Michal Špaček

@spazef0rze.bsky.social

In your web, securing your app. Hacker, webdev, speaker, engineer. Security shoptet.cz, ex-report-uri.com, ex-teenager. HTTPS = How To Transfer Private Sh💩. Also https://infosec.exchange/@spazef0rze

1,133 Followers  |  49 Following  |  73 Posts  |  Joined: 13.11.2024  |  1.9226

Latest posts by spazef0rze.bsky.social on Bluesky

Thanks for the (virtual) visit to the talk, I'm glad you liked it :-)

16.10.2025 14:58 — 👍 1    🔁 0    💬 0    📌 0
Automatic passkey creation in Chrome for Android | Blog | Chrome for Developers Chrome for Android can now automatically create passkeys after password sign-in, helping users transition to passkeys with less friction.

Chrome for Android can now help users adopt passkeys more seamlessly.

If a user signs in with a saved password, your website can request that an associated password manager (in many cases on Chrome this is Google Password Manager) creates a passkey automatically.

developer.chrome.com/blog/automat...

10.10.2025 03:47 — 👍 5    🔁 4    💬 0    📌 0
Upper part of the image is a Dilbert comic titled "Tour of Accounting" where in the first frame there's Dilbert presumably in hell, because there's a creature resembling a cute devil next to him. The creature is saying "Over here we have our random number generator." In the next frame there's another creature saying "Nine nine nine nine nine nine". In the last frame Dilbert asks "Are you sure that's random?" while the creature from the first frame responds "That's the problem with randomness, you can never be sure."

Below the strip is a screenshot of a code using a random number generator:
> random_int(0, 29)
= 9

> random_int(0, 29)
= 9

My random number generator just did a Dilbert

23.09.2025 23:17 — 👍 2    🔁 0    💬 0    📌 0

Did you know Facebook has a Certificate Transparency monitoring tool? Never mind then, they're shutting it down anyway :-) developers.facebook.com/tools/ct

18.09.2025 22:31 — 👍 0    🔁 0    💬 0    📌 0

You can configure it any way you want or need, but the extension comes with bundled configuration files you can use out of the box. One of them disallows dangerous functions like var_dump() or putenv(), while another one blocks insecure functions like hash() with MD5 github.com/spaze/phpsta...

14.09.2025 22:11 — 👍 3    🔁 1    💬 0    📌 0

Just noticed that my PHPStan extension to detect disallowed calls, methods, attributes, constants etc. has been installed more than 15M times, wow! Not bad for a weekend project (a long weekend since 2018). PHPStan itself has 300M installs, so 5% of all PHPStan installs use the extension, nice! :-)

14.09.2025 22:02 — 👍 6    🔁 0    💬 1    📌 0
Chrome Certificate Viewer displaying a certificate without the CN field: In "Issued To" it says "Common Name (CN) <Not Part Of Certificate>"

Chrome developer tools Security tab, the Subject field is empty when the certificate has no CN

Firefox certificate viewer says "(unknown)" in the tab title when viewing a certificate without a CN field.

Just got one certificate using the tlsserver profile and of course as expected, the browsers are doing just fine, they just omit the field (Chrome), or say unknown (Firefox, could be confusing though).

23.08.2025 23:50 — 👍 0    🔁 0    💬 0    📌 0

There's another @letsencrypt.bsky.social certificate type ("profile") that doesn't come with a CN (Common Name) field anymore: the tlsserver profile.

It's a 90 day cert, its properties "reflect the latest recommendations from the CA/Browser Forum Baseline Requirements, as well as general trends."

23.08.2025 23:50 — 👍 1    🔁 0    💬 1    📌 0
Profiles A profile is a collection of characteristics that describe both the validation process required to get a certificate, and the final contents of that certificate. For the vast majority of Let’s Encrypt...

Such certificates are not very common today, but they will be more common in the future. For example Let's Encrypt's short-lived 6 day certificates do not have the CN field letsencrypt.org/docs/profiles/

You can find a cert without the CN field for testing here letsencrypt.org/2025/02/20/f...

23.08.2025 14:28 — 👍 0    🔁 0    💬 1    📌 0

HTTPS certificates can exist without the CN (Common Name) field. It's not used for validation, instead browsers use the SAN (Subject Alternative Names) field.

But if your tool uses CN for anything, e.g. to show a "name" for management purposes, check whether the tool works with CN-less certificates

23.08.2025 14:28 — 👍 1    🔁 1    💬 1    📌 0
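One way to run that check, as an added example that is not part of the original posts: a small POSIX shell helper that derives a display name from the first DNS SAN when the CN is absent, exercised against a throwaway CN-less certificate generated locally with openssl (the file names and example hostnames are assumptions, and the empty subject only mimics the shape of the Let's Encrypt profiles mentioned above).

```shell
#!/bin/sh
# Added example (not from the original posts): a display-name helper that does
# not assume a Common Name exists, tested against a throwaway CN-less
# certificate. Requires openssl 1.1.1+; file names and hostnames are assumptions.
set -eu

# Generate a self-signed test certificate with the given subject and SAN list.
# An empty subject ("/") produces a CN-less certificate like the ones discussed.
make_test_cert() {  # usage: make_test_cert <out-prefix> <subject> <san-list>
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.pem" -days 1 -subj "$2" \
    -addext "subjectAltName=$3" >/dev/null 2>&1
}

# Name to show for a certificate: the CN when present, otherwise the first
# DNS SAN. A tool that only reads the CN would show nothing for CN-less certs.
cert_display_name() {  # usage: cert_display_name <cert.pem>
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  if [ -n "$cn" ]; then
    printf '%s\n' "$cn"
    return 0
  fi
  # Fallback: first DNS entry of the subjectAltName extension
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | sed -n 's/^ *DNS:\([^,]*\).*/\1/p' | head -n 1
}

# Demo run: both certificates get a usable name.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/cnless" "/" "DNS:www.example.test,DNS:example.test"
make_test_cert "$demo_dir/withcn" "/CN=with-cn.example.test" "DNS:with-cn.example.test"
cert_display_name "$demo_dir/cnless.pem"
cert_display_name "$demo_dir/withcn.pem"
```

The SAN fallback is what browsers effectively do anyway; the point of the helper is that management UIs, inventory scripts and alerting rules keep producing a name once the CN disappears.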

420: Czech your DNS cache (420 is the CZ phone country code and this is a lame joke of mine 😅)

08.08.2025 17:10 — 👍 0    🔁 0    💬 0    📌 0

😅

08.08.2025 12:02 — 👍 0    🔁 0    💬 0    📌 0
"Refresh DNS" RFC draft as written by ChatGPT because bots frustrate me - "Refresh DNS" RFC draft prompt.txt

Here's a draft written by ChatGPT 😁 It has defined the new code 432 and even a new media type application/dns-refresh+json that would provide more details on why you feel the client should refresh their cache gist.github.com/spaze/c1e100...

08.08.2025 11:26 — 👍 2    🔁 0    💬 1    📌 0

There should be an HTTP response code in the 4xx range that would instruct the client to refresh their stale DNS records. Even after 48 hours some bots (looking at you Palo Alto Networks) are using the old IP for a hostname, while the DNS records have TTL of 5 minutes or so.

08.08.2025 11:26 — 👍 2    🔁 0    💬 2    📌 0
Someone in my DMs:
Hi Do you have any debit card information you can share with me? I’m struggling atm. Need help

Me:
Yeah, it’s a matte plastic Visa debit card, issued by a local bank. Made in 2024. The chip’s shiny. Hope that helps!

Here's one piece of information for you: you should be more specific when phishing IT folks

01.08.2025 15:15 — 👍 2    🔁 0    💬 0    📌 0
Compromised Donor Emails: A post-mortem – Pi-hole

GiveWP (the donations WordPress plugin) managed to leak donors' emails into the donation form. And then they managed to mess up the communication :-( Nice summary of the problem on the Pi-hole blog, as they were one of the affected sites pi-hole.net/blog/2025/07... Go and learn how to communicate.

01.08.2025 14:56 — 👍 0    🔁 0    💬 0    📌 0

Absolutely! I hope that translates to free data transfers! Or maybe not 😅

01.08.2025 14:54 — 👍 0    🔁 0    💬 0    📌 0
A Linux login screen after signing in, shows "Temperature: -273.1 C"

Setting up a new server and I'm so happy I can do it remotely because it must be absolutely cold in the data center

29.07.2025 15:14 — 👍 2    🔁 0    💬 1    📌 0

My last name (Špaček) means starling in Czech. This guy used my veeery distant relative to store an image, nice 😁 Looking forward to an update to RFC 1149 where you don't need a small scroll of paper but instead use the carrier itself to store the data.

28.07.2025 17:32 — 👍 0    🔁 0    💬 1    📌 0

Just remembered Wolf3D had no multiplayer, but a friend of mine and I still managed to play it co-op style: the two of us were sitting at one computer, he was using the arrow keys to navigate, I was using the spacebar to shoot. I also remember the headache after many hours of nonstop action 😅

26.07.2025 18:11 — 👍 2    🔁 0    💬 1    📌 0
id Software - Wikipedia

I was today years old when I found out that the name of the company that created Wolfenstein 3D and Doom, id Software, is pronounced "id software", "id" as in "kid", not "eye dee software". That's some 30 years after playing the games...
en.wikipedia.org/wiki/Id_Soft...

26.07.2025 18:05 — 👍 5    🔁 0    💬 1    📌 0

Git reflog is a log of what happened in your repo. Committed this, amended that, reset to this etc. It has references (the "ref" in reflog) which you can use to get back to a previous state of your repository. For me, a highly useful feature, probably not that well known. It has saved me many times.

23.07.2025 21:30 — 👍 2    🔁 0    💬 0    📌 0

It's been 0 days since git reflog saved my ass (and files) again. Instead of "rebase this branch", I did "reset this branch", losing my commits. `git reflog`, find out what happened (reset at {46} and {48} in the pic), then `git branch name id` (id ends with 67 at {50}), commits are back.

23.07.2025 21:30 — 👍 6    🔁 1    💬 1    📌 0
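The recovery described above, replayed in a throwaway repository as an added example (not from the original posts): the reflog entry just before the `reset:` line is the pre-reset tip, and pointing a new branch at it brings the commits back. The repository, file names, commit messages and branch name are constructed for the demo; it needs only git.

```shell
#!/bin/sh
# Added example (not from the original posts): reproduce "reset instead of
# rebase" in a temporary repository and recover the commits from the reflog.
set -eu

demo_reflog_recovery() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email dev@example.test
  git -C "$repo" config user.name dev

  # Three commits on the branch (constructed content)
  for n in 1 2 3; do
    echo "change $n" > "$repo/file$n.txt"
    git -C "$repo" add "file$n.txt"
    git -C "$repo" commit -q -m "commit $n"
  done
  lost_tip=$(git -C "$repo" rev-parse HEAD)

  # The accident: "reset this branch" instead of "rebase this branch".
  # HEAD now points at "commit 1"; commits 2 and 3 are unreachable from any branch.
  git -C "$repo" reset -q --hard HEAD~2

  # The reflog still records every move of HEAD, the reset included.
  # Show it (to stderr, so the function's stdout stays the result):
  git -C "$repo" reflog >&2

  # Recovery: the entry right below the "reset:" line is the pre-reset state.
  reset_line=$(git -C "$repo" reflog | grep -n ' reset: ' | head -n 1 | cut -d: -f1)
  previous=$(git -C "$repo" reflog | sed -n "$((reset_line + 1))p" | cut -d' ' -f1)
  git -C "$repo" branch recovered "$previous"

  # Sanity check: the new branch points at exactly the tip we lost.
  [ "$(git -C "$repo" rev-parse recovered)" = "$lost_tip" ] || return 1
  git -C "$repo" rev-list --count recovered
}

demo_reflog_recovery
```

The function prints the commit count on the recovered branch (3 here) and fails if the recovered tip differs from the one lost by the reset; in a real incident `git reflog` alone plus `git branch <name> <id>` is the whole procedure, exactly as in the post.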
A screenshot from a terminal with a curl output that shows an HTTP response with "HTTP/1.1 404 This is a not found page source trust me bro" HTTP status code and reason, followed by some other standard HTTP response headers like Date, Content-Type, Transfer-Encoding and Connection, all with rather expected values.

What do you do when you can't sleep? I fine-tune my HTTP reasons 💀

09.07.2025 00:53 — 👍 2    🔁 0    💬 0    📌 0
Screenshot of ChatGPT sending me my temp pic, my reaction "fuck me thats cool" with ChatGPT responding back with some JSON.

I asked ChatGPT to generate a temp profile picture for me and when I praised the creation it didn't know what to say, so it gave me back some JSON with a prompt that resembled my instructions. ChatGPT then claimed, multiple times, that I asked for the JSON 😁 I hadn't talked about JSON before.

07.07.2025 21:11 — 👍 2    🔁 0    💬 0    📌 0

Stored XSS via an archive file stored in a RAR archive, nice 😁 Fixed in WinRAR 7.12 released yesterday.

26.06.2025 17:50 — 👍 3    🔁 0    💬 0    📌 0

Oops, being a web developer can be dangerous! 🤣

25.06.2025 15:58 — 👍 3    🔁 0    💬 0    📌 0

I have a battery-powered outdoor camera; it can last several weeks on a single charge in that environment. But suddenly the battery went from 20% to 0% overnight. I was curious what happened so I checked the last pic it had recorded. Yeah, thanks little fella 😂

25.06.2025 15:03 — 👍 2    🔁 0    💬 1    📌 0
The 16-billion-record data breach that no one’s ever heard of Researchers discovered 16 billion exposed login credentials from infostealer malware, creating unprecedented risks for account takeovers.

1) I call BULLSHIT on this latest claim of a 16-billion record data breach "that no one's ever heard of".

Let me explain why (thread).

cc @dangoodin.bsky.social

cybernews.com/security/bil...

19.06.2025 21:10 — 👍 16    🔁 4    💬 4    📌 2

Oh, I can also see it spinning on one of my sites, but not on the other even if both are the same codebase, the same app. Also found yet another .cz site where the icon spins. Spooky.

11.05.2025 21:30 — 👍 1    🔁 0    💬 0    📌 0
