106 matches found
Professional maintainers: a wake-up call
I work on the Go team at Google, but this is my personal opinion as someone who built a career on Open Source both at and outside big companies. Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021. And yet, the role of Open Source...
Playing with kernel TLS in Linux 4.13 and Go
Linux 4.13 introduces support for nothing less than... TLS! The 1600 LoC patch allows userspace to pass the kernel the encryption keys for an established connection, making encryption happen transparently inside the kernel. The only ciphersuite supported is AES-128-GCM as per RFC 5288, meaning it...
rustgo: calling Rust from Go with near-zero overhead
русский Go has good support for calling into assembly, and a lot of the fast cryptographic code in the stdlib is carefully optimized assembly, bringing speedups of over 20 times. However, writing assembly code is hard, reviewing it is possibly harder, and cryptography is unforgiving. Wouldn't it ...
The complete guide to Go net/http timeouts
I got an occasion to do a deep dive into net/http recently, and wrote a post about all the different timeouts you can set on the client and server side. How they work, how they interact and how to use them. The complete guide to Go net/http timeouts | CloudFlare Blog archive...
The Linux CSPRNG Is Now Good!
Oceans of ink and hours on stage have been spent to convince the world that the best random number generator is /dev/urandom, the kernel one. And it is, and its always been. However, an uncomfortable truth was that the Linux CSPRNG really could have been better than it was. Userspace CSPRNGs...
Touch-to-operate password-store with YubiKey 4
There are dozens of tutorials on how to fight GnuPG to use YubiKeys for everything, but my favorite overlooked feature of the YubiKey 4 is "touch to operate", where each cryptographic operation takes a physical touch of the gold surface. That pairs particularly well with password-store, a PGP...
Automatic Cipher Suite Ordering in crypto/tls
This is the first article I wrote for the Go blog !! about how TLS cipher suites configuration got so complicated, and how weve made it way easier in Go 1.17. The Go standard library provides crypto/tls, a robust implementation of Transport Layer Security TLS, the most important security protocol...
Easy Windows and Linux cross-compilers for macOS
tl;dr: you can install cross-compiler toolchains to compile C/C++ for Windows or Linux from macOS with these two Homebrew Formulas. brew install FiloSottile/musl-cross/musl-cross brew install mingw-w64 Cross-compiling C and C++ is dreadful. While in Go you just need to set an environment variable...
We need to talk about Session Tickets
More specifically, TLS 1.2 Session Tickets. Session Tickets, specified in RFC 5077, are a technique to resume TLS sessions by storing key material encrypted on the clients. In TLS 1.2 they speed up the handshake from two to one round-trips. Unfortunately, a combination of deployment realities and...
restic cryptography
tl;dr: this is not an audit and I take no responsibility for your backups, but I had a quick look at the crypto and I think I'm going to use restic for my personal backups. I keep hearing good things about restic. I am redoing my storage solution, and restic seems to tick all the boxes for my...
Vulnerability Reports Are Not Special Anymore
A requirement for staying sane while working in public as an open source maintainer is realizing that every issue, PR, and piece of feedback is a present, not an obligation. You can accept it, ignore it, and use it partially or not at all. Except… For years, as lead of the Go Security team at the...
The Reciprocal Value of Access to Maintainers
Last May I left Google to build a more sustainable model for Open Source maintenance. After a summer break, I resumed my maintenance work on the Go project in September, and I started offering my services to companies that rely on Go. My vision is that of Open Source maintenance as a real...
Re-Deriving the edwards25519 Decoding Formulas
A lot of my job is implementing specifications, and sometimes in a crypto spec youll encounter something like this p+3/8 3 p-5/8 x = u/v = u v u v^7 mod p and what you do is nod, copy it into a comment, break it down into a sequence of operations, and check that the result matches a test case.1...
Making a Gmail bot with Apps Script and TypeScript
Google Apps Script is one of the best hidden features of Gmail. Did you ever want just a bit more flexibility from a filter? Maybe the ability to remove a label, or match on a header, or just decide the order they are applied in. Apps Script can do all that and then some. They are simple JavaScri...
Setting a custom FileVault (macOS FDE) passphrase
FileVault 2 is the full-disk encryption system of macOS. Normally, it's turned on from System Preferences, and locks the disk with the passwords of all the users allowed to unlock the machine. Overloading the login/unlock/sudo password is an understandable UX simplicity choice, but makes it very...
XAES-256-GCM
About a year ago I wrote that “I want to use XAES-256-GCM/11, which has a number of nice properties and only the annoying defect of not existing.” Well, there is now an XAES-256-GCM specification. Had to give up on the /11 part, but that was just a performance optimization. XAES-256-GCM is an...
How to pay professional maintainers
I work on the Go team at Google, but this is my personal opinion as someone who built a career on Open Source both at and outside big companies. In a previous essay, Professional maintainers: a wake-up call, I argued that we need Open Source maintainers to professionalize into a role thats legibl...
Registries Considered Harmful
Cryptographic protocols and specifications often come with registries that map numeric or string identifiers to algorithms or suites. Something like this. 1 RSA-PSS-SHA256 2 RSA-PSS-SHA512 3 ECDSA-P256-SHA256 4 ECDSA-P521-SHA512 5 Ed25519 ... Youll find them everywhere. TLS, X.509, SSH, PGP, you...
The scrypt parameters
The recommended scrypt parameters in the Go docs were recently brought up for discussion given they havent changed since 2009. Even if at this point I memorized the three numbers N=16384, r=8, p=1 I only have a vague understanding of their meaning, so I took some time to read the scrypt paper. It...
Cleaning up my GOPATH with Homebrew
tl;dr: use the script at the bottom to go get into the Homebrew "Cellar" and keep your GOPATH clean. I personally like GOPATH and import paths, but while trying to reduce my laptop to a thin reproducible client, I felt the pain of keeping track of the hundreds of repositories that end up in there...
TLS 1.3 at 33c3
Nick Sullivan and I gave a talk about TLS 1.3 at 33c3, the latest Chaos Communication Congress. Here's the Fahrplan entry. We spoke about the flow of TLS 1.2 vs. TLS 1.3, how it manages to save a round trip, resumption and 0-RTT, forward secrecy and replays, all the things that were removed, all...
Securing a travel iPhone
These are dry notes I took in the process of setting up a burner iPhone SE as a secure travel device. They are roughly in setup order. I believe iOS to be the most secure platform one can use at this time, but there are a lot of switches and knobs. This list optimizes for security versus...
I want XAES-256-GCM/11
In 2023, the way to use AES is AES-GCM. Anything else is very unlikely to make sense. We might not like that, we might wish OCB hadn't been patented, but with hardware support in most processors these days GCM is both faster than the alternatives, ubiquitous, and just tolerable to implement. Stil...
Is X25519 Associative? Sometimes!
X25519 is a simple Elliptic Curve Diffie-Hellman ECDH function: it takes a scalar a fancy name for an integer1 and an elliptic curve point, and it multiplies the elliptic curve point by the scalar. Point additions and multiplications work modulo the order of the point, just like hours on a watch...
Reproducing Go binaries byte-by-byte
Fully reproducible builds are important because they bridge the gap between auditable open source and convenient binary artifacts. Technologies like TUF and Binary Transparency provide accountability for what binaries are shipped to users, but that's of limited utility if there is no way short of...
Benchmarking RSA Key Generation
RSA key generation is both conceptually simple, and one of the worst implementation tasks of the field of cryptography engineering. Even benchmarking it is tricky, and involves some math: here’s how we generated a stable but representative “average case” instead of using the ordinary statistical...
Let’s All Agree to Use Seeds as ML-KEM Keys
Last week, NIST published the final version of the ML-KEM1 specification, FIPS 203. One change from the draft is that the final document explicitly allows storing the private decapsulation key as a seed. This is a plea to the cryptography engineering community: let’s all agree to only use seeds a...
age Plugins
age is a file encryption tool, library, and format. It lets you encrypt files to “recipients” and decrypt them with “identities”. $ age-keygen -o key.txt Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p $ tar cvz /data | age -r...
A GC-Friendly Go Interning Cache
Ive seen a little gem pass by in a Go cryptography code review and I want to share it because I think its a pattern that can be reused. Lets start with a problem statement: crypto/x509 Certificate values take a bunch of memory, and for every open TLS connection you end up with a copy of the leaf...
How to protect yourself from the WebEx extension
On Monday, Tavis Ormandy of Project Zero revealed that the Cisco WebEx Chrome extension 20M users has a critical vulnerability. OMFG🔥 The WebEx Chrome extension has a trivial code execution vulnerability: any website could just install malware on your machine silently -- Filippo Valsorda...
The 2025 Go Cryptography State of the Union
This past August, I delivered my traditional Go Cryptography State of the Union talk at GopherCon US 2025 in New York. It goes into everything that happened at the intersection of Go and cryptography over the last year. You can watch the video with manually edited subtitles, for my fellow subtitl...
Geomys, a blueprint for a sustainable open source maintenance firm
In 2022, I left Google in search of a sustainable approach to open source maintenance. A year later, I was a full-time independent professional open source maintainer. Today I’m announcing the natural progression of that experiment: Geomys,1 a small firm of professional maintainers with a portfol...
Reconstruct Instead of Validating
Project Zero dropped a great bug in Vault which I think would have been prevented by one of the lessons learned of cryptography engineering: when you can, always prefer reconstructing a value rather than parsing and validating it. You should read the blog post to understand the attack first,...
NaCl Is Not a High-Level API
When talking about high-level application cryptography APIs I usually hear mentioned libsodium, Tink, pyca/cryptography, and NaCl. One of these things is not like the others! The value NaCl had 10 years ago was that it was an opinionated library at a time when all cryptography libraries were...
I'm giving up on PGP
After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up. At least on the concept of long term PGP keys. This is not about the gpg tool itself, or about tools at all. Many already wrote about that. It's about the lon...
The Geomys Standard of Care
One of the most impactful effects of professionalizing open source maintenance is that as professionals we can invest into upholding a set of standards that make our projects safer and more reliable. The same commitments and overhead that are often objected to when required of volunteers should b...
We need to talk about Session Tickets
More specifically, TLS 1.2 Session Tickets. Session Tickets, specified in RFC 5077, are a technique to resume TLS sessions by storing key material encrypted on the clients. In TLS 1.2 they speed up the handshake from two to one round-trips. Unfortunately, a combination of deployment realities and...
Reproducing Go binaries byte-by-byte
Fully reproducible builds are important because they bridge the gap between auditable open source and convenient binary artifacts. Technologies like TUF and Binary Transparency provide accountability for what binaries are shipped to users, but that's of limited utility if there is no way short of...
TLS nonce-nse
Starting a series of blog posts on TLS 1.3, I published my notes on the landscape of cipher nonces in TLS across versions, to help me clean up the implementation. Comes with hand-drawn diagrams! TLS nonce-nse | CloudFlare Blog archive...
Maintainers of Last Resort
Geomys is an organization of professional open source maintainers, focused on a portfolio of critical Go projects. For example, we are two thirds of the Go standard library cryptography maintainers, we provide the FIPS 140-3 validation of the upstream Go Cryptographic Module, and we fund the...
New Crypto in Go 1.14
Go 1.14 is out and with it come a few nice updates to crypto/tls! Will this certificate work? Certificate selection in TLS1 is a mess. I was going to try and describe it here to make the point, but I kept getting it wrong and it was even too messy for something just meant to make the point that i...
A Cryptography Engineer’s Perspective on Quantum Computing Timelines
My position on the urgency of rolling out quantum-resistant cryptography has changed compared to just a few months ago. You might have heard this privately from me in the past weeks, but it’s time to signal and justify this change of mind publicly. There had been rumors for a while of expected an...
You Should Run a Certificate Transparency Log
Hear me out. If you are an organization with some spare storage and bandwidth, or an engineer looking to justify an overprovisioned homelab, you should consider running a Certificate Transparency log. It’s cheaper, easier, and more important than you might think. Certificate Transparency CT is on...
Turn Dependabot Off
Dependabot is a noise machine. It makes you feel like you’re doing work, but you’re actually discouraging more useful work. This is especially true for security alerts in the Go ecosystem. I recommend turning it off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck...
Claude Code Can Debug Low-level Cryptography
Over the past few days I wrote a new Go implementation of ML-DSA, a post-quantum signature algorithm specified by NIST last summer. I livecoded it all over four days, finishing it on Thursday evening. Except… Verify was always rejecting valid signatures. $ bin/go test crypto/internal/fips140/mlds...
Accumulated Test Vectors
I like tests. I especially like reusable test vector libraries. Sometimes test vectors are lovingly handcrafted to target obscure edge-cases. Those vectors belong in Wycheproof or with the upstream specification. Sometimes though vectors are produced by sheer brute force. Enumerate every possible...
So you want to expose Go on the Internet
I was asked to contribute a post to the excellent Gopher Academy advent series. I took the occasion to write down what I learned deploying a Go service on the Cloudflare edge. The result is a catalogue of what you need to know before you drop NGINX from in front of your Go server. The net/http pa...
Quantum Computers Are Not a Threat to 128-bit Symmetric Keys
The advancing threat of cryptographically-relevant quantum computers has made it urgent to replace currently-deployed asymmetric cryptography primitives—key exchange ECDH and digital signatures RSA, ECDSA, EdDSA—which are vulnerable to Shor’s quantum algorithm. It does not, however, impact existi...
Inspecting the Source of Go Modules
Go has indisputably the best package integrity story of any programming language ecosystem. The Go Checksum Database guarantees that every Go client in the world is using the same source for a given Go module and version, forever. It works despite the decentralized nature of Go modules, which can...
Encrypting Files with Passkeys and age
Typage age-encryption on npm is a TypeScript1 implementation of the age file encryption format. It runs with Node.js, Deno, Bun, and browsers, and implements native age recipients, passphrase encryption, ASCII armoring, and supports custom recipient interfaces, like the Go implementation. However...