@toddhgardner
Created December 19, 2025 19:20
Abstract for a new talk on WebPKI in 2026

Everything you learned about SSL is deprecated

Remember your first HTTPS server? RSA keys, year+ certificates, and some openssl incantation you copied from StackOverflow. That's all outdated now.

TLS 1.3 threw out decades of cipher complexity. Snowden leaks moved Perfect Forward Secrecy from optional to mandatory. Let's Encrypt made certificates a free API call. And browser vendors are pushing certificate lifetimes down to 47 days.

This talk is a tour of modern SSL/TLS. We'll cover what changed, why it changed, and what breaks if you don't make updates.

@BrandesEric

Dude this is perfect. I forgot about the cipher simplification too. Man did that old list of ciphers get gnarly and long.

@robconery

Ha ha you know me I can't resist an open call for abstract feedback! Some thoughts...

Remember your first HTTPS server? RSA keys, year+ certificates, and some openssl incantation you copied from StackOverflow. That's all outdated now

I might suggest landing this more in the form of an empathy hook. Something like "In the early 2000s we learned that setting up SSL for our clients or projects took a load of time, money, and patience. It was worth it, however, because it made the web better. All those skills, however, are now sitting on a bookshelf in my head next to my copy of SOME_OBSCURE_BOOK."

I think this is an interesting opener - but it could also be stronger WRT the problem you're trying to solve. Do people need to know how Let's Encrypt works in order to use it? Nowadays all of this is handled for people - including the renewal. What they might not know is the difference between RSA and something like elliptical curve, which is what Cloudflare gives you (and what it prefers). They also might not know why 256 needs to be phased out in favor of 512 or stronger, and why that's important.

You could even go deeper into how asymmetric key encryption works, and how quantum machines might be able to crack 256 in a very short time. Either way - I would suggest a stronger hook :).

@toddhgardner

Thanks so much for the feedback @robconery!

What has surprised me in the past year is how much infrastructure still deals with certificates directly. Not so much the new systems built in the cloud, but a huge number of important systems still running on-prem and requiring RSA certificates for obscure reasons. This talk is targeting those folks primarily, and everything that changed while they weren't paying attention.

Asymmetric keys and quantum are definitely in scope for the talk.

How about this for a better hook?

Most of us learned certificates through Stack Overflow and tribal knowledge. Enough to make the padlock appear, not enough to really explain why. That was just fine when certificates lasted a year, but that's about to end.
