“Groovy Motherfucker”

This is A Big Deal. Makes stealing session cookies from other computers on your local network as easy as clicking a button. Will be interesting to see how big sites respond. Are we finally going to see HTTPS deployed on all pages?

MD5 collisions can be used to make SSL certificates that modern browsers will trust for any domain. This is a: Bad Thing.

OpenID provider which uses SSL client certificates, not passwords, to authenticate. Doesn’t work terribly well (I haven’t successfully logged in anywhere with it!), but a clever idea for an unphishable OpenID. [Update: I’ve got it working a couple of places now. Not clear at whose end the remaining bugs lie.]

This isn’t a bad deal at all: $15 for an SSL certificate recognized as valid by any moderately-recent webbrowser. Perfect for your home-run webmail server.