I couldn’t find a good free tool to monitor SSL certificate expiry, so I wrote a simple Bash script.
Open source and easy to use - your data stays local.
https://paulsorensen.io/cert-expiry-bot-script/
#devops #sysadmin #opensource #tls #ssl #privacy

LibreSSL 4.1.0 released https://www.undeadly.org/cgi?action=article;sid=20250430112153 #openbsd #libressl #ssl #tls #security #openssl #networking #privacy #crypto #cryptography

Experience sessions like this live at SharkFest'25 US, happening June 14–19 in Richmond, VA. Join industry experts and fellow enthusiasts for hands-on labs, in-depth lectures, and unparalleled networking opportunities.​

https://www.youtube.com/watch?v=Cq6yj9se9M4

Secure your spot today: https://sharkfest.wireshark.org/sfus

Ooh, what’s this?… Look Over There!
(With apologies to Jaida Essence Hall)

So the little app I teased earlier is ready and deployed and I have our own instance running at:

https://look-over-there.small-web.org

Look Over There! lets you forward multiple domains to different URLs with full HTTPS support.

Why?

We have a number of older sites that are becoming a chore/expensive to maintain and yet I don’t want to break the web. So I thought, hey, I’ll just use the “url forwarding” feature of my domain registrar to forward them to their archived versions on archive.org.

Ah, not so fast, young cricket… seems some domain registrars’ implementations of this feature do not work if the domain being forwarded is accessed via HTTPS (yes, in 2025).

So, given Kitten¹ uses Auto Encrypt² to automatically provision Let’s Encrypt certificates, I added a domain forwarding feature to it and created Look Over There! as a friendly/simple app that provides a visual interface to it.

To see it in action, hit https://cleanuptheweb.org and you should get forwarded to the archived version of it on archive.org. I’m going to be adding more of our sites to the list in the coming days as part of an effort to reduce my maintenance load and cut down our expenses at Small Technology Foundation.

Since it’s Small Web, this particular instance is just for us. However, you can run your own copy on a VPS (or even a little single-board computer at home, etc.) A link to the source code repository is on the site. Once Domain³ is ready for use (later this year ), setting up your own instance of a Small Web app at your own server will take less than a minute.

I hope this little tool, along with the 404→307 (evergreen web) technique⁴, helps us to nurture an evergreen web and avoid link rot. (And the source code, as little as there is because Kitten does so much for you, is a good resource if you want to learn about Kitten’s new class-based component and page model which I haven’t yet had a chance to properly document.)

Enjoy!

¹ https://kitten.small-web.org
² https://codeberg.org/small-tech/auto-encrypt
³ https://codeberg.org/domain/app
⁴ https://4042307.org

Chatter: The Stealthy Chat System That Bypasses Firewalls

Discover Chatter, an innovative chat platform designed to mimic TLS 1.2 traffic while maintaining stealth and security. This article dives deep into its architecture, features, and the alarming implic...

https://news.lavx.hu/article/chatter-the-stealthy-chat-system-that-bypasses-firewalls

OpenSSL 3.5 is available now and will be supported until April 2030
https://www.admin-magazine.com/News/OpenSSL-3.5-Released?utm_source=mam
#OpenSSL #QuantumComputing #PQC #TLS #QUIC

TLS Certificate Lifetimes Will Officially Reduce to 47 Days, by (not found on Mastodon or Bluesky):

https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days

Don't trust security check websites.
I just went through 10 online #TLS checkers from <https://techarry.com/top-ssl-tls-testing-tools-open-source-online-scanners/>, and only 2 of them (<https://testtls.com/> and <https://www.ssllabs.com/ssltest/>) even managed to scan the #IPv6-only site I was scanning. For all the others: How do you expect to run a comprehensive test when you can't even resolve half the addresses?

OH: „Techno Layer Security“

Just had cause to look at https://tls13.xargs.org again.
It's a super-detailed explainer of every element of a TLS1.3 connection - and answered my in-the-weeds question in ~60 seconds!

Here's a clarified write up of that SSL.com bug. I think email DCV should die a fiery death, but this isnt an email vuln its just sloppy work. how is such poor dev and testing acceptable for a CA in 2025?
#tls #certificates
https://www.theregister.com/2025/04/22/ssl_com_validation_flaw/

Die maximale Laufzeit von digitalen Zertifikaten für verschlüsselte Verbindungen zu Web- und anderen Servern wird sich künftig drastisch verkürzen. Im Jahre 2029 sind diese statt mit 398 Tagen nur noch mit 47 Tagen Laufzeit ausgestattet.

Zum Artikel: https://heise.de/-10352867?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

happened early April, but worth sharing. Certs will only have 47 days of validity by 2029. validity lengths will progressively get shorter from march 2026 until then. Reusing domain validation material will be limited to 10 days.

IMO this is a very good thing.

this is diff to the very short validity certs that can be issued now. Lets Encrypt will offer 6 day certs by end of yr

https://github.com/cabforum/servercert/compare/b7fd69b36171d81930e7758482984ce957a1ce7a...abf6c4e3845040069672d58cd2dd80ede8f42012

Dass es im Jahr 2025 immer noch Firmen gibt, die mit "Deine Daten werden verschlüsselt per SSL übertragen." oder ähnlichem werben, um irgendwie Sicherheit zu suggerieren ... ich hoffe doch sehr stark, dass die Übertragung NICHT per SSL erfolgt, sondern per TLS.

How TCP really works: Top 3 things you need to know!

YouTube video with the amazing Chris Greer: https://youtu.be/Auwn3RWapRE

Beschlossen: Lebensdauer für #TLS-Serverzertifikate sinkt auf 47 Tage | Security https://www.heise.de/news/47-Tage-CAs-und-Browserhersteller-beschliessen-kuerzere-Laufzeit-fuer-Zertifikate-10352867.html

https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days

The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates.

The maximum certificate lifetime is going down:

- As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.
- As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
- As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

Nur noch 47 Tage:

#Gültigkeit von #TLS - #Zertifikaten wird drastisch verkürzt

Ab 2029 dürfen #TLS-Zertifikate statt 398 nur noch höchstens 47 Tage lang gültig sein. Der von #Apple eingereichte Vorschlag hat breite Zustimmung erhalten.

Das #CA / #Browser #Forum hat beschlossen, die maximale Gültigkeitsdauer digitaler Zertifikate für den verschlüsselten Datenaustausch via #SSL / #TLS von aktuell 398 auf deutlich geringere 47 Tage zu reduzieren.

https://www.golem.de/news/nur-noch-47-tage-gueltigkeit-von-tls-zertifikaten-wird-drastisch-verkuerzt-2504-195416.html

So it's official: TLS certificate lifetimes will reduce from the current max of 398 days to:
* 200 days in March 2026
* 100 days in March 2027
* 47 days in March 2029

For web servers/proxies etc. it's reasonably simple, at least for smaller orgs but for e.g. network kit it might be more of a challenge. Having a timeframe to aim at definitely focusses the mind!

Via @riskybiz / https://risky.biz/risky-bulletin-ca-b-forum-approves-47-day-tls-certs/