“groovy mother...”

MD5 collisions can be used to make SSL certificates that modern browsers will trust for any domain. This is a: Bad Thing.

OpenID provider which uses SSL client certificates, not passwords, to authenticate. Doesn’t work terribly well (I haven’t successfully logged in anywhere with it!), but a clever idea for an unphishable OpenID. [Update: I’ve got it working a couple of places now. Not clear at whose end the remaining bugs lie.]

This isn’t a bad deal at all: $15 for an SSL certificate recognized as valid by any moderately-recent webbrowser. Perfect for your home-run webmail server.