
Andrew Ayer

@agwa.name

Bootstrapped founder of SSLMate (https://sslmate.com). Making SSL certificates easier and doing #WebPKI and #CertificateTransparency research on the side. Blog: https://www.agwa.name He/him

206 Followers · 67 Following · 9 Posts · Joined 30.03.2024

Latest posts by Andrew Ayer @agwa.name

Why IP Address Certificates Are Dangerous and Usually Unnecessary Unless you're operating a DNS-over-TLS or DNS-over-HTTPS resolver, you should not use IP address certificates.

New blog post: Why IP Address Certificates Are Dangerous and Usually Unnecessary www.agwa.name/blog/post/ip...

19.02.2026 14:16 👍 1 🔁 0 💬 0 📌 0

Add GoDaddy (shocker, I know) to that list of CAs. A relative reached out to me for help because their biz website was getting flagged in Safari. New SSL cert issued by GoDaddy on 12/22 and one of the SCTs on the cert is for Digicert Sphinx 2027h1.

04.01.2026 16:25 👍 1 🔁 1 💬 0 📌 0
Certificate Authorities Are Once Again Issuing Certificates That Don't Work I've detected 16 CAs issuing certificates which rely on CT logs that are not recognized by all browsers

New blog post: Certificate Authorities Are Once Again Issuing Certificates That Don't Work
www.agwa.name/blog/post/ca...

10.12.2025 19:19 👍 5 🔁 3 💬 1 📌 0

Integrating with Google Cloud is a pick 2 of 3 situation:

1. No long-lived keys
2. Easy setup
3. Safe from suspension

I'm really disappointed in Google for artificially disincentivizing the secure options. 4/4

03.11.2025 14:49 👍 2 🔁 0 💬 0 📌 0

Alternative one is to have the customer create a service account and share a key with SSLMate - easy but less secure because long-lived keys are bad.

Alternative two is OpenID Connect which is secure but Google has made unnecessarily hard to set up. 3/4

03.11.2025 14:49 👍 2 🔁 0 💬 1 📌 0

SSLMate's solution (we create a service account for each customer) is easy AND secure and worked great for 5 years until we started getting hit with suspensions. 2/4

03.11.2025 14:49 👍 0 🔁 0 💬 1 📌 0
Google Just Suspended My Company's Google Cloud Account for the Third Time

Google just suspended SSLMate's Google Cloud account for the third time: www.agwa.name/blog/post/go...

The obvious fail is Google's trigger-happy account suspensions, but the more important fail is that Google is disincentivizing the secure options for cross-provider access with Google Cloud. 1/4

03.11.2025 14:49 👍 5 🔁 2 💬 1 📌 0
I'm Independently Verifying Go's Reproducible Builds Introducing Source Spotter, a Go Checksum Database auditor and Go toolchain reproducer

New blog post: I'm Independently Verifying Go's Reproducible Builds: www.agwa.name/blog/post/ve...

29.10.2025 18:06 👍 29 🔁 7 💬 1 📌 0
SQLite's Durability Settings are a Mess Is SQLite durable by default? What settings guarantee durability? The documentation and even comments from its creator give conflicting answers.

New blog post: SQLite's Durability Settings are a Mess www.agwa.name/blog/post/sq...

29.08.2025 16:49 👍 3 🔁 1 💬 0 📌 0

ca-certificates bundle incorrectly excludes root CAs with CKA_NSS_SERVER_DISTRUST_AFTER (#6) · Issues · alpine / ca-certificates · GitLab The build script in ca-certificates incorrectly omits CA roots with a "DistrustAfter" attribute. See this fix in curl: https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c#diff...

Turns out Alpine Linux has a copy of the same script from curl! I've raised an issue in their issue tracker: gitlab.alpinelinux.org/alpine/ca-ce...

07.01.2025 10:16 👍 3 🔁 1 💬 0 📌 0

The Entrust Distrust Will Be More Disruptive Than Intended Non-browser clients don't properly handle the Distrust After date

I recently investigated how the Entrust distrust would be unintentionally disruptive to non-browser clients: sslmate.com/blog/post/en...

Good news since then: curl has fixed their CA bundle generator, a fix is pending for mkcert.org, and python-certifi is pausing releases until mkcert is fixed!

25.11.2024 21:02 👍 5 🔁 2 💬 1 📌 0