Security on Brad's Blog

Signal adds Post-Quantum SPQR Protocol

Mon, 17 Nov 2025 19:02:19 +1100

Overview

Signal has added post-quantum cryptography with a new protocol called the SPQR (Sparse Post-Quantum Ratchet). This combines with Signal’s existing Double Ratchet to form a Triple Ratchet system.

Signal uses the quantum-secure Key-Encapsulation Mechanism (ML-KEM 768) algorithm alongside traditional elliptic curve cryptography, which means attackers need to break both elliptic curve and ML-KEM cryptography to read messages.

Signal are rolling out this new protocol in multiple phases - initially allowing older non-SPQR clients to interact with up-to-date clients and for older sessions (which might last for years) to continue working. In their final phase (once Signal have determined that all clients support the new protocol) older sessions will be upgraded to use SPQR. These phases are being planned to ensure nothing changes from an end-user experience.

AI-Powered Spreadsheet Macro Security Analysis with Claude SDK

Thu, 13 Nov 2025 17:32:24 +1100

Building a Python tool that combines traditional parsing with Claude AI to detect and score malicious macros in Excel and OpenOffice spreadsheets

Post-Quantum Cryptography (PQC) and SSH/TLS

Fri, 31 Oct 2025 17:38:31 +0000

Preparing for the Quantum Future: A Practical Guide to Post-Quantum Cryptography

TL;DR

Advances in quantum processing capabilities are rapidly bringing forward the estimated date that a cryptographically relevant quantum computer (CRQC) will be available and previously strong encryption algorithms will be broken. With the recommended date for ceasing the use of traditional asymmetric cryptography now only years away in 2030, “Harvest now, decrypt later” attacks mean switching to Post-Quantum Cryptography (PQC) strong encryption algorithms is something to do today.

Project-Based MCP: Targeted on-demand AI Integration

Mon, 16 Jun 2025 15:40:33 +0000

Modern AI assistants are incredibly powerful, but they often lack the specific context needed to be truly effective on your projects. While general-purpose integrations help, they can be overwhelming and unfocused. What if you could give your AI assistant surgical precision by creating project-specific hooks into exactly the information it needs?

Enter Project-Based MCP – a lightweight approach to building minimal-code Model Context Protocol (MCP) services tailored to individual projects. Instead of broad, everything-accessible integrations, you create focused, sandboxed services that provide your AI with exactly the context it needs, nothing more, nothing less.

openssl s_client - SNI testing with -servername

Mon, 13 May 2019 14:05:37 +0000

When testing network connections to a server using the TLS SNI extension to allow a single IP address to respond with different certificates the openssl s_client program supports this with the -servername command-line option:

-servername name Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value. If -servername is not provided, the TLS SNI extension will be populated with the name given to -connect if it follows a DNS name format. If -connect is not provided either, the SNI is set to “localhost”. This is the default since OpenSSL 1.1.1. Even though SNI should normally be a DNS name and not an IP address, if -servername is provided then that name will be sent, regardless of whether it is a DNS name or not. This option cannot be used in conjunction with -noservername.

Which ssh publickey was used to access an account

Mon, 10 Jul 2017 01:23:25 +0000

When you have more than one public key set up to be able to access a single account (ie more than one public key listed in the authorized_keys you may want to check which public key was used to make a login). Since openssh 6.3 (released 2013) the public key fingerprint is logged - for example the below shows a set of made up “Accepted publickey” entries from an ssh auth.log:

Protecting Joomla : User-Registration Spam Relay

Sat, 18 Jul 2015 10:35:05 +0000

The Problem: A Default Setting

By default user registration is enabled. It’s important to realise that even though links to the user registration page may not have been included in the design of a Joomla site the components are still present and they will be regularly targetted by automatic spiders searching for vulnerable sites. Check access logs for requests to paths like:

/index.php/shop-login
/index.php/shop-login?view=registration&layout=complete
/index.php/component/users/?view=registration
/index.php/component/user/?task=register
/index.php?option=com_user&view=register

With user registration enabled scripts can use a Joomla site as an open mail relay by registering users with target email addresses and inserting spam/attack payload into the user details. The Joomla site will send a confirmation email to the target email address, and any email tracing of the source of the email will lead directly to the weakened Joomla server.