Michal Špaček

HTTPS certificate industry phasing out less secure domain validation methods Posted by Chrome Root Program Team Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the...

When issuing a HTTPS certificate, the CA needs to make sure you own the domain, and one of the many methods is via email where they'll email you a link. This method will be discouraged in March 2026, disabled in March 2028. See security.googleblog.com/2025/12/http... + cabforum.org/2025/11/20/b...

GitHub - sharkdp/bat: A cat(1) clone with wings. A cat(1) clone with wings. Contribute to sharkdp/bat development by creating an account on GitHub.

Instead of `cat`, I use `bat`, "a cat(1) clone with wings." github.com/sharkdp/bat

It supports syntax, line nrs, git etc. I have it aliased to `cat`.

If you'd like to concat multiple files into one (`cat 1 2 3 > foo`), you should run the original like `\cat`, seems faster, in my case up to 10x.

GitHub - BurntSushi/ripgrep: ripgrep recursively searches directories for a regex pattern while respecting your gitignore ripgrep recursively searches directories for a regex pattern while respecting your gitignore - BurntSushi/ripgrep

Best news I've discovered today is that ripgrep is also available for Windows and you can install it with winget (winget install ripgrep). ripgrep is like the grep utility in Linux, but a bit faster, it also accepts grep's params github.com/burntsushi/r...

Michal Špaček: Password Reuse Is a Dumpster Fire – We Brought a Hose YouTube video by Per Thorsheim

Michal Špaček @spazef0rze.bsky.social presenting his talk "Password Reuse Is a Dumpster Fire – We Brought a Hose" at #PasswordsCon in Prague, December 2, 2025.

youtu.be/AuCNgoDf-5c

Looking at my access logs, the easiest way to block web scanners & bots is to block requests with a User-Agent header that says "old browser" where old is -10 major versions and older😁 For example Chrome is v142 and bots use Chrome/120, 116 etc. It's mostly a fun idea but it seems like I need a PoC😅

TIL that OCI stands for "Oracle Cloud Infrastructure" and also "Open Container Initiative". I've first learned about the former ("Oracle Cloud Infrastructure") and just spent 5 minutes trying to understand a bug where they used OCI in the latter meaning ("resolves remote OCI artifacts")

Díky za (virtuální) návštěvu přednášky, těší mě, že se líbila :-)

Automatic passkey creation in Chrome for Android  |  Blog  |  Chrome for Developers Chrome for Android can now automatically create passkeys after password sign-in, helping users transition to passkeys with less friction.

Chrome for Android can now help users adopt passkeys more seamlessly.

If a user signs in with a saved password , your website can request that an associated password manager (in many cases on Chrome is Google Password Manager) creates a passkey automatically.

developer.chrome.com/blog/automat...

My random number generator just did a Dilbert

Did you know Facebook has a Certificate Transparency monitoring tool? Never mind then, they're shutting it down anyway :-) developers.facebook.com/tools/ct

You can configure it any way you want or need, but the extension comes with a bundled configuration files you can use out of the box. One of them disallows dangerous functions like var_dump() or put_env(), while another one blocks insecure functions like hash() with MD5 github.com/spaze/phpsta...

Just noticed that my PHPStan extension to detect disallowed calls, methods, attributes, constants etc. has been installed more than 15M times, wow! Not bad for a weekend project (a long weekend since 2018). PHPStan itself has 300M installs, so 5% of all PHPStans installs use the extension, nice! :-)

Just got one certificate using the tlsserver profile and of course as expected, the browsers are doing just fine, they just omit the field (Chrome), or say unknown (Firefox, could be confusing though).

There's another @letsencrypt.bsky.social certificate type ("profile") that doesn't come with a CN (Common Name) field anymore: the tlsserver profile.

It's a 90 day cert, its properties "reflect the latest recommendations from the CA/Browser Forum Baseline Requirements, as well as general trends."

Profiles A profile is a collection of characteristics that describe both the validation process required to get a certificate, and the final contents of that certificate. For the vast majority of Let’s Encrypt...

Such certificates are not very common today, but they will be more common in the future. For example Let's Encrypt's short-lived 6 day certificates do not have the CN field letsencrypt.org/docs/profiles/

You can find a cert without the CN field for testing here letsencrypt.org/2025/02/20/f...

HTTPS certificates can exist without the CN (Common Name) field. It's not used for validation, instead browsers use the SAN (Subject Alternative Names) field.

But if your tool uses CN for anything, e.g. to show a "name" for management purposes, check whether the tool works with CN-less certificates

420: Czech your DNS cache (420 is the CZ phone country code and this is a lame joke of mine 😅)

😅

"Refresh DNS" RFC draft as written by ChatGPT because bots frustrate me "Refresh DNS" RFC draft as written by ChatGPT because bots frustrate me - "Refresh DNS" RFC draft prompt.txt

Here's a draft written by ChatGPT 😁 It has defined the new code 432 and even a new media type application/dns-refresh+json that would provide more details on why do you feel the client should refresh their cache gist.github.com/spaze/c1e100...

There should be an HTTP response code in the 4xx range that would instruct the client to refresh their stale DNS records. Even after 48 hours some bots (looking at you Palo Alto Networks) are using the old IP for a hostname, while the DNS records have TTL of 5 minutes or so.

Here's one information for you: should be more specific when phishing IT folks

GiveWP (the donations WordPress plugin) managed to leak donors' emails into the donation form. And then they managed to mess up the communication :-( Nice resume of the problem at the Pi-hole blog as they were one of the affected sites pi-hole.net/blog/2025/07... Go and learn how to communicate.

Absolutely! I hope that translates to free data transfers! Or maybe not 😅

Setting up a new server and I'm so happy I can do it remotely because it must be absolutely cold in the data center

My last name (Špaček) means starling in Czech. This guy used my veeery distant relative to store an image, nice 😁 Looking forward to an update to RFC 1149 where you don't need a small scroll of paper but instead use the carrier itself to store the data.

Just remembered Wolf3D had no multiplayer, but we've still managed to play it co-op style with a friend of mine: the two of us were sitting at one computer, he was using the arrow keys to navigate, I was using the spacebar to shoot. I also remember the headache after many hours of nonstop action 😅

id Software - Wikipedia

I was today years old when I found out that the name of the company who's created Wolfenstein 3D and Doom, id Software, is pronounced "id software", "id" as in "kid", not "eye dee software" That's some 30 years after playing the games...
en.wikipedia.org/wiki/Id_Soft...

Git reflog is a log of what happened in your repo. Commited this, amended that, reset to this etc. It has references (the "ref" in reflog) which you can use to get back to a previous state of your repository. For me, a highly useful feature, probably not that well known. It has saved me many times.

It's been 0 days since git reflog saved my ass (and files) again. Instead of rebase this branch, I did reset this branch, losing my commits. `git reflog`, find out what happened (reset at {46} and {48} in the pic), then `git branch name id` (id ends with 67 at {50}, commits are back.

What do you do when you can't sleep? I fine-tune my HTTP reasons 💤