Encrypted Client Hello is now RFC 9849
This RFC defines an extension to Transport Layer Security that improves privacy for web users. Huge team effort and a win for the internet at large. Now to get deployment up...
Some words I wrote about this for @cdt.org: cdt.org/insights/enc...
I put together a job site for cryptography roles. It's in alpha, so please send me your bugs!
jobs.cryptography.consulting
USENIX Enigma has published its CFP for 2026: www.usenix.org/conference/u...
Submissions are due March 31, 2026. Looking forward to seeing many of you this year.
Iβm happy to be joining the USENIX Security β26 Enigma organizing committee this year, after having the chance to speak at Enigma three times. It has a long history as a home for early, practice-driven security ideas, often where work first gets aired before itβs fully polished or widely deployed.
Software has eaten the world. Banks, hospitals, power grids, planes. If the ground liquefies, everything built on it sinks. We're not talking about bad code anymore. We're talking about infrastructure failure at scale.
Liquefaction is what happens when shaking meets saturated ground. The soil loses structure and behaves like liquid. Buildings sink. In software: unverified code + relentless velocity + strained review = a codebase that can't hold weight.
And verification doesn't scale for free. 38% say reviewing AI code takes *more* effort than human code. Werner Vogels calls this verification debt. It compounds silently until something breaks.
π buildwithaws.substack.com/p/werner-vog...
Same survey: 96% of devs don't fully trust AI output. But only 48% say they always verify before committing. That gap is where bugs live. That gap is where security dies.
π www.sonarsource.com/company/pres...
Here's where it gets uncomfortable. Devs now say ~42% of their code is AI-generated. Projected to hit 65% by 2027. The codebase is becoming porous.
π www.sonarsource.com/company/pres...
AI isn't coming; it's already in the pipes. Over 1.1M public repos now depend on an LLM SDK. Almost 700K of those appeared in the last 12 months alone. +178% YoY.
π github.blog/news-insight...
Forget counting lines. Watch the flow. GitHub saw 518M pull requests merged in 2025, up 29% from the year before. That's not growth, that's a flood.
π github.blog/news-insight...
Software Heritage archived over 22 billion unique source files by end of 2024. That's just public code they could find. The real number is unknowable, and growing faster than anyone can track.
π annex.softwareheritage.org/public/annua...
Here's the scale we're dealing with: roughly 2.8 trillion lines of code written in the last 20 years. A huge chunk of that? Just the last two. The acceleration is the story.
π medium.com/modern-stack...
AI coding is an earthquake for software security. Not a tremor. The kind that liquefies the ground beneath your feet. We're mid-shake and most people are still debating if it's real.
π github.blog/news-insight...
Registration for Real World Crypto 2026 is now open! rwc.iacr.org/2026/registr...
Also, sign up for my upcoming mailing list! Occasional, high-signal updates: tally.so/r/2EBz4D
News! Iβll be joining the Internet Architecture Board(IAB) starting March 2026 at IETF 125 in Shenzhen(Iβll be participating remotely).
The IAB is part of the IETF ecosystem. It looks across Internet protocol work to provide architecture-level oversight and help keep the standards process healthy.
CDTβs @npdoty.techpolicy.social.ap.brid.gy and Visiting Fellow @nicksullivan.org joined a UN OHCHR workshop in Madrid with engineers, industry, and civil society to explore how technical standards affect internet usersβ human rights. Read their recap of the event:
At #IETF124 in MontrΓ©al @ietf.org last month I gave a talk about Measuring & Understanding ECH deployments as @ooni.org.
ECH is becoming a Frontline for whether the Internet remains Open, Private, and Resilient.
We need to Document Censorship, to Protect our Internet.
πΉ youtu.be/OmBNQKZtO3Q
The βcosmic-ray bit-flipβ thing actually being real and serious enough to recall every A320 on the planet was not on my 2025 bingo card.
This is an obvious but important result, but I'm not a fan of this characterization of poisoning as an attack. There are legitimate reasons to poison, especially if you consider an AI company to be the malicious party rather than the victim.
www.anthropic.com/research/sma...
Session 2 of the ARMOR side meeting starts today at 4 PM EST. Weβll be digging into next steps and shaping where this work goes next.
Agenda: trello.com/c/p4fjRkcl
Slides: github.com/grittygrease...
Join the list: mailman3.irtf.org/mailman3/lis...
The first ARMOR meeting was a success with 4 great presentations on different aspects of real-world protocol resilience by @vinifortuna.com , Brien Colwell, @distributeddave.bsky.social , and @hellais.bsky.social.
New guest post from CDT Visiting Fellow & IETF expert @nicksullivan.org: Encrypted Client Hello (ECH) closes the final major privacy gap in HTTPS by encrypting the Server Name Indication (SNI) β a milestone for online privacy. π Read more:
Today is Global Encryption Day hosted by Global Encryption Coalition.
Check it out here: www.globalencryption.org/2025/07/glob...
The SplinterCon conference about the splintering Internet is coming up in Paris early December and has opened its call for presentations. Itβs a great venue for early ideas in security, networking, and cryptography. Deadline: Oct 31, 2025. Apply here: splintercon.net/paris-partic...
Honored to be nominated for the Internet Architecture Board (IAB) for 2026β27. The IAB sets the Internetβs long-term technical direction and oversees the RFC Series and the IETF/IRTF. Feedback to the nominating committee is welcome: datatracker.ietf.org/nomcom/2025/..., I'd appreciate it!
At IETF124, the CFRG (where I co-chair) is testing a new session format: the first slot for new work and informational presentations, the second for consensus and advancing drafts. MLS (secure messaging) is also finalizing its extensions framework.
Full Agenda: datatracker.ietf.org/meeting/124/...
My new explainer with @cdt.org covers how ECH closes one of the last major metadata gaps in HTTPS by making hostnames private. Itβs been approved as an Internet Standard and is close to getting an RFC number: cdt.org/insights/enc...
We are hosting a side meeting for the ARMOR mailing list on Nov 3 at 19:00 EST (Duluth Room). Weβll be discussing how to make network protocols resilient in adversarial environments. Remote attendance welcome via WebEx: trello.com/c/8hhaa23A
