There is a huge amount of code in NSS between those highest-level layers and lowest-level layers. That middle layer will never be proven correct and it’s survived lots of static analysis and fuzzing. It is totally uninteresting. But that’s where the bugs are likely to be found.

RiSE just announced a new position to work on proof-oriented programming, in F* and related technologies. Come work with us! careers.microsoft.com/us/en/job/1220…

We can do a lot for DNS security by protecting the link between the endpoint and the recursive resolver, a point Thomas H. Ptacek has been making for years. Whether it's DoH, DoT, or DoQ doesn't really matter that much. educatedguesswork.org/posts/dns-secu…

Hey, CNN: Support HTTPS for all URLs please.

CHERI provides fine-grained spatial memory safety at a hardware level. msrc-blog.microsoft.com/2022/01/20/an_… #cybersecurity #ConfidentialComputing

The Security Standardisation Research Conference (SSR) will take place on June 6 in Genoa and is co-located with IEEE EuroS&P IEEE European Symposium on Security and Privacy. The submission deadline (firm) will be March 4 and all details can be found at ssr2022.com.

JavaScript…

Yet another evidence that cryptography needs to pass the test of time. 📜 eprint.iacr.org/2022/111.pdf

The F* book is beginning to look more like a book! Lots more to go, but funny how seeing it in a different format really makes it more a book in my head. fstar-lang.org/tutorial/proof… restructuredText is pretty nice for targeting both html and latex. #fstarlang

My student @Kachoc_ and I are thrilled to announce Aeneas, a new verification toolchain for Rust programs. It's on arxiv arxiv.org/abs/2206.07185 and conditionally accepted at ICFP 2022... 🧵

#ePrint TreeSync: Authenticated Group Management for Messaging Layer Security: T Wallez, J Protzenko, B Beurdouche, K Bhargavan ia.cr/2022/1732

MLS is a new secure group messaging protocol, soon coming up in a standard. datatracker.ietf.org/doc/draft-ietf… It aims to have strong confidentiality properties, with fancy names like "forward-secrecy" or "post-compromise security"! How do we prove them?

This was an amazing process to see. RFC 9420 is a huge achievement. raphaelrobert Benjamin Beurdouche Jon Millican Emad Omara @ 🏡 Katriel Richard Barnes and other contributors like Joël Alwen Brendan McMillion and others really pulled together to make something great.

I am super excited to see Apple engaging in this work—it is outstanding. However, I have been secretly hoping that both Apple and Google would adopt MLS (Messaging Layer Security) as part of their plan to both support RCS (Rich Communication Services). While the evolution of the

The program for RWC 2024 is live! rwc.iacr.org/2024/program.p…

6100 atoms! Feels like quantum computers with thousands of qubits are just around the corner arxiv.org/abs/2403.12021

This month's Advancing #WebRTC from #Mozilla dives into the new standard video processing APIs MediaStreamTrackProcessor and VideoTrackGenerator. We cover differences across browsers, and how to polyfill the gap in all browsers, including #Firefox! blog.mozilla.org/webrtc/unbundl…

Le chiffrement de bout en bout des communications ne saurait être fragilisé pour permettre des accès par des tiers, fûssent-ils les services de rens. C'est tout un pan de la confiance dans les messageries qui s'en trouverait questionné.

Formal verification has never been more important now that LLMs take a central place in code generation. The psychological effect of assuming capability and best intention from a human does *not* translate to the setting where a robot writes the code.