Michal Špaček
@spazef0rze.bsky.social
In your web, securing your app. Hacker, webdev, speaker, engineer. Security shoptet.cz, ex-report-uri.com, ex-teenager. HTTPS = How To Transfer Private Sh💩. Also https://infosec.exchange/@spazef0rze
Pinned
Michal Špaček
@spazef0rze.bsky.social
· Nov 15
Origin, site, eTLD, eTLD+1, public suffix, PSL. What are they?
We call it pages, domains, servers, websites, internets and we hope the other party will understand. Maybe, maybe not, but that can always be cleared with the additional “wait, a server, don't you mea...
www.michalspacek.com
Origin, site, eTLD, eTLD+1 and PSL are the terms I use in almost every post or talk and I needed a place to explain and compare them. This post started as a talk about something completely different, so... now I have to write the original one, too 😅 www.michalspacek.com/origin-site-...
TIL that OCI stands for "Oracle Cloud Infrastructure" and also "Open Container Initiative". I've first learned about the former ("Oracle Cloud Infrastructure") and just spent 5 minutes trying to understand a bug where they used OCI in the latter meaning ("resolves remote OCI artifacts")
October 29, 2025 at 8:57 PM
Reposted by Michal Špaček
Chrome for Android can now help users adopt passkeys more seamlessly.
If a user signs in with a saved password, your website can request that an associated password manager (in many cases on Chrome is Google Password Manager) creates a passkey automatically.
developer.chrome.com/blog/automat...
Automatic passkey creation in Chrome for Android | Blog | Chrome for Developers
Chrome for Android can now automatically create passkeys after password sign-in, helping users transition to passkeys with less friction.
developer.chrome.com
October 10, 2025 at 3:47 AM
My random number generator just did a Dilbert
September 23, 2025 at 11:17 PM
Did you know Facebook has a Certificate Transparency monitoring tool? Never mind then, they're shutting it down anyway :-) developers.facebook.com/tools/ct
September 18, 2025 at 10:31 PM
Just noticed that my PHPStan extension to detect disallowed calls, methods, attributes, constants etc. has been installed more than 15M times, wow! Not bad for a weekend project (a long weekend since 2018). PHPStan itself has 300M installs, so 5% of all PHPStan installs use the extension, nice! :-)
September 14, 2025 at 10:02 PM
HTTPS certificates can exist without the CN (Common Name) field. It's not used for validation, instead browsers use the SAN (Subject Alternative Names) field.
But if your tool uses CN for anything, e.g. to show a "name" for management purposes, check whether the tool works with CN-less certificates
August 23, 2025 at 2:28 PM
There should be an HTTP response code in the 4xx range that would instruct the client to refresh their stale DNS records. Even after 48 hours some bots (looking at you Palo Alto Networks) are using the old IP for a hostname, while the DNS records have TTL of 5 minutes or so.
August 8, 2025 at 11:26 AM
Here's one information for you: should be more specific when phishing IT folks
August 1, 2025 at 3:16 PM
GiveWP (the donations WordPress plugin) managed to leak donors' emails into the donation form. And then they managed to mess up the communication :-( Nice resume of the problem at the Pi-hole blog as they were one of the affected sites pi-hole.net/blog/2025/07... Go and learn how to communicate.
Compromised Donor Emails: A post-mortem – Pi-hole
pi-hole.net
August 1, 2025 at 2:56 PM
Setting up a new server and I'm so happy I can do it remotely because it must be absolutely cold in the data center
July 29, 2025 at 3:14 PM
My last name (Špaček) means starling in Czech. This guy used my veeery distant relative to store an image, nice 😁 Looking forward to an update to RFC 1149 where you don't need a small scroll of paper but instead use the carrier itself to store the data.
New doc releases today!
- Ultrasonic recording of a starling that can record and playback virtually any sound
- Analyzing incredible slowed-down bird songs
- Showing you how to do this (and way more) on the cheap
youtu.be/hCQCP-5g5bo
I Saved a PNG Image To A Bird
YouTube video by Benn Jordan
youtu.be
July 28, 2025 at 5:32 PM
I was today years old when I found out that the name of the company that created Wolfenstein 3D and Doom, id Software, is pronounced "id software", "id" as in "kid", not "eye dee software". That's some 30 years after playing the games...
en.wikipedia.org/wiki/Id_Soft...
id Software - Wikipedia
en.wikipedia.org
July 26, 2025 at 6:05 PM
It's been 0 days since git reflog saved my ass (and files) again. Instead of rebase this branch, I did reset this branch, losing my commits. `git reflog`, find out what happened (reset at {46} and {48} in the pic), then `git branch name id` (id ends with 67 at {50}), commits are back.
July 23, 2025 at 9:30 PM
What do you do when you can't sleep? I fine-tune my HTTP reasons 💤
July 9, 2025 at 12:53 AM
I've asked ChatGPT to generate me a temp profile picture and when I've praised the creation it didn't know what to say, so it gave me back some JSON with a prompt that has resembled my instructions. ChatGPT then claimed, multiple times that I asked for the JSON 😁 I haven't talked about JSON before.
July 7, 2025 at 9:12 PM
Stored XSS via an archive file stored in a RAR archive, nice 😁 Fixed in WinRAR 7.12 released yesterday.
June 26, 2025 at 5:50 PM
I have a battery powered outdoor camera, it can last several weeks on a single charge in that environment. But suddenly, the battery went from 20% to 0% overnight. I was curious what happened so I checked the last pic it has recorded. Yeah, thanks little fella 😂
June 25, 2025 at 3:03 PM
Reposted by Michal Špaček
1) I call BULLSHIT on this latest claim of a 16-billion record data breach "that no one's ever heard of".
Let me explain why (thread).
cc @dangoodin.bsky.social
cybernews.com/security/bil...
The 16-billion-record data breach that no one’s ever heard of
Researchers discovered 16 billion exposed login credentials from infostealer malware, creating unprecedented risks for account takeovers.
cybernews.com
June 19, 2025 at 9:10 PM
My mobile Chrome got bored and started spinning the site settings icon whenever I reload the page. It does that on 2nd reload but only on this particular site. What sorcery is that? What is Chrome trying to tell me? I don't see anything unusual when I click it. Or am I just tripping?
May 11, 2025 at 9:25 PM
When your boss tells you to go phishing but you can't just be bothered today.
May 8, 2025 at 3:56 PM
Reposted by Michal Špaček
🔐 Discover how Sec-HTTP headers and Content Security Policy (CSP) can help you create fast, good, and cheap solutions all at once.
At WebExpo 2024, @spazef0rze.bsky.social explained how fetch metadata protects public tools like an internal email generator without needing extra logins.
Content Security Policy & fetch metadata: Your new security Swiss-army knife
May 28-30, 2025
webexpo.net
May 5, 2025 at 6:26 AM
CA/B Forum, a group of certificate authorities and browsers, voted for reducing HTTPS server certificate validity period from 398 days to 47 days eventually. The changes are currently in a review period, soon to be added to the so called Baseline Requirements.
April 16, 2025 at 2:25 PM
Certbot, the tool to get HTTPS certificates from Let's Encrypt and other CAs, has released version 4.0. Notable changes are the support for profiles, which is how you can select which certificate type you'd like. The 6-day certificates from Let's Encrypt later this year will be a special profile.
Release Certbot 4.0.0 · certbot/certbot
Added
The --preferred-profile and --required-profile flags allow requesting a profile.
https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
Changed
Certificates now renew with 1/3rd of l...
github.com
April 8, 2025 at 4:47 PM
It doesn't happen very often, but a new timezone was created earlier this year in March. It's called America/Coyhaique and has been created because a region called Aysén has stopped shifting from UTC-4 to -3 and will stay UTC-3 all year round, joining the Magallanes region below.
April 8, 2025 at 3:36 PM
PHP has a function to compare two hashes (non-password hashes): hash_equals.
It has two parameters: known_string and user_string and I never knew which one is which, because even the known_string was a user string once 😅
The manual page was rewritten some time ago and it's now much better:
March 14, 2025 at 7:32 PM
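An added example, not part of the post above and not taken from the PHP manual, of which argument is which: the HMAC the server recomputes itself is the known_string, and the signature that arrived with the request is the user_string. The constant DEMO_SECRET, the functions signPayload and verifyPayload and the sample payload are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. It shows the rule of thumb
// for the two hash_equals() parameters: known_string is the value the server
// computed itself, user_string is the value that arrived with the request.

// Constructed demo secret; a real one comes from configuration, never source.
const DEMO_SECRET = 'constructed-demo-secret';

/** Sign a payload the way a server would when issuing a token or a webhook. */
function signPayload(string $payload): string
{
    return hash_hmac('sha256', $payload, DEMO_SECRET);
}

/**
 * Verify a signature supplied by a client.
 *
 * hash_equals() compares the contents in constant time, but returns false
 * as soon as the lengths differ, so it can leak the length of known_string.
 * That is harmless for a hex HMAC digest we generated ourselves, and it is
 * why the server-computed value goes first and the user-supplied value second.
 */
function verifyPayload(string $payload, string $userSuppliedSignature): bool
{
    $knownSignature = signPayload($payload);                      // known_string
    return hash_equals($knownSignature, $userSuppliedSignature);  // user_string
}

$payload = '{"user":42,"action":"download"}';  // constructed sample payload
$validSignature = signPayload($payload);

var_dump(verifyPayload($payload, $validSignature));          // genuine signature
var_dump(verifyPayload($payload, strrev($validSignature)));  // tampered signature
var_dump(verifyPayload($payload, 'too-short'));              // wrong length
var_dump(verifyPayload('{"user":43}', $validSignature));     // tampered payload
```

The ordering matters only for the timing side channel: swapping the arguments still returns the right boolean, but then the early length check leaks how long the attacker's guess has to be rather than the length of a value we already know.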