Feisty Duck - Company updates - Q1 2026
Your quarterly catch-up: Q1’s key insights and resources.

Dear Ala

With so much information to keep track of in the field of cryptography, security, privacy, SSL/TLS, and PKI, this quarterly update will help you stay ahead. Here are the topics we covered over the last three months and what we're up to these days. We hope this will be a valuable addition to your reading list!


Key Events

  • In January, Let’s Encrypt started offering short-lived certificates valid for about 6 days. At the same time, they began offering certificates for IP addresses. Speaking of short-lived certificates, you can actually get a single-day certificate from Google Trust Services. More in our January 2026 newsletter.
  • At the beginning of March, Encrypted Client Hello (ECH) was standardized as RFC 9849. This addition to TLS 1.3 makes it possible to encrypt the very first message exchanged with a server, which in turn protects sensitive information in the TLS handshake, such as the exact identity of the server (also known as Server Name Indication, or SNI). The companion document, RFC 9848, creates a mechanism to discover ECH configuration and encryption keys via SVCB/HTTPS resource records. For a light introduction to ECH, head to our July 2025 newsletter.
  • In March, CA/Browser Forum reduced certificate lifetimes to 200 days. The next reduction, to 100 days, is planned for March 2027. More in our April 2025 newsletter.
  • Also in March, DNSSEC checking during certificate issuance became mandatory. This is the first time that strong cryptographic validation has been achievable for certificate issuance. We covered this change in our June 2025 newsletter.
  • In an event that shook the industry, Google decided to accelerate their post-quantum migration, introducing 2029 as their new deadline. They cited new research that improved our understanding of how quantum computers can break the widely deployed cryptography of today.
  • Support for post-quantum cryptography is a mixed bag. On the client side, Cloudflare measures it at about 68% at the time of writing. At the backend, it’s much worse—only 9%. Clearly, the servers have a long way to go. And SMTP servers are much worse; Jan Schaumann observed only 0.26% of SMTP servers with PQC support.
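The ECH item above mentions that the encryption keys and configuration are discovered through the `ech` parameter of SVCB/HTTPS resource records. What actually sits in that parameter is a base64 ECHConfigList, and a client (or an auditing tool) has to parse it defensively, because the bytes arrive from DNS. The following parser is an added example, not Feisty Duck code or code from any ECH implementation; it follows the ECHConfigList layout of the ECH specification, assumes the 0xfe0d version tag used by the draft series and current deployments, and works on a constructed sample record rather than a real zone.

```python
"""Decode the ech= parameter of an HTTPS/SVCB record (an ECHConfigList).

Added example, not Feisty Duck's code. The layout follows the ECHConfigList
definition in the ECH specification; ECH_VERSION = 0xfe0d is an assumption
(the tag used by the draft series and current deployments). The sample
record below is constructed, not captured from a real zone.
"""
import base64
import struct
from dataclasses import dataclass

ECH_VERSION = 0xFE0D

# HPKE algorithm identifiers from RFC 9180, used only to print readable names.
KEM_NAMES = {0x0020: "DHKEM(X25519, HKDF-SHA256)"}
KDF_NAMES = {0x0001: "HKDF-SHA256"}
AEAD_NAMES = {0x0001: "AES-128-GCM", 0x0003: "ChaCha20Poly1305"}


@dataclass
class ECHConfig:
    version: int
    config_id: int
    kem_id: int
    public_key: bytes
    cipher_suites: list          # list of (kdf_id, aead_id) tuples
    maximum_name_length: int
    public_name: str
    extensions: bytes


class _Reader:
    """Bounds-checked cursor: a short read is a ValueError, never an IndexError."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.data):
            raise ValueError("truncated ECHConfig structure")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def vec(self, len_bytes: int) -> bytes:
        """TLS-style opaque vector: 1- or 2-byte length prefix, then the body."""
        return self.take(self.u8() if len_bytes == 1 else self.u16())

    def done(self) -> bool:
        return self.off == len(self.data)


def parse_echconfig_list(b64: str) -> list:
    """Parse the base64 ECHConfigList found in an HTTPS record's ech= parameter.

    Entries with an unknown version are skipped, as the spec requires of clients,
    so one future-version entry does not disable ECH for the whole record.
    Any truncation or trailing garbage is rejected with ValueError.
    """
    outer = _Reader(base64.b64decode(b64, validate=True))
    body = _Reader(outer.vec(2))          # ECHConfigList is a 2-byte-length vector
    if not outer.done():
        raise ValueError("trailing bytes after ECHConfigList")
    configs = []
    while not body.done():
        version = body.u16()
        contents = _Reader(body.vec(2))   # ECHConfig.length covers the contents
        if version != ECH_VERSION:
            continue                      # unsupported version: ignore this entry
        config_id = contents.u8()
        kem_id = contents.u16()
        public_key = contents.vec(2)
        suites_raw = contents.vec(2)
        if not suites_raw or len(suites_raw) % 4:
            raise ValueError("cipher_suites must be a non-empty list of 4-byte pairs")
        suites = [struct.unpack("!HH", suites_raw[i:i + 4])
                  for i in range(0, len(suites_raw), 4)]
        max_name_len = contents.u8()
        public_name = contents.vec(1).decode("ascii")
        extensions = contents.vec(2)
        if not contents.done():
            raise ValueError("trailing bytes inside ECHConfig")
        configs.append(ECHConfig(version, config_id, kem_id, public_key, suites,
                                 max_name_len, public_name, extensions))
    return configs


def build_echconfig_list(config_id, public_key, public_name, suites,
                         version=ECH_VERSION) -> bytes:
    """Serialise one ECHConfig as an ECHConfigList (used here to construct the sample)."""
    suites_raw = b"".join(struct.pack("!HH", k, a) for k, a in suites)
    contents = (struct.pack("!BH", config_id, 0x0020)                   # X25519 KEM
                + struct.pack("!H", len(public_key)) + public_key
                + struct.pack("!H", len(suites_raw)) + suites_raw
                + struct.pack("!B", 0)                                  # no name-length hint
                + struct.pack("!B", len(public_name)) + public_name.encode("ascii")
                + struct.pack("!H", 0))                                 # no extensions
    config = struct.pack("!HH", version, len(contents)) + contents
    return struct.pack("!H", len(config)) + config


# Constructed sample: a placeholder 32-byte X25519 public key and a made-up public name.
SAMPLE_KEY = bytes(range(32))
SAMPLE_ECH = base64.b64encode(build_echconfig_list(
    7, SAMPLE_KEY, "ech.example.net", [(0x0001, 0x0001), (0x0001, 0x0003)])).decode()


def describe(b64: str) -> list:
    """One readable line per usable config in an ech= value."""
    return [f"id={c.config_id} kem={KEM_NAMES.get(c.kem_id, hex(c.kem_id))} "
            f"public_name={c.public_name} suites="
            + ",".join(f"{KDF_NAMES.get(k, hex(k))}/{AEAD_NAMES.get(a, hex(a))}"
                       for k, a in c.cipher_suites)
            for c in parse_echconfig_list(b64)]


if __name__ == "__main__":
    for line in describe(SAMPLE_ECH):
        print(line)
```

The public_name is the value a client puts in the outer, unencrypted ClientHello; the real server name goes into the encrypted inner ClientHello using the public key and one of the listed HPKE suites. The two checks worth keeping in any real tool are the ones shown here: every length prefix is bounds-checked before it is trusted, and unknown versions are skipped rather than treated as errors.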

Cryptography & Security Newsletter

Let’s Encrypt’s Six-Day Certificates Generally Available (#133)

In January 2025, Let’s Encrypt announced plans to offer short-lived certificates, a feature it officially launched this month. For those following the debate over reducing certificate lifetimes to forty-seven days, this update is a major milestone: lifetimes can now be as short as six days. Furthermore, Let’s Encrypt has expanded its services to include issuing certificates for IP addresses for the first time.

Messaging Encryption Has Come a Long Way, but Falls Short (#134)

Messaging security has improved significantly over the last few years. Encryption first stopped passive surveillance, while end-to-end encryption on major platforms finally provided widespread privacy. Leaders like Apple and Signal have even implemented quantum-resistant protections. This progress stands in stark contrast to the poor state of email security; however, structural issues remain, and we risk regressing.

Web PKI Reimagined with Merkle Tree Certificates (#135)

While the world focused on post-quantum migration, Google quietly developed its Web PKI strategy. Starting in early 2023 and joining the IETF PLANTS working group in 2025, Google is now collaborating with Cloudflare to refine the design. With the core technology finalized, 2026 will focus on validation before bootstrapping the next-generation Web PKI in 2027.

25 Years of OWASP and Ivan's Talk

Having presented a talk on the then-brand-new ModSecurity at the very first OWASP London Chapter event in 2002 (how time flies!), Ivan recently spoke at an event celebrating 25 years of OWASP.

Ivan's session, Defending Your Public PKI Estate: A ten-step program to achieve best-in-class security, offers practical insights into modern threats and actionable advice on how to harden your defenses. You can watch the full recording on the OWASP London YouTube channel.

Practical TLS and PKI Training

Practical TLS and PKI Training is for system administrators, developers, and IT security professionals who wish to learn how to deploy secure servers and encrypted web applications and understand the theory and practice of Internet PKI. The course is based on our book Bulletproof TLS and PKI. Contact us to arrange private training for your team.

Copyright © 2026 Feisty Duck Ltd

86-90 Paul Street, London EC2A 4NE, United Kingdom
www.feistyduck.com / hello@feistyduck.com
