Articles I've written

Validity period of HTTPS certificates issued from a user-added CA is essentially 2 years
August 18, 2023

Since 2020, the maximum lifetime of HTTPS certificates has been limited to 1 year, 398 days exactly. I've previously written about the history and the reasons behind the change. But the reduced lifetime applies only to certificates issued from a public certification authority (CA) added to the operating system's or the browser's trusted root store by the vendor.

Inspecting HTTPS traffic in iOS, on Windows with Fiddler
December 1, 2020 (updated February 9, 2024)

Some time ago, I changed my Google password. That change logged me out of my Google account on my iPad, so Photos, Chrome, and other apps were asking for my password again to log me back in. The only problem was that all I could see was a blank page instead of the Google login form, or just a -- (NSURLErrorDomain: -999) error.

My web security training, now available remotely
June 9, 2020

I'm organizing another round of my training, this time remotely. Afternoons, for half of the regular price.

Check TLS certificate revocation with SSL Labs, crt.sh and OpenSSL
March 7, 2020 (updated July 27, 2024)

Browsers mostly don't check whether an HTTPS certificate has been revoked, so maybe you'd like to do it manually. There are a few ways to query an Online Certificate Status Protocol (OCSP) server, so let's see some of them. You'll need a browser (and the openssl tool).

Maximum HTTPS certificate lifetime to be 1 year soon
February 21, 2020 (updated September 2, 2020)

In February 2020 at the CA/Browser Forum in Bratislava, Slovakia (and later officially), Apple announced that starting September 1st, 2020, the maximum TLS certificate lifetime in Safari (and probably in the whole macOS and iOS and all apps) will be just 1 year, 398 days exactly. Apple's change was followed by both Chrome and Mozilla later that year. That's very good news. But why?

I don't use any VPN for security or anonymity
October 23, 2019

NordVPN, a VPN service provider, got hacked some time in 2018. In their official response, they say that only one server was affected due to an insecure remote management system left on the machine by the datacenter provider. Private keys got leaked (bad), some other VPN providers were also breached (bad) but that's not what I want to write about (good) because there are better places to read about it.

Disable TLS 1.0 & 1.1 today
October 16, 2018 (updated March 23, 2021)

Microsoft, Google, Apple & Mozilla announced yesterday that they're removing the TLS 1.0 and TLS 1.1 protocols from the Internet Explorer, Edge, Chrome, Safari & Firefox browsers in the middle of 2020. Your visitors most probably don't use them anymore, so you can disable them in your server configs today. But let's verify that first using the “Handshake Simulation” tool available in the SSL Labs Server Test.

Browsers are hiding the padlock and it's a Good Thing™
October 15, 2018 (updated October 21, 2023)

Magical properties are often attributed to the padlock icon 🔒 which marks “secure” pages. For example, you'll often hear that the icon indicates trustworthy websites that won't abuse your data and passwords. The padlock is gradually being removed and that's a Good Thing™. But why?

Not secure: Chrome and HTTP websites
July 25, 2018 (updated September 13, 2023)

Chrome started marking all HTTP websites as Not secure yesterday (on my birthday, what a gift!) with their release of Chrome 68. The treatment is not a red warning yet, just a gray (i). And there are a lot of busy Czech websites getting that treatment. And how did we get here anyway and what's next?

Last dates for Intro to PHP, Classes & objects in PHP training
October 10, 2017 (updated March 1, 2018)

The time has come and after 6 years I'm closing my public training Introduction to PHP and Classes and objects in PHP, the last round this December. I'm also writing some new courses.

Chrome, ERR_SPDY_PROTOCOL_ERROR, and an invalid HTTP header
August 28, 2017 (updated January 25, 2023)

When migrating your site to the more performant HTTP/2 protocol, it may happen that Chrome will not load a page and will display This site can’t be reached with ERR_SPDY_PROTOCOL_ERROR instead. HTTP/2 is derived from the earlier SPDY protocol, which is probably why the error message doesn't mention HTTP/2 at all. I'll show you how to figure it out with chrome://net-export.

Do you need a TLS/SSL certificate for your website?
August 10, 2017