Todd H. Gardner
@toddhgardner.com
Pinned
Todd H. Gardner
@toddhgardner.com
· Nov 16
I couldn’t find one, so I made an #MNTech Starter Pack.
I probably missed people, lmk.
go.bsky.app/GuXLfRs
I probably missed people, lmk.
go.bsky.app/GuXLfRs
Reposted by Todd H. Gardner
"Free certificates? For production?" Yes. Let's Encrypt uses the same encryption as that $500 EV cert. Chrome killed the green bar in 2018. Amazon, Netflix, and Walmart all use DV certs. Your objections are probably institutional habit, not evidence
www.certkit.io/blog/should-...
#PKI #WebSecurity
www.certkit.io/blog/should-...
#PKI #WebSecurity
Should you still pay for SSL certificates?
IT teams keep buying certificates from DigiCert and Sectigo because free feels risky. But the assumptions behind that trust are a decade old. Let's Encrypt now secures 64% of the web, is funded by Goo...
www.certkit.io
January 12, 2026 at 10:11 PM
"Free certificates? For production?" Yes. Let's Encrypt uses the same encryption as that $500 EV cert. Chrome killed the green bar in 2018. Amazon, Netflix, and Walmart all use DV certs. Your objections are probably institutional habit, not evidence
www.certkit.io/blog/should-...
#PKI #WebSecurity
www.certkit.io/blog/should-...
#PKI #WebSecurity
@bsky.app I am being “followed” by new 30 bots a day. I am more convinced everyday that this network is dead.
What are you doing about it?
What are you doing about it?
January 8, 2026 at 2:52 PM
@bsky.app I am being “followed” by new 30 bots a day. I am more convinced everyday that this network is dead.
What are you doing about it?
What are you doing about it?
Reposted by Todd H. Gardner
"Right side of assignment cannot be destructured" is Safari's way of saying you tried to destructure null or undefined. Chrome tells you which property failed. Safari makes you guess.
trackjs.com/javascript-errors/right-side-of-assignment-cannot-be-destructured/
#javascript #webdev
trackjs.com/javascript-errors/right-side-of-assignment-cannot-be-destructured/
#javascript #webdev
How to fix `Right side of assignment cannot be destructured`
Safari's error message when destructuring null or undefined values. Common with API responses, missing function arguments, or async data not yet loaded. Quick fixes: add fallback objects, use optional...
trackjs.com
January 7, 2026 at 4:00 PM
"Right side of assignment cannot be destructured" is Safari's way of saying you tried to destructure null or undefined. Chrome tells you which property failed. Safari makes you guess.
trackjs.com/javascript-errors/right-side-of-assignment-cannot-be-destructured/
#javascript #webdev
trackjs.com/javascript-errors/right-side-of-assignment-cannot-be-destructured/
#javascript #webdev
Reposted by Todd H. Gardner
Missing the viewport meta tag? Your mobile users are waiting an extra 300ms on every single tap. Browsers add that delay to check for double-tap zooming. One line of HTML fixes it.
requestmetrics.com/blog/lightho...
#WebPerf #SEO
requestmetrics.com/blog/lightho...
#WebPerf #SEO
Understanding Lighthouse: Has a Viewport Meta Tag
What does "Has a meta name viewport tag with width or initial-scale" mean in Lighthouse? This audit checks if your page is mobile-ready. Missing it...
requestmetrics.com
January 6, 2026 at 1:50 PM
Missing the viewport meta tag? Your mobile users are waiting an extra 300ms on every single tap. Browsers add that delay to check for double-tap zooming. One line of HTML fixes it.
requestmetrics.com/blog/lightho...
#WebPerf #SEO
requestmetrics.com/blog/lightho...
#WebPerf #SEO
Reposted by Todd H. Gardner
DNS-01 validation requires changing TXT records on every certificate renewal. With 47-day lifetimes coming, that's going to hurt. DNS-PERSIST-01 fixes it: validate once, get certs forever.
www.certkit.io/blog/dns-per...
#ACME #PKI
www.certkit.io/blog/dns-per...
#ACME #PKI
DNS-PERSIST-01 validates a domain once to get certificates forever
A new ACME validation standard coming in 2026 lets you authorize a CA once and never touch DNS again for renewals. The security model is defensible, but even its supporters admit the optics are questi...
www.certkit.io
January 5, 2026 at 4:23 PM
DNS-01 validation requires changing TXT records on every certificate renewal. With 47-day lifetimes coming, that's going to hurt. DNS-PERSIST-01 fixes it: validate once, get certs forever.
www.certkit.io/blog/dns-per...
#ACME #PKI
www.certkit.io/blog/dns-per...
#ACME #PKI
Reposted by Todd H. Gardner
Seeing a sudden spike of 404 errors for ads.txt, security.txt, and /.well-known/ files? It's probably @httparchive.org Almanac scanning with WebPageTest
Not a bug, just bot noise.
trackjs.com/javascript-e...
#javascript #webdev
Not a bug, just bot noise.
trackjs.com/javascript-e...
#javascript #webdev
How to fix 404 Errors from WebPageTest.org Bot
404 errors from WebPageTest.org bot checking for well-known configuration files like ads.txt, security.txt, and sellers.json. Appears in JavaScript error monitoring because WebPageTest uses real Chrom...
trackjs.com
December 23, 2025 at 5:42 PM
Seeing a sudden spike of 404 errors for ads.txt, security.txt, and /.well-known/ files? It's probably @httparchive.org Almanac scanning with WebPageTest
Not a bug, just bot noise.
trackjs.com/javascript-e...
#javascript #webdev
Not a bug, just bot noise.
trackjs.com/javascript-e...
#javascript #webdev
Reposted by Todd H. Gardner
Most web servers ignore URL casing. But Node and Python don't.
If /User/Profile and /user/profile are different routes in your app, our new "Preserve Casing" setting keeps them separate in your reports.
requestmetrics.com/blog/product...
#WebPerf #WebDev
If /User/Profile and /user/profile are different routes in your app, our new "Preserve Casing" setting keeps them separate in your reports.
requestmetrics.com/blog/product...
#WebPerf #WebDev
New Option: Preserve URL Casing
Request Metrics normalizes URLs to lowercase by default. But some frameworkstreat casing as meaningful. Now you can preserve the original casing with anew se...
requestmetrics.com
December 22, 2025 at 7:01 PM
Most web servers ignore URL casing. But Node and Python don't.
If /User/Profile and /user/profile are different routes in your app, our new "Preserve Casing" setting keeps them separate in your reports.
requestmetrics.com/blog/product...
#WebPerf #WebDev
If /User/Profile and /user/profile are different routes in your app, our new "Preserve Casing" setting keeps them separate in your reports.
requestmetrics.com/blog/product...
#WebPerf #WebDev
Reposted by Todd H. Gardner
Do you still need wildcard certificates?
Wildcard vs SAN assumes certificates are painful to manage. But once you've automated for 47-day lifetimes, issuing 50 certs takes the same effort as one. The question shifts to security, not convenience.
www.certkit.io/blog/do-you-...
#PKI #WebSecurity
Wildcard vs SAN assumes certificates are painful to manage. But once you've automated for 47-day lifetimes, issuing 50 certs takes the same effort as one. The question shifts to security, not convenience.
www.certkit.io/blog/do-you-...
#PKI #WebSecurity
Do you still need wildcard certificates?
You've been using wildcard certificates for years because they were simpler. One cert, one renewal, copy it everywhere. But now you're automating anyway. If certificate management is no longer painful...
www.certkit.io
December 22, 2025 at 3:55 PM
Do you still need wildcard certificates?
Wildcard vs SAN assumes certificates are painful to manage. But once you've automated for 47-day lifetimes, issuing 50 certs takes the same effort as one. The question shifts to security, not convenience.
www.certkit.io/blog/do-you-...
#PKI #WebSecurity
Wildcard vs SAN assumes certificates are painful to manage. But once you've automated for 47-day lifetimes, issuing 50 certs takes the same effort as one. The question shifts to security, not convenience.
www.certkit.io/blog/do-you-...
#PKI #WebSecurity
I'm working on a new idea for a conference talk,
Everything you learned about SSL is deprecated.
I'd love some feedback on it!
gist.github.com/toddhgardner...
Everything you learned about SSL is deprecated.
I'd love some feedback on it!
gist.github.com/toddhgardner...
Abstract for a new talk on WebPKI in 2026
Abstract for a new talk on WebPKI in 2026. GitHub Gist: instantly share code, notes, and snippets.
gist.github.com
December 19, 2025 at 7:26 PM
I'm working on a new idea for a conference talk,
Everything you learned about SSL is deprecated.
I'd love some feedback on it!
gist.github.com/toddhgardner...
Everything you learned about SSL is deprecated.
I'd love some feedback on it!
gist.github.com/toddhgardner...
Reposted by Todd H. Gardner
CertKit now supports multi-domain certificates. Mix wildcards with specific hostnames on a single cert. Also shipped: actual ACME error messages instead of "something went wrong" and non-sequential IDs to stop enumeration attacks.
www.certkit.io/blog/certkit...
#SSL #PKI
www.certkit.io/blog/certkit...
#SSL #PKI
Multi-domain (multi-san) certificates and better error messages
CertKit now supports multi-SAN certificates, letting you cover multiple domains with a single cert. We also improved the certificate creation flow and made error messages actually useful.
www.certkit.io
December 18, 2025 at 3:44 PM
CertKit now supports multi-domain certificates. Mix wildcards with specific hostnames on a single cert. Also shipped: actual ACME error messages instead of "something went wrong" and non-sequential IDs to stop enumeration attacks.
www.certkit.io/blog/certkit...
#SSL #PKI
www.certkit.io/blog/certkit...
#SSL #PKI
Reposted by Todd H. Gardner
In 2015, only 40% of websites used HTTPS. Today it's 95%. The ACME protocol made that happen by automating certificate issuance. But it didn't solve certificate operations. That's still your problem.
www.certkit.io/blog/how-acm...
#ACME #PKI
www.certkit.io/blog/how-acm...
#ACME #PKI
How the ACME protocol automates certificate issuance
HTTPS went from 40% to over 90% of web traffic in a decade and the ACME protocol made that possible. But ACME solved certificate issuance, not certificate operations. Getting a cert is easy now. Getti...
www.certkit.io
December 15, 2025 at 4:54 PM
In 2015, only 40% of websites used HTTPS. Today it's 95%. The ACME protocol made that happen by automating certificate issuance. But it didn't solve certificate operations. That's still your problem.
www.certkit.io/blog/how-acm...
#ACME #PKI
www.certkit.io/blog/how-acm...
#ACME #PKI
Reposted by Todd H. Gardner
The worst JavaScript errors are the ones you can't see.
"Invalid or unexpected token" usually means invisible characters snuck into your code. Smart quotes from Slack, zero-width spaces, BOM markers.
trackjs.com/javascript-e...
#javascript #webdev
"Invalid or unexpected token" usually means invisible characters snuck into your code. Smart quotes from Slack, zero-width spaces, BOM markers.
trackjs.com/javascript-e...
#javascript #webdev
How to fix `Invalid or unexpected token`
JavaScript parser error when it encounters unrecognizable characters. Usually caused by invisible Unicode characters, smart quotes from copy-paste, or BOM markers. Different from "Unexpected token X" ...
trackjs.com
December 11, 2025 at 3:54 PM
The worst JavaScript errors are the ones you can't see.
"Invalid or unexpected token" usually means invisible characters snuck into your code. Smart quotes from Slack, zero-width spaces, BOM markers.
trackjs.com/javascript-e...
#javascript #webdev
"Invalid or unexpected token" usually means invisible characters snuck into your code. Smart quotes from Slack, zero-width spaces, BOM markers.
trackjs.com/javascript-e...
#javascript #webdev
Reposted by Todd H. Gardner
Reposted by Todd H. Gardner
The NSA recorded encrypted traffic for years, betting they'd eventually steal your private keys.
With RSA key exchange, that worked.
PFS broke their playbook. If you're still on TLS 1.2 without ECDHE, your traffic from 2019 might get decrypted tomorrow.
www.certkit.io/blog/perfect...
#TLS #PKI
With RSA key exchange, that worked.
PFS broke their playbook. If you're still on TLS 1.2 without ECDHE, your traffic from 2019 might get decrypted tomorrow.
www.certkit.io/blog/perfect...
#TLS #PKI
Perfect Forward Secrecy Made Your Private Keys Boring
We used to treat private keys like plutonium because losing one meant every encrypted conversation ever was compromised. Perfect Forward Secrecy fixed that. Now each connection gets temporary keys tha...
www.certkit.io
December 8, 2025 at 3:38 PM
The NSA recorded encrypted traffic for years, betting they'd eventually steal your private keys.
With RSA key exchange, that worked.
PFS broke their playbook. If you're still on TLS 1.2 without ECDHE, your traffic from 2019 might get decrypted tomorrow.
www.certkit.io/blog/perfect...
#TLS #PKI
With RSA key exchange, that worked.
PFS broke their playbook. If you're still on TLS 1.2 without ECDHE, your traffic from 2019 might get decrypted tomorrow.
www.certkit.io/blog/perfect...
#TLS #PKI
Reposted by Todd H. Gardner
Safari's "string did not match the expected pattern" is infuriating. One vague message for five different problems. CSS selectors, JSON parsing, DOM values, all the same unhelpful text.
trackjs.com/javascript-e...
#JavaScript #Safari
trackjs.com/javascript-e...
#JavaScript #Safari
How to fix "The string did not match the expected pattern."
Safari's generic error when DOM APIs receive invalid string arguments. Triggers include invalid CSS selectors, JSON parsing failures, contentEditable with bad values, and Performance.measure() issues....
trackjs.com
December 4, 2025 at 7:23 PM
Safari's "string did not match the expected pattern" is infuriating. One vague message for five different problems. CSS selectors, JSON parsing, DOM values, all the same unhelpful text.
trackjs.com/javascript-e...
#JavaScript #Safari
trackjs.com/javascript-e...
#JavaScript #Safari
Just installed @trackjs.com on @certkit.io. Within 2 days I had tons of errors flooding in. None were my fault. All garbage from browser extensions and bots. That's the dirty secret of error monitoring nobody talks about.
www.toddhgardner.com/blog/install...
#javascript
www.toddhgardner.com/blog/install...
#javascript
Installing TrackJS on CertKit
Learn how I set up TrackJS for production JavaScript error monitoring on CertKit, configure ignore rules to filter out third-party noise, and create actionable error alerts that actually matter.
www.toddhgardner.com
November 24, 2025 at 5:54 PM
Just installed @trackjs.com on @certkit.io. Within 2 days I had tons of errors flooding in. None were my fault. All garbage from browser extensions and bots. That's the dirty secret of error monitoring nobody talks about.
www.toddhgardner.com/blog/install...
#javascript
www.toddhgardner.com/blog/install...
#javascript
Cloudflare down. GitHub down. AWS down. All in one week. Your business runs on abstractions you don't understand. When they fail, you're helpless.
Build what makes you unique. Buy what makes you run. But FFS understand how it works.
www.toddhgardner.com/blog/build-v...
Build what makes you unique. Buy what makes you run. But FFS understand how it works.
www.toddhgardner.com/blog/build-v...
Build vs Buy: What This Week's Outages Should Teach You
The simple rule everyone gets wrong: build what makes you unique, buy what makes you run. But whatever you do, make sure you understand it well enough to fix it when it breaks. Because it will break.
www.toddhgardner.com
November 19, 2025 at 4:54 PM
Cloudflare down. GitHub down. AWS down. All in one week. Your business runs on abstractions you don't understand. When they fail, you're helpless.
Build what makes you unique. Buy what makes you run. But FFS understand how it works.
www.toddhgardner.com/blog/build-v...
Build what makes you unique. Buy what makes you run. But FFS understand how it works.
www.toddhgardner.com/blog/build-v...
Reposted by Todd H. Gardner
Certificate Transparency logs contain billions of certificates but searching them is painful. crt.sh is slow and often down. So we built our own free CT search tool that actually works.
Part 1 of our series: www.certkit.io/blog/searchi...
#CertificateTransparency #PKI
Part 1 of our series: www.certkit.io/blog/searchi...
#CertificateTransparency #PKI
crt.sh | Certificate Search
Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)
crt.sh
November 17, 2025 at 8:43 PM
Certificate Transparency logs contain billions of certificates but searching them is painful. crt.sh is slow and often down. So we built our own free CT search tool that actually works.
Part 1 of our series: www.certkit.io/blog/searchi...
#CertificateTransparency #PKI
Part 1 of our series: www.certkit.io/blog/searchi...
#CertificateTransparency #PKI
The heavens opened and tried to swallow my house tonight.
November 12, 2025 at 3:16 AM
The heavens opened and tried to swallow my house tonight.
Reposted by Todd H. Gardner
"Revoke Certificate" - It's theater.
Most revoked certs keep working. Chrome, Firefox, Safari each block different revoked certs. The industry knows it's broken, so they're forcing 47-day expiration instead.
www.certkit.io/blog/certifi...
#PKI #CertificateManagement
Most revoked certs keep working. Chrome, Firefox, Safari each block different revoked certs. The industry knows it's broken, so they're forcing 47-day expiration instead.
www.certkit.io/blog/certifi...
#PKI #CertificateManagement
Certificate revocation is broken but we pretend it works
SSL Certificate revocation is so broken that browser vendors gave up trying to fix it. Chrome manually curates 24,000 'important' revocations out of 2 million. Firefox uses bloom filters that flag val...
www.certkit.io
November 11, 2025 at 7:49 PM
"Revoke Certificate" - It's theater.
Most revoked certs keep working. Chrome, Firefox, Safari each block different revoked certs. The industry knows it's broken, so they're forcing 47-day expiration instead.
www.certkit.io/blog/certifi...
#PKI #CertificateManagement
Most revoked certs keep working. Chrome, Firefox, Safari each block different revoked certs. The industry knows it's broken, so they're forcing 47-day expiration instead.
www.certkit.io/blog/certifi...
#PKI #CertificateManagement
My weekend upgrade: added a UPS since we keep losing power here.
Unknown if my fiber connection stays online if we lose power.
Unknown if my fiber connection stays online if we lose power.
November 10, 2025 at 7:23 PM
My weekend upgrade: added a UPS since we keep losing power here.
Unknown if my fiber connection stays online if we lose power.
Unknown if my fiber connection stays online if we lose power.
Reposted by Todd H. Gardner
MetaMask throwing connection errors in your logs? You're not alone. These extension errors pollute your monitoring with noise that isn't even your fault. We show you how to filter them out automatically.
Read more: trackjs.com/javascript-e...
#JavaScript #WebDev
Read more: trackjs.com/javascript-e...
#JavaScript #WebDev
How to fix `Failed to connect to MetaMask`
Browser extension error from visitors using MetaMask cryptocurrency wallet. Extension attempts to inject Web3 functionality into all pages, causing errors unrelated to your site. Safe to ignore via er...
trackjs.com
November 6, 2025 at 4:43 PM
MetaMask throwing connection errors in your logs? You're not alone. These extension errors pollute your monitoring with noise that isn't even your fault. We show you how to filter them out automatically.
Read more: trackjs.com/javascript-e...
#JavaScript #WebDev
Read more: trackjs.com/javascript-e...
#JavaScript #WebDev
A few weeks ago I did a Press Release for CertKit.
It didn't really work out.
Here's why.
www.toddhgardner.com/blog/press-r...
#seo #pr #startups
It didn't really work out.
Here's why.
www.toddhgardner.com/blog/press-r...
#seo #pr #startups
I tried doing a Press Releases for SEO. It didn't work.
An honest look at using press releases for link building and SEO in 2025. Spoiler: save your money.
www.toddhgardner.com
November 5, 2025 at 2:47 AM
A few weeks ago I did a Press Release for CertKit.
It didn't really work out.
Here's why.
www.toddhgardner.com/blog/press-r...
#seo #pr #startups
It didn't really work out.
Here's why.
www.toddhgardner.com/blog/press-r...
#seo #pr #startups
Reposted by Todd H. Gardner
JavaScript top-level await is no longer considered 'baseline' due to a pretty big Safari bug caniuse.com/mdn-javascri...
The module graph fails in cases where two modules import a third at the same time. Demo: random-stuff.jakearchibald.com/bug-repros/t...
It's best to avoid the feature for now 😔
The module graph fails in cases where two modules import a third at the same time. Demo: random-stuff.jakearchibald.com/bug-repros/t...
It's best to avoid the feature for now 😔
JavaScript operator: await: Use at module top level | Can I use... Support tables for HTML5, CSS3, etc
caniuse.com
October 26, 2025 at 8:17 PM
JavaScript top-level await is no longer considered 'baseline' due to a pretty big Safari bug caniuse.com/mdn-javascri...
The module graph fails in cases where two modules import a third at the same time. Demo: random-stuff.jakearchibald.com/bug-repros/t...
It's best to avoid the feature for now 😔
The module graph fails in cases where two modules import a third at the same time. Demo: random-stuff.jakearchibald.com/bug-repros/t...
It's best to avoid the feature for now 😔
Reposted by Todd H. Gardner
Stripe bought their domain in 2010. The previous owner's SSL certificate was valid until 2011.
For an entire year, someone else had a perfectly legitimate certificate for their payment processing.
This is why we're getting 47-day certificates.
www.certkit.io/blog/bygones...
For an entire year, someone else had a perfectly legitimate certificate for their payment processing.
This is why we're getting 47-day certificates.
www.certkit.io/blog/bygones...
BygoneSSL and the certificate that wouldn't die
When domains change hands, old certificates don't. Two researchers at DEFCON found 1.5 million domains with valid certs owned by someone else. This is the security research that killed long certificat...
www.certkit.io
October 27, 2025 at 4:39 PM
Stripe bought their domain in 2010. The previous owner's SSL certificate was valid until 2011.
For an entire year, someone else had a perfectly legitimate certificate for their payment processing.
This is why we're getting 47-day certificates.
www.certkit.io/blog/bygones...
For an entire year, someone else had a perfectly legitimate certificate for their payment processing.
This is why we're getting 47-day certificates.
www.certkit.io/blog/bygones...