David Adrian
dadrian.io
@dadrian.io
Used to do TLS, still kind of do TLS. PM at Chrome Security. Founded Censys. @scwpod.bsky.social
Thinking about Curt Cignetti.
January 23, 2026 at 5:39 PM
I cannot get over how impressive it is what Curt Cignetti accomplished at Indiana
January 21, 2026 at 5:38 AM
Indiana shall light this holy ring, release its cleansing flame, and burn a path into the divine beyond!
repent! for the day of sixteen windiana shall be upon us!
January 20, 2026 at 1:02 AM
Reposted by David Adrian
This is what zero-trust looks like at the infrastructure layer. Identity and encryption match the lifetime of the thing being secured.

If your certificate strategy still assumes stable names and year-long validity, it is already behind reality.

letsencrypt.org/2026/01/15/6...
6-day and IP Address Certificates are Generally Available
Short-lived and IP address certificates are now generally available from Let’s Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscr...
letsencrypt.org
January 16, 2026 at 4:26 PM
Reposted by David Adrian
January 12, 2026 at 2:34 AM
repent! for the day of sixteen windiana shall be upon us!
January 10, 2026 at 3:24 AM
Reposted by David Adrian
Final SCW of 2025! We had Matt Bernhard on to talk about cryptographic voting systems, in the wake of the IACR election. (Everybody I voted for in the new election won! Woo!)
December 31, 2025 at 5:10 AM
Reposted by David Adrian
What a fantastic present to end the year! (swear I woke up like this) @mbernhard.com @durumcrustulum.com @sockpuppet.org @dadrian.io @scwpod.bsky.social
December 31, 2025 at 2:38 PM
Reposted by David Adrian
This Bernstein crap drives me up the wall because IT MAKES NO SENSE.

Why would the NSA be picking weak crypto to protect US NatSec?!

They have mathematicians and clusters in China, too!

Dual_EC_DRBG was a NOBUS backdoor. There is NOWHERE to hide a NOBUS backdoor in ML-KEM.
November 24, 2025 at 9:27 PM
Reposted by David Adrian
Wonderful news! The kind of thing a lot of software folks across the world have been working to make possible. So stoked the Chrome folks are pushing us forward
October 28, 2025 at 7:59 PM
Reposted by David Adrian
It's time to make HTTPS the web's default, and reap the full security benefit from years' worth of HTTPS adoption!
security.googleblog.com/2025/10/http...
HTTPS by default
One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secu...
security.googleblog.com
October 28, 2025 at 5:17 PM
One year from now, Chrome will enable "Always Use Secure Connections" and warn users before plaintext HTTP by default.
October 28, 2025 at 5:27 PM
Iowa-Rutgers hitting the over? Trump ruined the B1G West.
September 20, 2025 at 3:12 AM
New post! Stop trying to solve revocation, we already have the answer. dadrian.io/blog/posts/r...
Revocation ain't no thang.
Adam Langley wrote about how revocation in the Web PKI doesn’t work over 10 years ago. Since then, the Web PKI has drastically changed for the better, despite not appearing to “solve” revocation. Unfo...
dadrian.io
September 11, 2025 at 12:16 AM
Kirk Herbstreit is going to be the first person to make a Golden Retriever unlikable.
September 6, 2025 at 3:39 PM
Reposted by David Adrian
The bigger issue? Microsoft’s root program still trusts this CA, leaving Edge and Windows users exposed in ways Chrome, Firefox, and Safari users aren’t.

The pattern is familiar: long-lived trust, weak oversight, systemic risk. It’s time for Microsoft to step up and fund proper root governance.

👇
Another Sleeping Giant: Microsoft’s Root Program and the 1.1.1.1 Certificate Slip | UNMITIGATED RISK
unmitigatedrisk.com
September 3, 2025 at 10:23 PM
If you look closely, you can see UNC’s quarterback is not Tom Brady
September 2, 2025 at 1:56 AM
Reposted by David Adrian
This game has me feeling like I'm watching Iowa play Iowa.
August 30, 2025 at 4:49 PM
Sent this to a girl in California and pretty sure she thinks it’s in another language
August 29, 2025 at 1:08 AM
Come for the PGP dunks, stay for the broader discussion of why encrypted email doesn’t make sense
NEW EPISODE!

An OpenPGP.js bug gave us an excuse to tear encrypted email via PGP to shreds. William Woodruff joined us to explain the vuln & indulge our gnashing of teeth on why email was never meant to be encrypted:

securitycryptographywhatever.com/2025/08/22/s...
www.youtube.com/watch?v=IoL3...
Stop Using Encrypted Email with William Woodruff
YouTube video by Security Cryptography Whatever
www.youtube.com
August 23, 2025 at 3:08 AM
Reposted by David Adrian
The first part of this interview with my ex-colleague Alex is a great listen if you're a software engineer (or otherwise technical) and are interested in what we were working on as technologists at the Federal Trade Commission.
NEW EPISODE!

We chat with friend of the pod and special guest Alex Gaynor, former deputy chief technologist at the FTC and all around good Security Person™. Join for nerdery about WebAuthn, stay for accidentally melting down GitHub APIs around November 2020!

youtu.be/gBoGvyvsSi4
Alex Gaynor
YouTube video by Security Cryptography Whatever
youtu.be
August 17, 2025 at 4:03 PM
Reposted by David Adrian
NEW EPISODE!

An OpenPGP.js bug gave us an excuse to tear encrypted email via PGP to shreds. William Woodruff joined us to explain the vuln & indulge our gnashing of teeth on why email was never meant to be encrypted:

securitycryptographywhatever.com/2025/08/22/s...
www.youtube.com/watch?v=IoL3...
August 23, 2025 at 3:01 AM
Reposted by David Adrian
NEW EPISODE!

We chat with friend of the pod and special guest Alex Gaynor, former deputy chief technologist at the FTC and all around good Security Person™. Join for nerdery about WebAuthn, stay for accidentally melting down GitHub APIs around November 2020!

youtu.be/gBoGvyvsSi4
August 16, 2025 at 10:29 PM
And then there’s David.
There are PMs who are useless. And then there are PMs:
August 13, 2025 at 12:40 AM