Geomys sometimes acts as a maintainer of last resort for critical Go projects. Recently, we took over the bluemonday HTML sanitizer, and built upgrade paths for the gorilla/csrf library.| words.filippo.io
Cross-Site Request Forgery countermeasures can be greatly simplified using request metadata provided by modern browsers.| words.filippo.io
Test coverage of delicate Go cryptographic assembly through a new mutation testing framework.| words.filippo.io
Announcing Geomys, a small firm of professional maintainers with a portfolio of critical Go projects.| words.filippo.io
We look into a neat trick that allowed replacing the last bit of unreadable edwards25519 code, and learn about the structure and lineage of ECC implementations.| words.filippo.io
Encrypting files with passkeys, using the WebAuthn prf extension and the TypeScript age implementation.| words.filippo.io
RSA key generation is conceptually simple, but extremely tricky. Even benchmarking involves math: we generated a stable but representative “average case” instead of using the ordinary statistical approach.| Filippo Valsorda
My NAS is just one big initramfs containing a whole Alpine Linux system. It’s delightful. Here's why and how.| Filippo Valsorda
Accumulated test vectors make it possible to run large sets of random known-answer tests without checking in large assets.| Filippo Valsorda
The FIPS compliance of HKDF is a somewhat confusing and controversial topic, partially because the normative reference is split over at least four separate documents, but in practice it’s approved for almost any purpose.| Filippo Valsorda
ML-KEM private key seeds are vastly preferable to expanded decapsulation keys as a storage format. A plea to standardize on them.| Filippo Valsorda
The age plugin system allows integrating third-party recipient types at the CLI level. A new framework makes it easy to implement plugins.| words.filippo.io
A short document describing how I maintain open source projects. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations.| words.filippo.io
7 Jul 2025| words.filippo.io
Maybe you, yes you, should run a Certificate Transparency log. It’s cheaper, easier, and more important than ever.| words.filippo.io
XAES-256-GCM is a new AEAD extended-nonce algorithm designed for high-level APIs and FIPS 140 compliance.| Filippo Valsorda
Hardware secure elements make it possible to use low-entropy secrets like PINs for encryption.| Filippo Valsorda
filippo.io/mlkem768 is a pure-Go implementation of the post-quantum key exchange mechanism ML-KEM-768 optimized for correctness and readability.| Filippo Valsorda
After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up. At least on the concept of long term PGP keys. This is not about the gpg tool itself, or about tools at all. Many already| Filippo Valsorda
How much linear algebra and polynomials do you need to know to implement Kyber? Turns out, very little!| Filippo Valsorda
Elliptic curves are standardized, instead of being generated like Diffie-Hellman parameters. There's good reasons!| Filippo Valsorda
Announcing a $12,288 bounty (tripled to charity) for cracking the five seeds selected by the NSA in the '90s for the NIST elliptic curve standard.| Filippo Valsorda
I want the extended-nonce 256-bit reduced-rounds XAES-256-GCM/11 AEAD. It has infinitely randomizable nonces, a comfortable margin of multi-user security, and nearly the same performance as AES-128-GCM. Only issue is that it doesn’t exist.| Filippo Valsorda
A description of my password management solution based on passage, a fork of pass that uses age, and YubiKeys. Its main feature is resisting post-compromise exfiltration.| Filippo Valsorda
A recent issue in scalar multiplication makes for a good case study of how unsafe interfaces, undocumented assumptions, and time lead to vulnerabilities.| Filippo Valsorda
Go 1.20 was a big release. Go 1.21 has some exciting API work on crypto/tls, and some follow-up work including crypto/rsa performance.| Filippo Valsorda
Protocols that use randomness should make it a deterministic function that takes a fixed-size string of random bytes, so it can be tested.| Filippo Valsorda
It works! I am now a full-time independent open-source maintainer. I'm announcing my first cohort of six clients, and sharing some details of how the model works.| Filippo Valsorda
A lot of new cryptography is landing in Go 1.20, including the new crypto/ecdh package and math/big-less RSA and ECDSA backends!| Filippo Valsorda
age currently only provides confidentiality. We look at how a couple small tweaks can introduce authentication, when you'd need it, and how it is different from signing.| Filippo Valsorda
I updated the whoami.filippo.io dataset! I explain how it works, and how I fetched the new data.| Filippo Valsorda
We look at how fuzzing should have caught the OpenSSL Punycode vulnerability, and why that code was even necessary in the first place.| Filippo Valsorda
Go 1.20 is adding an interning cache for reused certificates. The entries are reference-counted with the help of the garbage collector and finalizers.| Filippo Valsorda
Having a direct line to the maintainers of Open Source projects is reciprocally valuable, and made possible by high-touch contractual relationships.| Filippo Valsorda