Introducing Web Numbers
Domains? Where we’re going, we don’t need domains!
Get ready for an exciting new (old?) way to address (small) web sites in 2026.
https://ar.al/2025/06/25/web-numbers/
(Thanks to @letsencrypt.)

I'm seeing something strange with HTTPS requests from docker containers after docker upgrade to latest (28.2.2).
Docker compose, app containers and an nginx proxying for them all. One container trying to reach another via nginx external hostname.
Both NodeJS and curl fail to make the request with:
TLS connect error: error:00000000:lib(0)::reason(0)
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxxx.xxxx.com:443
Same request outside container works just fine.
CyMaIS: 100% GDPR (DSGVO) compliant
The General Data Protection Regulation (GDPR) sets strict requirements for the handling of personal data. Anyone who wants to protect their company data and the personal information of employees or customers needs more than just a standard cloud. CyMaIS not only meets all GDPR requirements but goes one step further with sophisticated security concepts and flexible infrastructure.
[…]
https://blog.cymais.cloud/blog/2025/06/19/cymais-100-dsgvo-konform/
At Akamai, we're launching a blog post series on various topics relating to post-quantum cryptography. The first post is by @rsalz, discussing some related IETF initiatives, including the two #TLS drafts he co-authored:
https://www.akamai.com/blog/trends/building-quantum-safe-internet-ietf-plan-tls
Hello, I’m hosting a #Vaultwarden server behind #Caddy 2.10 and made the following test:
Tuning Caddy to allow only #PQC curves:
tls {
curves x25519mlkem768
}
Trying to connect with #Firefox Mac -> OK
Trying to connect with #Bitwarden #android client -> Fail
Without the #TLS tuning, the Bitwarden Android client will happily connect to the server.
Is it a problem with the Bitwarden Android client or with Android, or both?
Why SSL was renamed to TLS in late 90s (2014)
https://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html
You know you think DNS over TLS or DNS over HTTPS is great and you no longer send the domains you visit over cleartext on the internet...
Wrong, prior to TLS 1.3 your browser would request the domain in cleartext as part of the TLS negotiation in a process called Server Name Indication (SNI).
Only with TLS 1.3 did we finally get an Encrypted Client Hello (ECH).
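An added example (not from the post above) that shows the point concretely: it builds a constructed ClientHello record carrying a server_name extension, then extracts the hostname from the plaintext bytes, which is what anyone on the path, including a defender's own traffic monitor, can read unless ECH is in use.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal ClientHello record with an SNI extension.
    Constructed sample input for the demo, not a real capture."""
    host = hostname.encode("ascii")
    # ServerNameList: one entry of name_type host_name (0), 2-byte length, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)   # ext type 0 = server_name
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (
        b"\x03\x03"             # legacy_version TLS 1.2 (TLS 1.3 uses the same here)
        + b"\x11" * 32          # client_random (constructed placeholder)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"           # compression_methods: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big")   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake) + len(body)) + handshake + body

def extract_sni(record: bytes):
    """Return the server_name from a plaintext ClientHello record, else None.
    Nothing here decrypts anything: the name sits in the clear before any key exists."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record / not a ClientHello
    p = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                   # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                   # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                   # server_name: list_len(2) name_type(1) len(2) name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None
```

With ECH the real ClientHello is encrypted inside an outer one whose SNI names only the client-facing server, so this parser would see the public name rather than the backend hostname.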
Recent research has exposed more than 40 * 10³ IoT cameras happily showing their feed _and_ location to anyone who can browse and use search engines specialized in indexing misconfigured devices.
More than 14 * 10³ are localised in the USA.
Read more here.
Note:
I know that there are more than a million of these cameras worldwide, misconfigured and open on just port 80 (HTTP, not even TLS on 443), with admin / admin as credentials.
https://www.theregister.com/2025/06/10/40000_iot_cameras_exposed/
I have a feeling that many people misunderstood the new #TLS Certificate requirements for browsers/public CAs… No, a public CA trusted by browsers doesn’t need to issue certificates with the Client Authentication EKU. Why would you trust a client that presents a certificate which was issued for server use anyway? #cryptography
Do you use client authentication with TLS certificates?
Hi @mirabilos @jwildeboer,
the most concerning part about #TLS is IMO the #FUD about self-signed certs. So the whole ecosystem acts hostile against indies and turns into an oligopoly at best. https://blog.mro.name/2022/11/tls-may-not-be-what-you-think-it-is/
More interesting progress trying to make #swad suitable for very busy sites!
I realized that #TLS (both with #OpenSSL and #LibreSSL) is a *major* bottleneck. With TLS enabled, I couldn't cross 3000 requests per second, with somewhat acceptable response times (most below 500ms). Disabling TLS, I could really see the impact of a #lockfree queue as opposed to one protected by a #mutex. With the mutex, up to around 8000 req/s could be reached on the same hardware. And with a lockfree design, that quickly went beyond 10k req/s, but crashed.
So I read some scientific papers ... and redesigned a lot (*). And now it finally seems to work. My latest test reached a throughput of almost 25k req/s, with response times below 10ms for most requests! I really didn't expect to see *this* happen.
Maybe it could do even more, didn't try yet.
Open issue: Can I do something about TLS? There *must* be some way to make it perform at least a *bit* better...
(*) edit: Here's the design I finally used, with a much simplified "dequeue" because the queues in question are guaranteed to have only a single consumer: https://dl.acm.org/doi/10.1145/248052.248106
1/3
This afternoon I enjoyed browsing through the printed edition of a recent TLS. One is so much more likely to happen upon the unexpected, and I was not disappointed today.
For example, Notre Dame historian Felipe Fernández-Armesto takes the Yale Latin Americanist Greg Grandin to task in an uncompromising review of "America, América: A New History of the New World":
>>I opened the book expecting instruction and entertainment. I closed it in despair. How can such a shoddy piece, so self-indulgent, so partisan, so ignorant, so poorly written and so carelessly checked, appear over the name of a well-qualified professor and the imprint of a respected publisher? <<
Fernández-Armesto is particularly critical of what he sees as Grandin's recycling of the "black legend" of Spanish colonialism. He concludes his review
>>To "American identity of the future", wrote Walt Whitman in 1883, "Spanish character will supply some of the most needed parts. It is time to realize --for it is certainly true--that there will not be found any more cruelty, tyranny, superstition, etc., in the resume of past Spanish history than in the corresponding resume of Anglo-Norman history". Some people have not realized it yet.<<
https://link.gale.com/apps/doc/A839229765/AONE?u=txshrpub100020&sid=bookmark-AONE&xid=99da47a6
There was once this push to require browser and operating system vendors in the EU to include EU CAs for #x509 as trusted, which would also have played strongly into the hands of any #Chatkontrolle...
Are there any updates on that? And what were they called again? qwacs or something?
Solved!
This was a pretty "interesting" bug. Remember when I invented a way to implement #async / #await in #C, for jobs running on a threadpool. Back then I said it only works when completion of the task resumes execution on the *same* pool thread.
Trying to improve overall performance, I found the complex logic to identify the thread job to put on a pool thread a real deal-breaker. Just having one single MPMC queue with a single semaphore for all pool threads to wait on is a lot more efficient. But then, a job continued after an awaited task will resume on a "random" thread.
It theoretically works by making sure to restore the CORRECT context (the original one of the pool thread) every time after executing a job, whether partially (up to the next await) or completely.
Only it didn't, at least here on #FreeBSD, and I finally understood the reason for this was that I was using #TLS (thread-local storage) to find the context to restore.
Well, most architectures store a pointer to the current thread metadata in a register. #POSIX user #context #switching saves and restores registers. I found a source claiming that the #Linux (#glibc) implementation explicitly does NOT include the register holding a thread pointer. Obviously, #FreeBSD's implementation DOES include it. POSIX doesn't have to say anything about that.
In short, avoiding TLS accesses when running with a custom context solved the crash.
How does 0-RTT work in #iroh (and #QUIC, and a little bit of #TLS), a fun exploration: https://www.iroh.computer/blog/0rtt-api
What's even better is that @Frando already landed a PR in #rustls to improve the UX of this (https://github.com/rustls/rustls/pull/2476). Should also land in #Quinn and #iroh soon!
Come on SAP, it's 2025 - expired certificates in production should be a thing of the past! Let's not break trust with something so basic. #DevOps #TLS #SAP #Fieldglass
After having decoded the #TLS certificate, I’m much more sure that ASN.1 is simply encoding / serializing pieces of information.
Similarly, DER, BER, etc. specify what is encoded in what order and using what ASN.1 types for things.
Said another way, ASN.1 is how to do something and DER is what to do it to.
Sort of a policies vs procedure type thing.
I managed to finish decoding the ASN.1 of my server's #TLS certificate this evening.
I did have a few identifiers that stumped me. But I continued decoding as if they used the same type / length / value format as most other identifiers and they worked.
After the fact I found some documentation confirming that I decoded the identifiers correctly.
Now I need to decode all of the OIDs and make sure that I have them correct and that I have them in my .oid #DNS zone.
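As an added illustration of the type / length / value decoding the post describes (example code, not the author's decoder), a small DER walker that descends into constructed tags and turns OID content octets into dotted form. The sample bytes are a constructed AlgorithmIdentifier encoding the well-known OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption); they are not taken from the post's certificate.

```python
# Constructed sample: AlgorithmIdentifier ::= SEQUENCE { OID 1.2.840.113549.1.1.11, NULL }
SAMPLE_DER = bytes.fromhex("300d06092a864886f70d01010b0500")

TAG_NAMES = {0x30: "SEQUENCE", 0x31: "SET", 0x06: "OID", 0x05: "NULL", 0x02: "INTEGER"}

def read_length(data: bytes, p: int):
    """Decode a DER length at offset p; return (length, offset of the content)."""
    first = data[p]
    if first < 0x80:                       # short form: one byte
        return first, p + 1
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0:
        raise ValueError("indefinite length is BER, not allowed in DER")
    return int.from_bytes(data[p + 1:p + 1 + n], "big"), p + 1 + n

def decode_oid(content: bytes) -> str:
    """Base-128 decode OID arcs; the first subidentifier packs arcs 1 and 2 as 40*a1+a2."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    a1 = 2 if first >= 80 else first // 40
    return ".".join(str(x) for x in [a1, first - 40 * a1] + arcs[1:])

def walk(data: bytes, depth: int = 0):
    """Yield (depth, tag, content) for each TLV; recurse into constructed tags (bit 0x20).
    Single-byte tags only; a 0x1f low-tag-number means a multi-byte tag, not handled here."""
    p = 0
    while p < len(data):
        tag = data[p]
        length, q = read_length(data, p + 1)
        content = data[q:q + length]
        yield depth, tag, content
        if tag & 0x20:
            yield from walk(content, depth + 1)
        p = q + length

def describe(data: bytes):
    """Flatten the TLV tree into (depth, type name, decoded value) tuples."""
    out = []
    for depth, tag, content in walk(data):
        name = TAG_NAMES.get(tag, f"tag 0x{tag:02x}")
        value = decode_oid(content) if tag == 0x06 else content.hex()
        out.append((depth, name, value))
    return out
```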
#commonLisp #emacs #smallweb #kitten https://screwlisp.small-web.org/kitten/clkitten-parenscript-kitten-2/ #webdev
Eev (and lisp secret alien technology) made it /really/ easy and convenient to generate a kitten matching @aral's Tutorial 2: dynamic pages, https://kitten.small-web.org/tutorials/dynamic-pages/ serve it and visit it inside emacs (just press F8 over and over again and it happens on its own).
I guess you can do it too...? What do you think? How much of a Hurkle itch is this giving you Aral ;p. It seems /really/ easy to get a fancy! #tls site up like this.