#x509 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #x509, aggregated by home.social.
-
#strongSwan 6.0.6 has been released ( #IPsec / #VPN / #IKE / #IKEv1 / #IKEv2 / #PostQuantumIKEv2 / #PostQuantumEncryption / #PostQuantum / #X509 / #FreeSWAN ) https://strongswan.org/
-
#strongSwan 6.0.6 has been released ( #IPsec / #VPN / #IKE / #IKEv1 / #IKEv2 / #PostQuantumIKEv2 / #PostQuantumEncryption / #PostQuantum / #X509 / #FreeSWAN ) https://strongswan.org/
-
#strongSwan 6.0.6 has been released ( #IPsec / #VPN / #IKE / #IKEv1 / #IKEv2 / #PostQuantumIKEv2 / #PostQuantumEncryption / #PostQuantum / #X509 / #FreeSWAN ) https://strongswan.org/
-
#strongSwan 6.0.6 has been released ( #IPsec / #VPN / #IKE / #IKEv1 / #IKEv2 / #PostQuantumIKEv2 / #PostQuantumEncryption / #PostQuantum / #X509 / #FreeSWAN ) https://strongswan.org/
-
#strongSwan 6.0.6 has been released ( #IPsec / #VPN / #IKE / #IKEv1 / #IKEv2 / #PostQuantumIKEv2 / #PostQuantumEncryption / #PostQuantum / #X509 / #FreeSWAN ) https://strongswan.org/
-
#DigiCert customer support compromised with
.scrZIP attachment 🤷During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
-
#DigiCert customer support compromised with
.scrZIP attachment 🤷During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
-
#DigiCert customer support compromised with
.scrZIP attachment 🤷During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
-
#DigiCert customer support compromised with
.scrZIP attachment 🤷During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
-
#DigiCert customer support compromised with
.scrZIP attachment 🤷During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:
- DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
- Verokey High Assurance Secure Code EV
-
Weekend Reads
* DDoS scrubbing in BGP
https://labs.ripe.net/author/shyam-krishna-khadka/understanding-ddos-scrubbing-in-bgp-five-leading-scrubbers/
* Revocation of X.509 certs
https://blog.apnic.net/2026/04/24/revocation-of-x-509-certificates/
* Mobile telecom surveillance actors
https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
* Signalgate socio-technical analysis
https://arxiv.org/abs/2604.19711
* Inside a fake shops bulletproof host
https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host -
Weekend Reads
* DDoS scrubbing in BGP
https://labs.ripe.net/author/shyam-krishna-khadka/understanding-ddos-scrubbing-in-bgp-five-leading-scrubbers/
* Revocation of X.509 certs
https://blog.apnic.net/2026/04/24/revocation-of-x-509-certificates/
* Mobile telecom surveillance actors
https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
* Signalgate socio-technical analysis
https://arxiv.org/abs/2604.19711
* Inside a fake shops bulletproof host
https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host -
Weekend Reads
* DDoS scrubbing in BGP
https://labs.ripe.net/author/shyam-krishna-khadka/understanding-ddos-scrubbing-in-bgp-five-leading-scrubbers/
* Revocation of X.509 certs
https://blog.apnic.net/2026/04/24/revocation-of-x-509-certificates/
* Mobile telecom surveillance actors
https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
* Signalgate socio-technical analysis
https://arxiv.org/abs/2604.19711
* Inside a fake shops bulletproof host
https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host -
Weekend Reads
* DDoS scrubbing in BGP
https://labs.ripe.net/author/shyam-krishna-khadka/understanding-ddos-scrubbing-in-bgp-five-leading-scrubbers/
* Revocation of X.509 certs
https://blog.apnic.net/2026/04/24/revocation-of-x-509-certificates/
* Mobile telecom surveillance actors
https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
* Signalgate socio-technical analysis
https://arxiv.org/abs/2604.19711
* Inside a fake shops bulletproof host
https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host -
Weekend Reads
* DDoS scrubbing in BGP
https://labs.ripe.net/author/shyam-krishna-khadka/understanding-ddos-scrubbing-in-bgp-five-leading-scrubbers/
* Revocation of X.509 certs
https://blog.apnic.net/2026/04/24/revocation-of-x-509-certificates/
* Mobile telecom surveillance actors
https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
* Signalgate socio-technical analysis
https://arxiv.org/abs/2604.19711
* Inside a fake shops bulletproof host
https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host -
The Internet Last Week
* DigiCert CA bundle expiry
https://help.duo.com/s/article/9451
* Various US DoD route updates
https://www.cidr-report.org/cgi-bin/as-report?as=AS306
https://stat.ripe.net/widget/routing-history#resource=306&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS721
https://stat.ripe.net/widget/routing-history#resource=721&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27064
https://stat.ripe.net/widget/routing-history#resource=27064&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27065
https://stat.ripe.net/widget/routing-history#resource=27065&starttime=2026-03-29
* Quad9 enables DoH3 and DoQ
https://quad9.net/news/blog/quad9-enables-dns-over-http-3-and-dns-over-quic/ -
The Internet Last Week
* DigiCert CA bundle expiry
https://help.duo.com/s/article/9451
* Various US DoD route updates
https://www.cidr-report.org/cgi-bin/as-report?as=AS306
https://stat.ripe.net/widget/routing-history#resource=306&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS721
https://stat.ripe.net/widget/routing-history#resource=721&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27064
https://stat.ripe.net/widget/routing-history#resource=27064&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27065
https://stat.ripe.net/widget/routing-history#resource=27065&starttime=2026-03-29
* Quad9 enables DoH3 and DoQ
https://quad9.net/news/blog/quad9-enables-dns-over-http-3-and-dns-over-quic/ -
The Internet Last Week
* DigiCert CA bundle expiry
https://help.duo.com/s/article/9451
* Various US DoD route updates
https://www.cidr-report.org/cgi-bin/as-report?as=AS306
https://stat.ripe.net/widget/routing-history#resource=306&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS721
https://stat.ripe.net/widget/routing-history#resource=721&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27064
https://stat.ripe.net/widget/routing-history#resource=27064&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27065
https://stat.ripe.net/widget/routing-history#resource=27065&starttime=2026-03-29
* Quad9 enables DoH3 and DoQ
https://quad9.net/news/blog/quad9-enables-dns-over-http-3-and-dns-over-quic/ -
The Internet Last Week
* DigiCert CA bundle expiry
https://help.duo.com/s/article/9451
* Various US DoD route updates
https://www.cidr-report.org/cgi-bin/as-report?as=AS306
https://stat.ripe.net/widget/routing-history#resource=306&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS721
https://stat.ripe.net/widget/routing-history#resource=721&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27064
https://stat.ripe.net/widget/routing-history#resource=27064&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27065
https://stat.ripe.net/widget/routing-history#resource=27065&starttime=2026-03-29
* Quad9 enables DoH3 and DoQ
https://quad9.net/news/blog/quad9-enables-dns-over-http-3-and-dns-over-quic/ -
The Internet Last Week
* DigiCert CA bundle expiry
https://help.duo.com/s/article/9451
* Various US DoD route updates
https://www.cidr-report.org/cgi-bin/as-report?as=AS306
https://stat.ripe.net/widget/routing-history#resource=306&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS721
https://stat.ripe.net/widget/routing-history#resource=721&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27064
https://stat.ripe.net/widget/routing-history#resource=27064&starttime=2026-03-29
https://www.cidr-report.org/cgi-bin/as-report?as=AS27065
https://stat.ripe.net/widget/routing-history#resource=27065&starttime=2026-03-29
* Quad9 enables DoH3 and DoQ
https://quad9.net/news/blog/quad9-enables-dns-over-http-3-and-dns-over-quic/ -
The Internet Last Week
* IETF 125
https://www.ietf.org/meeting/125/
* Cuba power outage effects
https://noc.social/@cloudflareradar/116240190351546459
https://mastodon.social/@IODA/116246041272623316
https://infosec.exchange/@dougmadory/116240466331483809
https://mastodon.social/@netblocks/116240861464667713
* IoT DDoS botnets disrupted
https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
* Unallocated IP4 /13 announced
https://infosec.exchange/@spamhaus/116250561577999852
https://bgp.he.net/net/102.224.0.0/13
https://stat.ripe.net/widget/routing-history#resource=102.224.0.0/13&starttime=2026-03-15
* CAs must perform DNSSEC validation
https://cabforum.org/2025/06/18/ballot-sc-085v2-require-validation-of-dnssec-when-present-for-caa-and-dcv-lookups/
https://infosec.exchange/@mnordhoff/116240122433847371 -
The Internet Last Week
* IETF 125
https://www.ietf.org/meeting/125/
* Cuba power outage effects
https://noc.social/@cloudflareradar/116240190351546459
https://mastodon.social/@IODA/116246041272623316
https://infosec.exchange/@dougmadory/116240466331483809
https://mastodon.social/@netblocks/116240861464667713
* IoT DDoS botnets disrupted
https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
* Unallocated IP4 /13 announced
https://infosec.exchange/@spamhaus/116250561577999852
https://bgp.he.net/net/102.224.0.0/13
https://stat.ripe.net/widget/routing-history#resource=102.224.0.0/13&starttime=2026-03-15
* CAs must perform DNSSEC validation
https://cabforum.org/2025/06/18/ballot-sc-085v2-require-validation-of-dnssec-when-present-for-caa-and-dcv-lookups/
https://infosec.exchange/@mnordhoff/116240122433847371 -
The Internet Last Week
* IETF 125
https://www.ietf.org/meeting/125/
* Cuba power outage effects
https://noc.social/@cloudflareradar/116240190351546459
https://mastodon.social/@IODA/116246041272623316
https://infosec.exchange/@dougmadory/116240466331483809
https://mastodon.social/@netblocks/116240861464667713
* IoT DDoS botnets disrupted
https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
* Unallocated IP4 /13 announced
https://infosec.exchange/@spamhaus/116250561577999852
https://bgp.he.net/net/102.224.0.0/13
https://stat.ripe.net/widget/routing-history#resource=102.224.0.0/13&starttime=2026-03-15
* CAs must perform DNSSEC validation
https://cabforum.org/2025/06/18/ballot-sc-085v2-require-validation-of-dnssec-when-present-for-caa-and-dcv-lookups/
https://infosec.exchange/@mnordhoff/116240122433847371 -
The Internet Last Week
* IETF 125
https://www.ietf.org/meeting/125/
* Cuba power outage effects
https://noc.social/@cloudflareradar/116240190351546459
https://mastodon.social/@IODA/116246041272623316
https://infosec.exchange/@dougmadory/116240466331483809
https://mastodon.social/@netblocks/116240861464667713
* IoT DDoS botnets disrupted
https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
* Unallocated IP4 /13 announced
https://infosec.exchange/@spamhaus/116250561577999852
https://bgp.he.net/net/102.224.0.0/13
https://stat.ripe.net/widget/routing-history#resource=102.224.0.0/13&starttime=2026-03-15
* CAs must perform DNSSEC validation
https://cabforum.org/2025/06/18/ballot-sc-085v2-require-validation-of-dnssec-when-present-for-caa-and-dcv-lookups/
https://infosec.exchange/@mnordhoff/116240122433847371 -
The Internet Last Week
* IETF 125
https://www.ietf.org/meeting/125/
* Cuba power outage effects
https://noc.social/@cloudflareradar/116240190351546459
https://mastodon.social/@IODA/116246041272623316
https://infosec.exchange/@dougmadory/116240466331483809
https://mastodon.social/@netblocks/116240861464667713
* IoT DDoS botnets disrupted
https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
* Unallocated IP4 /13 announced
https://infosec.exchange/@spamhaus/116250561577999852
https://bgp.he.net/net/102.224.0.0/13
https://stat.ripe.net/widget/routing-history#resource=102.224.0.0/13&starttime=2026-03-15
* CAs must perform DNSSEC validation
https://cabforum.org/2025/06/18/ballot-sc-085v2-require-validation-of-dnssec-when-present-for-caa-and-dcv-lookups/
https://infosec.exchange/@mnordhoff/116240122433847371 -
RE: https://infosec.exchange/@paulehoffman/115889970411988081
Side note: this is why things like "multi-perapective corroboration" for domain validation do not work.
When every single packet to
.irnameservers and servers inside Iran pass through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any.irdomain or any server located in Iran. -
RE: https://infosec.exchange/@paulehoffman/115889970411988081
Side note: this is why things like "multi-perapective corroboration" for domain validation do not work.
When every single packet to
.irnameservers and servers inside Iran pass through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any.irdomain or any server located in Iran. -
RE: https://infosec.exchange/@paulehoffman/115889970411988081
Side note: this is why things like "multi-perapective corroboration" for domain validation do not work.
When every single packet to
.irnameservers and servers inside Iran pass through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any.irdomain or any server located in Iran. -
RE: https://abyssdomain.expert/@filippo/115674985400164090
An archive of all CT-logged certificates with all the tools needed for an analysis! No more scraping.
-
RE: https://abyssdomain.expert/@filippo/115674985400164090
An archive of all CT-logged certificates with all the tools needed for an analysis! No more scraping.
-
RE: https://abyssdomain.expert/@filippo/115674985400164090
An archive of all CT-logged certificates with all the tools needed for an analysis! No more scraping.
-
So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.
Does anybody have any idea when this will finally go live?
It's in the docs, but no mention that it is restricted to invited users only still
-
So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.
Does anybody have any idea when this will finally go live?
It's in the docs, but no mention that it is restricted to invited users only still
-
So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.
Does anybody have any idea when this will finally go live?
It's in the docs, but no mention that it is restricted to invited users only still
-
So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.
Does anybody have any idea when this will finally go live?
It's in the docs, but no mention that it is restricted to invited users only still
-
So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.
Does anybody have any idea when this will finally go live?
It's in the docs, but no mention that it is restricted to invited users only still
-
% openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text
…
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA
…🧐
-
% openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text
…
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA
…🧐
-
% openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text
…
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA
…🧐
-
% openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text
…
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA
…🧐
-
% openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text
…
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA
…🧐
-
Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.
Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.
So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.
-
Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.
Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.
So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.
-
Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.
Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.
So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.
-
Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.
Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.
So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.
-
Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.
Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.
So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.