Simon Willison's Weblog: certificates

Private Cloud Compute: A new frontier for AI privacy in the cloud

2024-06-11T15:38:15+00:00

Private Cloud Compute: A new frontier for AI privacy in the cloud

Here are the details about Apple's Private Cloud Compute infrastructure, and they are pretty extraordinary.

The goal with PCC is to allow Apple to run larger AI models that won't fit on a device, but in a way that guarantees that private data passed from the device to the cloud cannot leak in any way - not even to Apple engineers with SSH access who are debugging an outage.

This is an extremely challenging problem, and their proposed solution includes a wide range of new innovations in private computing.

The most impressive part is their approach to technically enforceable guarantees and verifiable transparency. How do you ensure that privacy isn't broken by a future code change? And how can you allow external experts to verify that the software running in your data center is the same software that they have independently audited?

When we launch Private Cloud Compute, we’ll take the extraordinary step of making software images of every production build of PCC publicly available for security research. This promise, too, is an enforceable guarantee: user devices will be willing to send data only to PCC nodes that can cryptographically attest to running publicly listed software.

These code releases will be included in an "append-only and cryptographically tamper-proof transparency log" - similar to certificate transparency logs.

Tags: apple, certificates, ethics, privacy, security, ai, generative-ai, llms, apple-intelligence, ai-ethics

trustme

2021-02-11T20:00:56+00:00

trustme

This looks incredibly useful. Run python -m trustme and it will create three files for you: server.pem, server.key and a client.pem client certificate, providing a certificate for "localhost" (or another host you spefict) using a fake certificate authority. Looks like it should be the easiest way to test TLS locally.

Via Seth Michael Larson

Tags: certificates, tls

The case against client certificates

2020-12-09T14:41:46+00:00

The case against client certificates

Colm MacCárthaigh provides a passionately argued Twitter thread about client certificates and why they should be avoided. I tried using them as an extra layer of protection fir my personal Dogsheep server and ended up abandoning them—certificate management across my devices was too fiddly.

Via Thomas Ptacek

Tags: certificates, dogsheep

How CDNs Generate Certificates

2020-06-26T00:03:45+00:00

How CDNs Generate Certificates

Thomas Ptacek (now at Fly) describes in intricate detail the challenges faced by large-scale hosting providers that want to securely issue LetsEncrypt certificates for customer domains. Lots of detail here on the different ACME challenges supported by LetsEncrypt and why the new tls-alpn-01 challenge is the right option for operating at scale.

Tags: acme, certificates, domains, thomas-ptacek, tls, fly

Client-Side Certificate Authentication with nginx

2019-10-05T17:26:35+00:00

Client-Side Certificate Authentication with nginx

I’m intrigued by client-side browser certificates, which allow you to lock down a website such that only browsers with a specific certificate installed can access them. They work on both laptops and mobile phones. I followed the steps in this tutorial and managed to get an nginx instance running which only allows connections from my personal laptop and iPhone.

Tags: certificates, nginx, security, dogsheep

Extended Validation Certificates are Dead

2018-09-18T13:41:24+00:00

Extended Validation Certificates are Dead

Troy Hunt has been writing about the flaws of Extended Validation certificates for a while. Now iOS 12 is out and Mobile Safari no longer displays their visual indicator in the URL bar (and desktop Safari will stop doing so next week when Mac OS Mojave ships). EV certificates are being dropped by many of the larger companies that were using them. “This turned out to be a long blog post because every time I sat down to write, more and more evidence on the absolute pointlessness of EV presented itself”.

Tags: certificates, security, troy-hunt

The death of a TLD

2018-07-28T20:07:00+00:00

The death of a TLD

Sony have terminated their .xperia TLD. Ben Cox used Certificate Transparency logs to evaluate the 11 total TLDs that have been abandoned since the gTLD gold rush started—since HTTPS is becoming the default now these logs of issued certificates are a great indicator of which domains (or TLDs) are being actively used. The only deleted TLD with legitimate looking certificates (apparently for a mail server) was .mcdonalds

Tags: certificates, dns, domains, tls

mkcert

2018-06-26T18:55:56+00:00

mkcert

Handy new tool from Filippo Valsorda (a cryptographer at Google) for easily generating TLS certificates for your local development environment. You can use this to get a certificate pair for a localhost web server created with a couple of simple commands.

Via @FiloSottile

Tags: certificates, go, https, filippo-valsorda

Extended Validation is Broken

2017-12-12T01:36:29+00:00

Extended Validation is Broken

Ian Carroll spent $100 incorporating a company called “Stripe, Inc” in the state of Kentucky and $77 on an Extended Validation certificate tied to that legal entity. Safari (and Mobile Safari) now hide the URL bar completely, displaying “Stripe, Inc” in its place. “This means the attacker does not even need to register a convincing phishing domain. They can register anything, and Safari will happily cover it with a nice green bar.”

Tags: certificates, phishing, security

prooveme.com

2007-02-22T12:01:58+00:00

prooveme.com

An OpenID provider that uses SSL client certificates (which you install in your browser) for authentication.

Tags: certificates, openid, prooveme, ssl