"Harvest now, decrypt later": attackers record your encrypted traffic today to crack it once quantum computers arrive. Post-quantum TLS starts now, often as a config change. Enable hybrid key exchange (X25519 + ML-KEM): https://t.co/h8FbuPiPm9
Post-quantum TLS isn't a 2035 problem. Hybrid key exchange, X25519 plus ML-KEM, is already negotiated by default in a lot of browsers and servers. The driver is harvest-now-decrypt-later: capture the traffic today, decrypt it whenever the hardware shows up.
IPv6 DNSBL lookups trip people up. You don't reverse octets like IPv4, you reverse every nibble of the full 128-bit address into the query name. If your blacklist checks were written for IPv4, odds are they're silently not checking your IPv6 mail at all.
If you still have monitoring scripts that hit an OCSP responder to judge cert health, they're on borrowed time. Let's Encrypt killed OCSP and others are following. Stop building tooling that assumes a live responder; lean on short lifetimes and automated renewal.
My favorite class of bug: works in my browser, broken everywhere else. A missing intermediate cert is invisible to you because your browser cached it once, but a fresh container or mobile client can't build the chain. Always test certs from something with no cache.
DNSSEC fails closed. One broken signature anywhere in the chain and validating resolvers return SERVFAIL, so the record just vanishes for those clients. Before you blame the app, confirm the zone actually validates: https://t.co/mStpGbaASQ
Add IPv6 to your mail servers and you start cold. New IPv6 addresses have zero sending reputation, and most blacklists track it at the /64 or /48 level, not per address. If your RBL monitoring is IPv4-only, an IPv6 listing can sink delivery and you'd never see it.
The scariest monitoring failures are the silent ones. An access link expires, the nightly pull returns a 404, your dashboard keeps showing yesterday's good numbers, and reputation slips for weeks before anyone looks. Alert on empty results, not just on errors.
OCSP is going away. Let's Encrypt shut down its responder and browsers moved revocation into CRLSets and CRLite. The lever that matters now is short lifetimes: a cert that rotates every few weeks limits exposure better than a revocation check that failed open ever did.
I maintain NetDNS2, a pure-PHP DNS library: resolver and updater, DNSSEC validation, DNS-over-TLS and DNS-over-HTTPS, EDNS0, TSIG, RFC 2136 dynamic updates. No C extension to compile, just PHP. https://t.co/uY671No3RY
A clean sending IP won't save you if a link in your email points at a domain someone else burned.
IP and domain reputation are scored separately and fail separately. Listed IP, clean domain? Host issue. Clean IP, listed domain? don't fix the mail server.
https://t.co/cJsFaFJzhp
Wrote a PHP extension for QUIC: raw transport, client + server, real streams. Built straight on OpenSSL 3.5's native QUIC stack. No ngtcp2, no quiche, no Rust, no FFI. HTTP/3, DNS-over-QUIC, or your own protocol on top. https://t.co/bm3dCcbgFJ
I moved my whole AWS fleet to Graviton. The pitch isn't raw speed, it's price/performance: more work per dollar.
90% of the migration was trivial. The other 10% is one unmaintained arm64 binary you forgot about.
What I learned: https://t.co/uoNRFqqTL1
Cert lifetimes are dropping toward 47 days. Manual renewal is now a backlog, not a workflow.
ACME automates issuance, but it fails quietly: a reload that never runs, a flaky dns-01 challenge, a rotated key. Monitor the endpoint, not the script.
https://t.co/zzZVlDhDgP
I spent a while scaling out an API I run and wrote up the stuff nobody tells you: rate limiting up front, single-flight to kill cache stampedes, reads to replicas, connection pooling, and when NOT to run an API on Lambda.
https://t.co/AijQeDr1QX
Most certificate outages aren't sophisticated. A cert expires on a forgotten load balancer, an intermediate drops from the chain, a renewal fails quietly for weeks.
Monitor the endpoint users connect to, not the script meant to renew it.
https://t.co/U76TCiFrbu
Microsoft's 2026 SNDS changes can silently break your Outlook reputation monitoring:
- New portal URL
- Automated links now expire in 30 days (404 in your cron job)
- New OAuth 2.0 REST API
- Privacy-focused JMRP
What to fix:
https://t.co/OFiCAdiaQe