All Blog Posts

  • Infrastructure security

Remediating AWS IMDSv1

  • icon Aug 11, 2021
  • icon 15 minutes read
  • icon 3007
2024-12-17 Updated to include Declarative Policies Compute resources in AWS (e.g. EC2 instances, ECS tasks/services, etc.) get access to AWS credentials, such as temporary instance role credentials, via the Instance Metadata Service (IMDS). The …
Read more
  • Sales enablement
  • Risk & compliance

The SOC2 Starting Seven

  • icon Mar 12, 2020
  • icon 17 minutes read
  • icon 3599
So, you plan to sell your startup’s product to big companies one day. Congratu-dolences! Really, that’s probably the only reason you should care about this article. If that’s not you, go forth and live your life! We’ll ask no more of your time. For …
Read more

Stop Using Encrypted Email

  • icon Feb 19, 2020
  • icon 8 minutes read
  • icon 1700
Email is unsafe and cannot be made safe. The tools we have today to encrypt email are badly flawed. Even if those flaws were fixed, email would remain unsafe. Its problems cannot plausibly be mitigated. Avoid encrypted email. Technologists hate this …
Read more
  • Cryptography

How (not) to sign a JSON object

  • icon Jul 24, 2019
  • icon 12 minutes read
  • icon 2363
Last year we did a blog post on interservice auth. This post is mostly about authenticating consumers to an API. That’s a related but subtly different problem: you can probably impose more requirements on your internal users than your customers. The …
Read more

The PGP Problem

  • icon Jul 16, 2019
  • icon 15 minutes read
  • icon 3030
Cryptography engineers have been tearing their hair out over PGP’s deficiencies for (literally) decades. When other kinds of engineers get wind of this, they’re shocked. PGP is bad? Why do people keep telling me to use PGP? The answer is that they …
Read more
  • Cryptography

Analyzing a simple encryption scheme using GitHub SSH keys

  • icon Sep 30, 2018
  • icon 6 minutes read
  • icon 1185
(This is an introductory level analysis of a scheme involving RSA. If you’re already comfortable with Bleichenbacher oracles you should skip it.) Someone pointed me at the following suggestion on the Internet for encrypting secrets to people based on …
Read more