Lucene search
K
FilippoioMost viewed

106 matches found

Filippo.io
Filippo.io
added 2026/01/05 8:6 p.m.8 views

go.sum Is Not a Lockfile

I need everyone to stop looking at go.sum, especially to analyze dependency graphs. It is not a “lockfile,”1 and it has zero semantic effects on version resolution. There is truly no use case for ever parsing it outside of cmd/go. go.sum is only a local cache for the Go Checksum Database. It’s a...

7AI score
Exploits0
Filippo.io
Filippo.io
added 2025/12/19 2:3 p.m.8 views

Building a Transparent Keyserver

Today, we are going to build a keyserver to lookup age public keys. That part is boring. What’s interesting is that we’ll apply the same transparency log technology as the Go Checksum Database to keep the keyserver operator honest and unable to surreptitiously inject malicious keys, while still...

6.5AI score
Exploits0
Filippo.io
Filippo.io
added 2025/08/13 3:50 p.m.8 views

Cross-Site Request Forgery

Cross-Site Request Forgery CSRF is a confused deputy attack where the attacker causes the browser to send a request to a target using the ambient authority of the user’s cookies or network position.1 For example, attacker.example can serve the following HTML to a victim and the browser will send ...

6.5AI score
Exploits0
Filippo.io
Filippo.io
added 2025/10/10 2:33 p.m.7 views

A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises

Lack of memory safety is such a predominant cause of security issues that we have a responsibility as professional software engineering to robustly mitigate it in security-sensitive use cases—by using memory safe languages. Similarly, I have the growing impression that software supply chain...

6.3AI score
Exploits0
Filippo.io
Filippo.io
added 2025/07/31 4:55 p.m.7 views

Go Assembly Mutation Testing

While maintaining and developing the Go cryptography standard library, we often spend significantly more time on testing than on implementation. That’s good and an important part of how we achieve our excellent security track record. Ideally, this would be especially true for the least safe parts...

7.4AI score
Exploits0
Filippo.io
Filippo.io
added 2024/09/25 8:42 p.m.7 views

The FIPS Compliance of HKDF

HKDF is an HMAC-based key-derivation function specified in RFC 5869. It’s nice and we generally like using it. FIPS Federal Information Processing Standards is used generally as a moniker for the set of standards, recommendations, and guidance published by the U.S. National Institute of Standards...

7.3AI score
Exploits0
Total number of security vulnerabilities106