One year from now, Chrome will enable "Always Use Secure Connections" and warn users before plaintext HTTP by default.
Chrome has published version 1.6 of their root store policy.
Notably, this includes a deadline of June 15, 2026 to get TLS Client Auth out from any intermediates under roots in Chrome's program.
TLS client cert users from public CAs may need to make changes.
www.chromium.org/Home/chromiu...
Available at aftercare pickup alongside info about district protocols for immigration enforcement. This school district understood the assignment
Good news, from @mozilla and @risksahead! "New ETSI draft standard on QWACs is good news for safety of European internet users"
Behold, a rare, endangered specimen: a goddamn spine secure.smore.com/n/x03zs-a-me...
I am convinced 99% of websites should use magic links + passkeys.
It bypasses all (debatable) portability objections to passkeys, it's at least as secure as email-based recovery, as fast as a password manager, it's available to all users… and importantly, no passwords!
Safari 18.2 released 3 days ago has HTTPS-first/by-default mode:
"Safari 18.2 on iOS, iPadOS, and visionOS will always try to load webpages over secure connections first, i.e. HTTPS by default. Only if the secure page load fails will Safari fall back to non-secure HTTP."
webkit.org/blog/16301/w...
TIL: quokka
periods are such unbelievable bullshit
facebook error
netflix error
okta error
whatsapp error
Handling Cookies is a Minefield:
Inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.
grayduck.mn/2024/11/21/h...
Atomic Age style poster of a man on a laptop in a coffee shop using public wi-fi. The coffee cup says Wi-Fi.
Some thoughts on the quiet HTTPS revolution:
medium.com/@boblord/the...
Tag on a children's jacket showing multiple lines to write names, where each name can be removed once the jacket is handed down to another child
Tiny, impeccable design detail: this children's jacket is designed to be a hand-me-down
I caught a full vomit into my hands tonight without a single drop hitting the couch, so maybe I do qualify as a medical professional after all
My colleague @serena.nz gave an amazing PurpleCon talk describing the behind-the-scenes experience of removing the (in?)famous lock icon from Chrome: www.youtube.com/watch?v=iUAx...
One day I aspire to get as many laughs during a talk as a 90s sitcom laugh track
Could you please remove me? I'm not a medical professional
ha, very true :)
I seem to have gotten added to some medical starter packs for some reason. If you're following me for medical stuff, sorry, wrong person! Feel free to stick around if you want to answer my random medical questions every time one of my children brings home some weird virus from school.
Bold of you to assume I still haven't seen Heathers after not asking me whether I've seen Heathers yet in at least… 3 years?
(I still haven't seen Heathers. Back to Twitter I go, I guess…)
Ok so I guess we're all doing this app now?
We've now established a pattern where Go is the first non-browser stack to implement new TLS features, so we flush out all the bugs Chrome didn't hit.
Today it's tldr.fail. PQ shares were already default in Chrome, but Go 1.23 is surfacing new broken middleboxes.
Last time it was X.509 SANs.
Somehow on this vacation I've ended up in a chicken coop with Ron Rivest's grandkids
I don't suppose the meal is a nice breakfast waiting for you when you get up in the morning?
One of these days I'm going to livetweet my night because it might be the only way to convey how ridiculous nights are in my house. I haven't even gone to bed yet and kids have woken up a combined total of 4 times already
I'm on an infinite loop of forgetting where my coffee is and finding it in the microwave
also CAA. but, I think this is subtle; it seems easy for people to go to the other extreme and misunderstand CT to be way more than it is. and it is still true that each CA is still a weak link, just a lot less weak than before
If I were a baby I would simply not vomit all over my mom's bed at 1am
What are the most effective nonprofit orgs working against gun violence / for gun control?
kudos to @dadrian.io for the simpsons reference and to our marketing team for not editing it out
If you, like me, dislike when tiny icons lead to large misconceptions about security, you will be happy to hear that the lock icon in Chrome is going away. Come for the browser security UI news, stay for the perfect Simpsons reference: https://blog.chromium.org/2023/05/an-update-on-lock-icon.html
I have to think on that a bit but doing DV 2x might actually make sense. MTC CAs might be a different policy regime than traditional CAs, e.g. different set of allowed DV methods