSLMate (https://sslmate.com) and DNS Helper (https://www.dnshelper.com). Making SSL certificates and DNS records easier. #WebPKI and #CertificateTransparency research on the side.
0 Followers
0 Following
Joined November 12, 2022
Website:
https://www.agwa.name
Pronouns:
he/him
Email:
andrew@agwa.name
Location:
Boston

Posts

@agwa@follow.agwa.name · Feb 19, 2026
New blog post: Why IP Address Certificates Are Dangerous and Usually Unnecessary https://www.agwa.name/blog/post/ip_address_certs
@agwa@follow.agwa.name · Feb 03, 2026
I just released govulncheck-deep, a program that recursively descends deep into archive files, S3 buckets, APT repos, etc. and runs govulncheck on every Go binary that it finds. I run it daily to make sure SSLMate's production environment stays free of known vulns.

There are other tools that do deep vulnerability scanning (e.g. Trivy), but they don't use govulncheck so they're overrun with false positives.

https://github.com/AGWA/deepscan
@agwa@follow.agwa.name · Jan 14, 2026
The State of OpenSSL for pyca/cryptography: https://cryptography.io/en/latest/statements/state-of-openssl/

Spoiler: it's bad.
@agwa@follow.agwa.name · Jan 13, 2026
Before I use a third-party Go package, I like to know its transitive dependencies. I can't just look at go.mod, because it lists dependencies for all the packages in the module, not just the package I'm importing. So I made a little web page that runs `go list -deps` to get the real dependencies of a package: https://sourcespotter.com/deps/
@agwa@follow.agwa.name · Dec 10, 2025
New blog post: Certificate Authorities Are Once Again Issuing Certificates That Don't Work
https://www.agwa.name/blog/post/cas_are_issuing_broken_certificates_again
@agwa@follow.agwa.name · Dec 02, 2025
Certum, Cybertrust Japan, GlobalSign, Izenpe, NAVER, SECOM, SHECA, SSL.com, and TWCA are all issuing busted SSL certificates because instead of reading Apple and Chrome's JSON log lists which tell them exactly which Certificate Transparency logs are safe to use, they're assuming any log with "2027h1" in the name is good: https://groups.google.com/a/chromium.org/d/msgid/ct-policy/20251202114350.acbfe1173c6cad1aadfb98c7%40andrewayer.name

If you got a certificate from any of these CAs in the last few days, you should test your site using SSLMate's CT Policy Analyzer: https://sslmate.com/labs/ct_policy_analyzer/
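
An added example, not part of the original post and not SSLMate's or any CA's code: it contrasts the name-matching shortcut described above with selecting logs from the log list's own `state` and `temporal_interval` fields. The sample list is constructed (all operators and URLs are invented), and treating only the `usable` state as safe to submit to is a simplifying assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a v3 CT log list; every operator, name and URL is invented.
SAMPLE_LOG_LIST = json.loads("""
{"operators": [
  {"name": "Example Operator A", "logs": [
    {"description": "Alpha 2027h1", "url": "https://alpha2027h1.ct.example/",
     "state": {"usable": {"timestamp": "2025-10-01T00:00:00Z"}},
     "temporal_interval": {"start_inclusive": "2027-01-01T00:00:00Z",
                           "end_exclusive": "2027-07-01T00:00:00Z"}},
    {"description": "Alpha 2026h2", "url": "https://alpha2026h2.ct.example/",
     "state": {"usable": {"timestamp": "2025-04-01T00:00:00Z"}},
     "temporal_interval": {"start_inclusive": "2026-07-01T00:00:00Z",
                           "end_exclusive": "2027-01-01T00:00:00Z"}}]},
  {"name": "Example Operator B", "logs": [
    {"description": "Beta 2027h1", "url": "https://beta2027h1.ct.example/",
     "state": {"pending": {"timestamp": "2025-11-15T00:00:00Z"}},
     "temporal_interval": {"start_inclusive": "2027-01-01T00:00:00Z",
                           "end_exclusive": "2027-07-01T00:00:00Z"}}]}
]}
""")

def parse_ts(value):
    """Parse the list's UTC timestamps (e.g. 2027-01-01T00:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def logs_by_name(log_list, shard):
    """The shortcut: accept any log whose URL or description mentions the shard."""
    return sorted(log["url"] for op in log_list["operators"]
                  for log in op.get("logs", [])
                  if shard in log["url"] or shard in log["description"])

def logs_by_policy(log_list, not_after):
    """Accept a log only if the list marks it usable and its interval covers notAfter."""
    selected = []
    for op in log_list["operators"]:
        for log in op.get("logs", []):
            if "usable" not in log.get("state", {}):
                continue  # pending, retired, rejected, etc. are skipped (assumed policy)
            interval = log.get("temporal_interval")
            if interval and not (parse_ts(interval["start_inclusive"])
                                 <= not_after < parse_ts(interval["end_exclusive"])):
                continue  # log does not accept certificates expiring at this time
            selected.append(log["url"])
    return sorted(selected)
```

For a certificate expiring in March 2027, the name match returns both "2027h1" logs, while the list-driven check drops the one that is still `pending`.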
@agwa@follow.agwa.name · Dec 02, 2025
Certificate authority Certum is asleep at the wheel, logging certificates to Certificate Transparency logs that are not widely trusted. Certum certificates expiring in 2027 might not work in browsers.

There's really no excuse for this, as Apple and Chrome publish simple JSON files specifying exactly what logs a CA should be using!
@agwa@follow.agwa.name · Sep 04, 2025
The first rogue 1.1.1.1 certificate was issued by Fina and logged to Certificate Transparency over a year ago.
AFAICT, the first person to notice any of this was Hacker News user JXzVB0iA, two days ago: https://news.ycombinator.com/item?id=45089708
This morning, it was reported to the certificate-transparency mailing list, with attribution to JXzVB0iA.
A few hours later, it was reported to the mozilla-dev-security-policy mailing list, without attribution.
Then Dan Goodin wrote his article, citing the mozilla-dev-security-policy post.
Very surprising that Cloudflare did not notice given they operate a CT monitor.
@agwa@follow.agwa.name · Sep 03, 2025
@Rairii That's what it looks like
@agwa@follow.agwa.name · Sep 03, 2025
Hey look, another certificate authority trusted ONLY by Microsoft is issuing certificates without validation (1.1.1.1/Cloudflare DNS in this case): https://crt.sh/?sha256=D42B028468E73795365102058CBCD350AD0A0B9CA7073C5362A570C5EC208A92
(h/t Hacker News user JXzVB0iA)