Hacker News: Ayesh

New comment by Ayesh in "DNS-Persist-01: A New Model for DNS-Based Challenge Validation"

Ayesh — Wed, 18 Feb 2026 20:16:49 +0000

I think the previous post is talking about a search that will find the sibling domain names that have obtained certificates with the same account ID. That is a strong indication that those domains are in the same certificate renewal pipeline, most likely on the same physical/virtual server.

New comment by Ayesh in "DNS-Persist-01: A New Model for DNS-Based Challenge Validation"

Ayesh — Wed, 18 Feb 2026 20:13:27 +0000

I'm surprised the ballot passed, unanimously even! I get that storing the DNS credentials in the certificate renewal pipeline is risky, but many DNS providers have granular API access controls, so it is already possible to limit the surface area in case the keys get leaked. Plus, you can revoke the keys easily.

The ACME account credentials are also accessible by the same renewal pipelines that has the DNS API credentials, so this does not provide any new isolation.

~It's also not quite clear how to revoke this challenge, and how domain expiration deal with this. The DNS record contents should have been at least the HMAC of the account key, the FQDN, and something that will invalidate if the domain is transferred somewhere else. The leaf DNSSEC key would have been perfect, but DNSSEC key rotation is also quite broken, so it wouldn't play nice.~

Is there a way to limit the challenge types with CAA records? You can limit it by an account number, and I believe that is the most tight control you have so far.

---

Edit: thanks to the replies to this comment, I learned that this would provide invalidation simply by removing the DNS record, and that the DNS records are checked at renewal time with a much shorter validation TTL.

New comment by Ayesh in "Google Public CA is down"

Ayesh — Wed, 18 Feb 2026 08:50:48 +0000

Yes, and it's not that long ago, or I aged really quickly.

For code signing certificates and EV certificates, (and OV certificates, if they are even alive), this is still the case.

New comment by Ayesh in "Upcoming changes to Let's Encrypt and how they affect XMPP server operators"

Ayesh — Tue, 10 Feb 2026 13:26:53 +0000

LetsEncrypt doesn't see your private key when you obtain the certificate. So no, it's not _really_ a juicy target.

New comment by Ayesh in "Notepad++ hijacked by state-sponsored actors"

Ayesh — Mon, 02 Feb 2026 06:55:53 +0000

If you update via Winget, you are probably safe.

Winget downloads the installer from GitHub: https://github.com/microsoft/winget-pkgs/blob/master/manifes...

New comment by Ayesh in "Pricing Changes for GitHub Actions"

Ayesh — Wed, 17 Dec 2025 08:24:07 +0000

Microsoft had a very fair shot at redeeming themselves, but with how Teams, GitHub and all the AI crap they push into GitHub and Windows, it's clear they have not changed one bit.

New comment by Ayesh in "Valve: HDMI Forum Continues to Block HDMI 2.1 for Linux"

Ayesh — Thu, 11 Dec 2025 10:24:55 +0000

I know that HN replies must carry some substance, unlike majority of Reddit comments. But I wanted to say that this comment read line a poem to me.

New comment by Ayesh in "So you want to speak at software conferences?"

Ayesh — Wed, 10 Dec 2025 02:04:12 +0000

Local meetups are very easy to get selected into, and they often have two or three speakers lined up, with a balance of speakers they know and are experienced, and new speakers.

Most of the time, the organizers are squeezed to find a speaker, so you are pretty much guaranteed to be offered a slot if you just ask the host.

New comment by Ayesh in "So you want to speak at software conferences?"

Ayesh — Wed, 10 Dec 2025 02:02:10 +0000

I imagine it'll go against your talk getting into the shortlist.

But there are some conferences that ask and respect your preference whether you'd like the video recording to have your face or just the audio. But I have yet to see a conference that go as far as asking the audience to not take photos of the presenter, so it's pretty much moot if you do not want your photos published at all.

New comment by Ayesh in "10 Years of Let's Encrypt"

Ayesh — Wed, 10 Dec 2025 01:55:13 +0000

To prove a very important point, that EV certificates are broken, someone obtained a "Stripe Inc." EV certificate by registering a company in a different state.

https://arstechnica.com/information-technology/2017/12/nope-...

(The original site is no more, but this Arstechnica article has screenshots and a good summary)

New comment by Ayesh in "10 Years of Let's Encrypt"

Ayesh — Wed, 10 Dec 2025 01:50:48 +0000

Considering how many ACME clients are available today with all sorts of convenient features, and that many web servers nowadays have ACME support built in (Caddy, Apache mod_md, and recent Nginx), I believe that people who don't automate ACME certificates are the people who get paid hourly and want to keep doing the same boring tasks to get paid.

New comment by Ayesh in "10 Years of Let's Encrypt"

Ayesh — Wed, 10 Dec 2025 01:41:29 +0000

https://github.com/letsencrypt/boulder

You can find a docker-compose.yml file to get some idea.

Appears to be using MariaDB.

They shut down OCSP responders and expiry email reminders, so there really is no need to have a database apart from rate limits, auth data, and caching.

For Certificate Transparency, they are submitted to Google and CloudFlare run trees but I don't think LetsEncrypt run their own logs.

New comment by Ayesh in "10 Years of Let's Encrypt"

Ayesh — Wed, 10 Dec 2025 01:30:57 +0000

As someone else mentioned, it's a non-profit, so I guess it's not technically possible to get acquired.

But I personally believe that the people behind LetsEncrypt genuinely care about the mission and will never sell out for their personal benefit.

If there was a list of organizations that bring the most impactful things to tech per each dollar received in donations and per each employee, ISRG will be up there at the top.

New comment by Ayesh in "10 Years of Let's Encrypt"

Ayesh — Wed, 10 Dec 2025 01:24:21 +0000

It's been a long time so this is my fading memory, but CAs used to generate a private key on their end and let you download both private key and the certificate containing the public key. The non-technical person who paid big money for the certificate then emails the zip file to the developer. That's when StartTLS wasn't that big back then either.

Just comically bad way to obtain certs.

New comment by Ayesh in "Fifteen Years"

Ayesh — Wed, 26 Nov 2025 02:40:33 +0000

This must be how winning in life feels like. I wish your family good health.

New comment by Ayesh in "PHP 8.5"

Ayesh — Fri, 21 Nov 2025 07:44:33 +0000

the MySQL extension was dropped in PHP 7.0.

New comment by Ayesh in "How two photographers transformed RAW photo support on Mac"

Ayesh — Wed, 19 Nov 2025 18:34:09 +0000

iOS shoots HEIF natively I think.

Raw photos probably are shot in DNG. DNG "images" are popular for raw images because theyb can be losslessly converted from to the camera raw formats like the Nikon's, and DNG is open source and royalty free.

New comment by Ayesh in "AWS deprecates two dozen services (most of which you've never heard of)"

Ayesh — Sat, 15 Nov 2025 21:14:24 +0000

Thank you. The linked third party article is a terrible incomplete rehash.

New comment by Ayesh in "URLs are state containers"

Ayesh — Sun, 02 Nov 2025 17:18:57 +0000

Canonical URLs come to the rescue.

New comment by Ayesh in "URLs are state containers"

Ayesh — Sun, 02 Nov 2025 17:17:04 +0000

> Everything after the '?' character.

It only strips known tracking parameters b(like those utm_ query params). It does not remove all parameters; if that's the case, YouTube video links will stop working.