Want to help shape the cryptography that ends up in Internet standards? CFRG is looking for Crypto Review Panel members. Self-nominations welcome. Two-year renewable term.
Send nominations by April 20: cfrg-chairs@ietf.org
wiki.ietf.org/group/cfrg/C...
Posts by Nick Sullivan
Also: new draft work on authenticated ECH config distribution and rotation with Dennis Jackson and Alessandro Ghedini, plus interop work here:
www.ietf.org/archive/id/d...
github.com/grittygrease...
That is why signed ECH config updates are interesting. The goal is not just "more crypto." The goal is to remove the deployment constraint that created a stable fingerprint in the first place.
This is the deployment lesson: privacy is not just about cryptographic correctness. It is about operational indistinguishability too. Rollout paths, retry paths, and recovery paths all matter.
That meant protected traffic still had a cheap classification handle. In other words: ECH stopped sticking out at one layer, and started sticking out at another.
But real deployments still created a visible pattern. The issue was not the ECH extension. It was config update and recovery behavior, which pushed clients toward a common outer name in the clear.
GREASE did part of that job. It made ECH-shaped traffic common, so the syntax itself did not stand out.
ECH's design goal is "do not stick out." The basic idea is simple: if encrypted connections all look similar, it is harder to classify, monitor, and block them.
ECH exposed a hard truth about privacy technology: you can win at the protocol layer and still lose at the deployment layer.
I wrote about it here:
cdt.org/insights/do-...
I had a wonderful time at RWC again this year. What a lovely group of people.
The room gets philosophical. Cryptography & Society chaired by Nick Sullivan (@nicksullivan.org): what is crypto hiding from itself? Security vs. interoperability? CRA policy? Proofs that aren't enough? And Nadim Kobeissi on teaching crypto in post-crisis Lebanon. #realworldcrypto
I’m back in Taipei for Real World Crypto, then Tokyo next week for IETF by proxy. Let me know if you’re around!
Encrypted Client Hello is now RFC 9849
This RFC defines an extension to Transport Layer Security that improves privacy for web users. Huge team effort and a win for the internet at large. Now to get deployment up...
Some words I wrote about this for @cdt.org: cdt.org/insights/enc...
I put together a job site for cryptography roles. It's in alpha, so please send me your bugs!
jobs.cryptography.consulting
USENIX Enigma has published its CFP for 2026: www.usenix.org/conference/u...
Submissions are due March 31, 2026. Looking forward to seeing many of you this year.
I’m happy to be joining the USENIX Security ’26 Enigma organizing committee this year, after having the chance to speak at Enigma three times. It has a long history as a home for early, practice-driven security ideas, often where work first gets aired before it’s fully polished or widely deployed.
Software has eaten the world. Banks, hospitals, power grids, planes. If the ground liquefies, everything built on it sinks. We're not talking about bad code anymore. We're talking about infrastructure failure at scale.
Liquefaction is what happens when shaking meets saturated ground. The soil loses structure and behaves like liquid. Buildings sink. In software: unverified code + relentless velocity + strained review = a codebase that can't hold weight.
And verification doesn't scale for free. 38% say reviewing AI code takes *more* effort than human code. Werner Vogels calls this verification debt. It compounds silently until something breaks.
🔗 buildwithaws.substack.com/p/werner-vog...
Same survey: 96% of devs don't fully trust AI output. But only 48% say they always verify before committing. That gap is where bugs live. That gap is where security dies.
🔗 www.sonarsource.com/company/pres...
Here's where it gets uncomfortable. Devs now say ~42% of their code is AI-generated. Projected to hit 65% by 2027. The codebase is becoming porous.
🔗 www.sonarsource.com/company/pres...
AI isn't coming; it's already in the pipes. Over 1.1M public repos now depend on an LLM SDK. Almost 700K of those appeared in the last 12 months alone. +178% YoY.
🔗 github.blog/news-insight...
Forget counting lines. Watch the flow. GitHub saw 518M pull requests merged in 2025, up 29% from the year before. That's not growth, that's a flood.
🔗 github.blog/news-insight...
Software Heritage archived over 22 billion unique source files by end of 2024. That's just public code they could find. The real number is unknowable, and growing faster than anyone can track.
🔗 annex.softwareheritage.org/public/annua...
Here's the scale we're dealing with: roughly 2.8 trillion lines of code written in the last 20 years. A huge chunk of that? Just the last two. The acceleration is the story.
🔗 medium.com/modern-stack...
AI coding is an earthquake for software security. Not a tremor. The kind that liquefies the ground beneath your feet. We're mid-shake and most people are still debating if it's real.
🔗 github.blog/news-insight...
News! I’ll be joining the Internet Architecture Board (IAB) starting March 2026 at IETF 125 in Shenzhen (I’ll be participating remotely).
The IAB is part of the IETF ecosystem. It looks across Internet protocol work to provide architecture-level oversight and help keep the standards process healthy.