Profile avatar
filippo.abyssdomain.expert
RC F'13, F2'17 Cryptogopher / Go cryptography maintainer Professional open source maintainer https://filippo.io / https://github.com/FiloSottile https://mkcert.dev / https://age-encryption.org https://sunlight.dev / https://filippo.io/newsletter
1,400 posts 20,553 followers 471 following
Regular Contributor
Active Commenter
Posts 20 Comments 30

gopls v0.18.0 quietly released a new "modernize" tool which automatically adjusts your #golang code to use newer std APIs and language features! modernize -fix ./... For example: range over int, min and max, slices APIs like Contains or Delete. github.com/golang/tools...

submitted 1 day ago • 4 comments

I appreciate this response from Ed Yong on why he requests that people mask at his events. www.nytimes.com/2025/02/22/m...

submitted 2 days ago • 36 comments

It works! Beyond passkeys, I can encrypt a file in the browser with typage and WebAuthn, and then decrypt it with the same YubiKey from the CLI with age-plugin-fido2prf. README: github.com/FiloSottile/ty… PR: github.com/FiloSottile/ty…

submitted 2 days ago • 4 comments

I can now invoke EFI Boot Services and jump to Linux. The shell interface is 520 LOC, the EFI driver is 160 LOC. I cannot emphasize enough how productive, lean and efficient is bare metal Go to develop this. Next up Console I/O so that I can boot this on real hardware.

submitted 6 days ago • 1 comment

Unexpected benefit of a pilot license: can switch on the radio voice and NATO spell a long international address on the phone with the bank’s fraud department.

submitted 6 days ago • 12 comments

We got so much done in cryptography for Go 1.24. I want to write an article for filippo.io/newsletter about it, but it needs at least three spin-off articles not to become a 10000 word piece.

submitted 8 days ago • 1 comment

I just realized we can finally deprecate the ecdsa.PublicKey X and Y big.Int fields once NewPublicKey and PublicKey.Bytes land! If you use them for ECDSA or ECDH and can't migrate to NewPublicKey/Bytes or crypto/ecdh, now is the time to let us know. (If you use them for exotic things, use nistec.)

submitted 8 days ago • 0 comments

JOSE and JWK are so bad that they are infectious. Their bespoke and low level key encoding puts pressure on libraries to expose dangerous APIs instead of just parsing and validating byte slices into opaque types. (Yes, I’m a bit miffed, why do you ask?)

submitted 8 days ago • 3 comments

@tigrisdata.com Looks like the @fly.io IAD outage is affecting Tigris GETs, but there’s nothing on status.tigris.dev. It would be useful to have something to point to for the post mortem.

submitted 9 days ago • 0 comments

This is a fascinating vulnerability. The root causes are implementing deterministic signatures instead of hedged, using a general purpose big number implementation, and leaking its API at the crypto layer. JavaScript types are a red herring, could have happened in any language.

submitted 9 days ago • 4 comments

A new advisory that affects deterministic ECDSA signing in elliptic, which was used in MetaMask. github.com/indutny/elli...

submitted 9 days ago • 3 comments

Ooooh this is an excellent application of Privacy Pass, the anonymous credential scheme we originally designed to ameliorate the pain of Cloudflare CAPTCHAs on Tor. Authenticate with a paid account to obtain tokens, then anonymously redeem them to make unlinkable searches.

submitted 11 days ago • 2 comments

🥳 Go 1.24.0 is released! 📰 Release notes: go.dev/doc/go1.24 📦 Download: go.dev/dl/#go1.24.0 #golang

submitted 13 days ago • 3 comments

Helped a friend a bit to make a #golang concurrent version of the excellent age stream format by @filippo.abyssdomain.expert Check it out if it sounds interesting: github.com/bifrosta/age...

submitted 15 days ago • 1 comment

Found *another* way HKDF is FIPS 140 compliant: you can use HKDF-Extract without HKDF-Expand as part of a key agreement if you call it KDA OneStepNoCounter per Implementation Guidance D.P. We’re now CAVP testing HKDF in the Go FIPS module under four (4) names. words.filippo.io/dispatches/f...

submitted 15 days ago • 1 comment

Adding to the list of things my flagship $1200 Surface laptop can’t do without a $150 upsell: - run virtual machines with Hyper-V - provide access with Remote Desktop - and of course install Windows without an account Pretty sure my MacBook Air M1 can do all that.

submitted 18 days ago • 5 comments

There's a kinda fun bug in the Go 1.24 RCs. Here's an example of using weak pointers to modify what should be an immutable string, without using the unsafe package: go.dev/play/p/IPJE6... I ended up nerd sniped by it and sent a fix: github.com/golang/go/co...

submitted 18 days ago • 1 comment

I keep coming across all these "pseudocode" examples on Wikipedia and in academic papers, and what I don't understand is why the authors can't just learn a real programming language

submitted 18 days ago • 14 comments

Congratulations to the Firefox team for shipping CT enforcement! > Starting in Firefox 135, Certificate Transparency is now enforced on all desktop platforms. groups.google.com/a/mozilla.or...

submitted 20 days ago • 1 comment

I've put together a webpage that renders the ePrint author list I maintain for @eprint.bsky.social. It's a separate website to enable listing by the author name used in papers, rather than the Bluesky display name or handle.

submitted 23 days ago • 0 comments