Privacy, encryption,
and secure communication.
Practical writing on the tools, protocols, and trade-offs behind private communication — without the marketing spin.
Infostealers and Stolen Sessions: Why Your Password Wasn't the Point
You did everything right — long password, 2FA, a password manager — and an attacker still logged in as you, without a password or a 2FA prompt. A whole class of commodity malware skips your login entirely and steals the cookie that proves you already logged in. How pass-the-cookie defeats MFA, and what actually stops it.
TLS Fingerprinting: How JA3 and JA4 Identify You Before You Send a Byte
Encryption hides your connection's contents, but the handshake that sets it up happens in the clear — and its exact shape identifies your software. JA3 and JA4 turn that shape into a fingerprint that can route, throttle, or block you on the spot. How it works, why JA3 broke, and what the redesign fixed.
SMTP Smuggling: How a Disagreement Over One Line Let Attackers Forge Email
SPF, DKIM, and DMARC are supposed to make sender spoofing impossible. In late 2023 a researcher slipped past all three at once — not by breaking any of them, but by exploiting a quiet disagreement between mail servers about where one message ends and the next begins.
Hardware Security Modules: Where the Keys That Protect Everything Actually Live
The keys behind TLS certificates, payment networks, and code signing don't sit in a file. They live inside tamper-resistant hardware engineered to erase its own contents rather than reveal them. A practical look at HSMs, FIPS levels, and the same idea shrunk into your phone.
Privacy Pass: Proving You're Human Without Being Tracked
Use Tor, a VPN, or a privacy browser and you get punished with endless CAPTCHAs — because the traits that protect you also make you look like a bot. Privacy Pass uses blind signatures to let you prove you earned trust, without the verifier ever learning who you are or linking your visits together.
The Privacy Sandbox and the Topics API: How the Browser Itself Became the Ad Profiler
The third-party cookie had to die — everyone agreed. Google's answer was to move ad profiling out of external trackers and into the one piece of software that sees everything you do online: your own browser. Whether that's a privacy win or a more efficient surveillance machine depends entirely on what you measure.
Global Privacy Control: The One-Setting Opt-Out That Actually Has Legal Teeth
Most privacy toggles are theater. GPC is the rare exception: a single browser signal that tells every site "do not sell or share my data" — and in California and a growing list of states, a business that ignores it is breaking the law. How it works, and exactly where it stops.
How Password Breach Checkers Look You Up Without Learning Your Password
"Type your password here and we'll tell you if it leaked" sounds like the worst security advice imaginable. Yet password managers do this check constantly without ever learning your password. The trick is a beautifully simple protocol called a k-anonymity range query.
Cwtch: The Messenger That Tries to Hide the Metadata, Not Just the Message
E2E encryption hides what you say but usually leaks who you talked to, when, and how often — and that pattern is often the more dangerous exposure. Cwtch is built on Tor onion services and untrusted servers to attack the metadata problem directly. An honest look at how, and what it costs.
ARC Explained: How Email Survives Mailing Lists Without Failing DMARC
You set up SPF, DKIM, and strict DMARC. Then a mailing list rewrites your subject and adds a footer, and your own rules bounce mail everyone wanted delivered. The Authenticated Received Chain is the standard built to fix exactly this — in a way that quietly runs on trust.
Evil Maid Attacks: When Full-Disk Encryption Isn't Enough
You encrypt your laptop, power it off, and leave it in a hotel room. The disk is unreadable — so the data is safe, right? Not against an attacker who can touch the powered-off machine, hand it back, and wait for you to type your passphrase into tampered boot code. Why two visits break the whole model, and what measured boot actually buys you.
ChaCha20-Poly1305 vs AES-GCM: Two Ways to Encrypt Everything
Every TLS connection picks one of two authenticated ciphers. Both are secure — so why does the internet need both, and why might your phone reach for one while your laptop reaches for the other? A small, instructive lesson in how cryptography meets hardware.
Session Messenger: No Phone Number, Onion Routing, Real Trade-offs
Session throws the phone number away entirely, gives you a random anonymous ID, and routes every message through an onion network. An honest look at what that buys you, what it costs, and who it's actually for.
RPKI: Putting Cryptographic Locks on Internet Routing
BGP runs the internet on blind trust — any network can claim to own any address block. RPKI adds a cryptographic check on who's allowed to. How Route Origin Validation works, and the path-forgery attacks it still can't stop.
Pi-hole: Network-Wide Tracker Blocking at the DNS Layer
A browser ad blocker protects one browser. A Pi-hole protects everything on your network — including the smart TV and IoT gadgets you can't install software on. How DNS sinkholing works, what it can't do, and where it fits in a privacy stack.
Spectre and Meltdown: When CPUs Leak Secrets by Guessing
Modern processors run ahead of themselves, executing instructions before they know the results are needed — then quietly discarding the work. The discarded work leaves a fingerprint in the cache, and that fingerprint can be read. How a speed trick became a way to read memory across security boundaries.
DNS Cache Poisoning: Forging the Internet's Phone Book
Slip a forged answer into a resolver's cache and every user of that resolver is silently sent to the wrong server. The 16-bit guessing game behind the attack, Kaminsky's unlimited-retries insight, and the layered defenses that finally raised the cost.
CSPRNGs: Why Secure Randomness Is Harder Than It Looks
Every key, nonce, and token your security depends on starts as a random number. Get the randomness wrong and the strongest cipher collapses. What "secure random" really means — and the production failures that prove how easy it is to get wrong.
Rowhammer: Flipping Bits You Were Never Allowed to Touch
By hammering one region of memory fast enough, an attacker can flip bits in a neighboring region they have no permission to write. How a physics quirk in DRAM became a real privilege-escalation weapon — and a decade-long defense arms race.
The Privacy Cost of Online Age Verification
Laws requiring sites to verify your age sound reasonable until you ask: verify it how? Most methods prove who you are and infer age from identity — building honeypots of the most sensitive data imaginable. The privacy math, and the cryptography that could fix it.
QUIC and HTTP/3: Encryption Baked Into the Transport
TCP predates the idea that the network might be hostile, so it encrypted nothing itself. QUIC rebuilds the transport with encryption woven through — hiding things from the network that have leaked since the 1980s, and opening a few new questions.
SRP: The Password Protocol That Never Sends Your Password
A server can verify you know your password without the password — or anything that could replay as it — ever crossing the wire. And a stolen database can't be used to log in. Here's how augmented PAKE works.
OMEMO: How XMPP Got Modern End-to-End Encryption
OMEMO ended the old choice between OpenPGP and OTR by porting Signal's Double Ratchet onto a federated, multi-device protocol. How it works — and where its limits still bite.
Cryptographic Agility: Designing to Replace Your Own Crypto
Every algorithm eventually breaks — you just don't know when. Agility is the discipline of building systems that can retire a broken primitive without a rewrite. The post-quantum transition is making it urgent.
WPA3: What Actually Changed in Wi-Fi Security
WPA3 killed the handshake that let anyone in radio range crack your password offline, and added encryption to open networks. How SAE works, what Dragonblood taught us, and what WPA3 still doesn't protect.
Tor Onion Services: How .onion Sites Actually Work
A .onion address connects two parties who never learn each other's IP — no DNS, no certificate authority, no exit node. The address is the public key. Here's the rendezvous protocol behind a connection to nowhere-in-particular.
ACME: How Let's Encrypt Issues Certificates Without a Human
A decade ago, HTTPS meant a form, a fee, and a yearly file-copying chore. Now a server obtains and renews a trusted certificate in seconds with no human involved. The protocol that made the padlock free — and what it deliberately leaves out.
Constant-Time Programming: Why Crypto Code Can't Branch on Secrets
The most dangerous bug in cryptographic code isn't a wrong answer — it's a correct answer that arrives a few nanoseconds early. How timing leaks recover keys, and why secure crypto code is written so strangely.
CVE and CVSS: How Vulnerability Scoring Actually Works
A "9.8 critical" headline tells you less than you think. How vulnerabilities get their CVE identifiers, how the CVSS number is computed, and why the score is the start of triage — not the verdict.
Faraday Bags: Physical Privacy When Software Isn't Enough
Airplane mode is a software setting your phone can be made to lie about. A Faraday bag is physics — it blocks the radio waves themselves. When that distinction matters, how the bags work, and where they fail.
SS7 Attacks: How Your Phone Number Betrays You
Underneath the apps sits a signaling network from the 1970s, built for a closed club of national telecoms who trusted each other completely. That club is gone — but the trust assumption was never removed, and your SMS codes pay the price.
Content Security Policy: The Header That Defangs XSS
Input sanitization alone has never fully closed cross-site scripting. CSP takes a different bet: assume a script eventually slips through, and make the browser refuse to run it anyway. Nonces, hashes, strict-dynamic, and the one mistake that ruins most policies.
S/MIME vs PGP: Two Ways to Encrypt Email, Two Trust Models
Both bolt public-key crypto onto a 1980s message format. Where they part ways is the question that actually decides email security: how do you know a public key really belongs to the person you think it does? CA hierarchy versus web of trust — and what neither one fixes.
Decentralized Identifiers: Identity Without a Gatekeeper
Nearly every login you use is rented — an account in someone else's database, revocable and observable on their terms. DIDs and verifiable credentials sketch a different arrangement: identity anchored in a key you hold, proof that doesn't phone the issuer home.
ARP Spoofing: How an Attacker Becomes the Middle of Your Network
On a local network, machines find each other by shouting a question and trusting whoever answers. ARP spoofing is the attack built entirely out of answering dishonestly — why it only works on your segment, and why HTTPS makes the attacker's seat nearly worthless.
Merkle Trees: One Hash to Vouch for Everything
Prove a single record belongs to a million-item dataset by checking a couple dozen hashes. The deceptively simple structure underneath Git, Bitcoin, and Certificate Transparency — built from first principles, with the logarithmic proof that makes it scale.
CSRF Explained: How One Forged Request Can Act As You
Cross-Site Request Forgery skips the login entirely and rides the session you already have open. Why cookies make it possible, what an attack actually looks like, and the three defenses — anti-CSRF tokens, SameSite cookies, Origin checks — that close the gap.
Clickjacking: When the Button You Click Isn't the One You See
A UI redress attack floats an invisible real page over a decoy so your genuine clicks land somewhere you never intended. How the two-layer trick works, the likejacking and cursorjacking variants, and why frame-ancestors shuts it down.
Juice Jacking: Should You Fear the Public Charging Port?
A USB cable carries data as well as power — the entire premise of juice jacking. The honest version: what the attack can do, why modern phones quietly engineered most of the risk away, and the cheap data blocker that makes it a non-issue.
Evil Twin Attacks: The Fake Wi-Fi That Looks Exactly Like the Real One
A rogue access point clones a network name your device already trusts, and your device connects on its own. Why the SSID proves nothing, what an evil twin can and can't see in the HTTPS era, and the defenses that actually hold.
Quantum Key Distribution: Encryption Secured by Physics
QKD secures a key with the laws of physics instead of the hardness of math — and guarantees any eavesdropper leaves fingerprints. How BB84 works, why it isn't the same as post-quantum crypto, and the practical reasons it isn't replacing the internet's cryptography.
Ring Signatures: Signing as a Group Without Revealing Who
Prove that someone in a group signed a message without revealing which member — no setup, no manager, no permission. The cryptography behind "How to Leak a Secret," how it differs from group signatures, and how it powers Monero.
Qubes OS: Security Through Compartmentalization
Most operating systems assume they can stay trustworthy. Qubes assumes the opposite and contains the damage. How its security-by-isolation model uses disposable VMs, what it protects against, and who actually needs it.
Private Information Retrieval: Querying Without Revealing the Query
Encryption protects the data in a database, but the query you send leaks just as much. PIR lets you fetch a record without the server learning which one. The two families of schemes, and where it's quietly shipping in real products.
Steganography: Hiding Messages in Plain Sight
Encryption hides a message's contents; steganography hides that there's a message at all. How data gets tucked into images and audio, how steganalysis finds it, and why it's a layer on top of encryption — never a replacement.
Zero-Knowledge Proofs: Proving You Know a Secret Without Revealing It
Prove you're over 18 without showing your birthdate, or that you know a password without sending it. A practical walk through the math — completeness, soundness, the cave analogy — plus zk-SNARKs vs zk-STARKs and where they actually ship.
Homomorphic Encryption: Computing on Data You Can't Read
Almost every cipher makes you decrypt before you can compute. Homomorphic encryption breaks that rule — add and multiply over numbers a server can't read. How it works, the schemes that matter, and the products quietly shipping it.
Voice Cloning and Deepfake Fraud: The Scam That Sounds Like Family
AI can clone a voice from seconds of audio and fake a video call well enough to move millions. How synthetic-media fraud works, the cases that made it real, and the low-tech defenses — a family safe word, call-backs — that actually stop it.
Geofence Warrants: When Police Ask Who Was Near a Crime
A traditional warrant names a suspect. A geofence warrant names a place and a time, then demands every device that was there. How they work, the court split over their constitutionality, and the engineering change that quietly defanged them.
Diceware: A Password You Can Remember and a Computer Can't Guess
Most strong passwords are unmemorable; most memorable ones are weak. Diceware breaks the trade-off with a pair of dice and a word list — a passphrase you can hold in your head, with strength you can calculate to the bit.
Haven vs Proton, Tuta & Signal: An Honest Comparison
Proton, Tuta, and Signal are all good tools run by people who care. Here's a fair look at what each does well — and where Haven differs: encrypted email and chat under one identity, no phone number, a free tier that's actually free.
X3DH: How Signal Agrees on a Secret Key Before You're Online
Classic Diffie-Hellman needs both parties online at once. Messaging doesn't work that way. Here's the handshake that lets you derive a shared secret with someone whose phone is in a drawer.
The Noise Protocol Framework: The Crypto Behind WireGuard
WireGuard, WhatsApp's transport, and the Lightning Network share a foundation. A practical guide to how Noise builds secure handshakes from a few simple tokens.
Nonce Reuse: The Catastrophic Crypto Mistake
Reuse a nonce once and you can hand an attacker your plaintext, your forgery key, or your private signing key. The bug that sank WEP, a game console, and more than one TLS library.
DANE: Pinning TLS Certificates in DNS
DANE lets a domain owner declare which TLS certificate is legitimate using DNSSEC-signed records — bypassing the CA system entirely. It lost the browser fight but quietly secures email.
SimpleX Chat: Messaging Without User Identifiers
Signal needs your phone number. Most messengers assign a permanent account ID. SimpleX does neither — no user identifiers at all. An honest look at how that works and what it costs.
Memory Safety and the C/C++ CVE Crisis
Microsoft, Google, and the NSA all reached the same conclusion: roughly 70 percent of critical security bugs are memory safety bugs, and the cure is changing languages.
Certificate Revocation Is Broken (And What Replaced It)
CRLs were too big. OCSP leaked your browsing history. Soft-fail made revocation advisory. The web finally gave up and shortened certificate lifetimes instead.
DNS Rebinding: When Your Browser Attacks Your Router
A 30-year-old web attack that turns any browser tab into a beachhead inside your home network. Why it still works, and what actually stops it.
Typosquatting: How One Mistyped Package Owns Your Project
Malicious packages with names one keystroke away from popular libraries are a permanent fixture of npm, PyPI, and crates.io. Here's how the attack works and what blocks it.
age vs GPG: The Modern File Encryption Tool
GPG is powerful and ancient. age is a small, modern file encryption tool with one job and no legacy. Here's an honest look at when each fits.
Encrypted DNS Compared: DoH vs DoT vs DNSCrypt vs Oblivious DoH
Four protocols encrypt DNS queries, and they make very different trade-offs. A technical comparison of what each protects against, and what it doesn't.
Burner Phone Numbers in 2026: An Honest Guide
Disposable phone numbers used to be cheap and private. Both have changed. A practical comparison of MySudo, Hushed, Google Voice, prepaid SIMs, and data-only eSIMs.
Find My Networks: The Privacy Properties of Crowd-Sourced Tracking
Apple's Find My and Google's Find My Device network turn every iPhone and Android into a tracker for nearby objects. The cryptography is real — the residual risks are non-trivial.
Your Car Is a Privacy Nightmare: What Connected Vehicles Actually Collect
Modern cars collect more personal data than most apps, with fewer constraints. What connected vehicles actually track, who sees the data, and what you can do about it.
Self-Hosted Password Managers Compared: Vaultwarden, KeePassXC, Pass
Three serious self-hosted password managers compared honestly. Each takes a different approach. None is universally right.
HPKE Explained: Hybrid Public Key Encryption (RFC 9180)
HPKE is the modern, standardized way to encrypt to a public key — the building block under MLS, TLS Encrypted Client Hello, and Oblivious DoH. Here's what it does and why it replaces twenty-five years of ad-hoc KEM+AEAD glue.
DNSSEC Explained: How DNS Cryptographic Signatures Actually Work
DNSSEC adds signatures to DNS responses so resolvers can detect forgery. Twenty years on, it's still under-deployed and mildly controversial — and structurally important to the protocols that depend on it.
Padding Oracle Attacks Explained: When Decryption Errors Leak Plaintext
One bit of leaked information — "valid padding or not" — is enough to recover an entire plaintext, byte by byte. The attack class that brought down POODLE, Lucky 13, and a generation of CBC-mode protocols.
eSIM Privacy and Security: What Changes When the SIM Is Software
eSIM trades a removable chip for a remotely-provisioned profile. The cryptography is solid; the privacy surface shifts. What you actually gain, and what quietly goes away.
Encrypted Git Repositories Compared: git-crypt, git-secret, SOPS, and age
Four ways to keep secrets inside a git repo without leaking them. An honest comparison of git-crypt, git-secret, SOPS, and age — and which to reach for in 2026.
JWT Security Pitfalls: The Mistakes That Keep Breaking Tokens
JSON Web Tokens look simple. Three base64 chunks and a signature. The problem is that the format hands authors enough rope to hang an entire application — and the same handful of mistakes keep showing up in CVE feeds.
mTLS Explained: How Mutual TLS Authenticates Both Sides
Standard TLS proves the server. Mutual TLS proves the client, too. The mechanism is older than most people realize, and it's quietly become the backbone of zero-trust networking.
Secure Enclaves Compared: SGX, Secure Enclave, and TrustZone
Three names, three architectures, three threat models. A clear-eyed walk through how Intel SGX, Apple's Secure Enclave, and ARM TrustZone actually differ — and where each one breaks.
Sandboxing Desktop Linux: Firejail, Bubblewrap, and Flatpak
The Linux desktop has three serious sandboxing options, and they overlap in confusing ways. What each one actually isolates, where they fall short, and how to choose.
Privacy-Respecting Analytics: Beyond Google Analytics
Plausible, Fathom, Umami, and GoatCounter promise web analytics without surveillance. What they actually do, what they don't track, and where the trade-offs live.
Quishing: When a QR Code Is the Attack
A QR code is a link you can't read. Quishing exploits that blind trust, slipping past email filters built for clickable links and pivoting you onto your least-protected device — your phone.
BGP Hijacking Explained: How Internet Traffic Gets Stolen
The protocol that routes the entire internet runs on trust, with almost no way to tell a true claim from a false one. How hijacks reroute your traffic — and why encryption is your only real defense.
Email Tracking Pixels: The Invisible Spies in Your Inbox
A single transparent pixel reports the moment you opened an email, roughly where you were, and what device you used. How tracking pixels work — and the one toggle that shuts them off.
Why "Delete" Doesn't Delete: Data Remanence and Secure Erasure
Sending a file to the trash removes a pointer, not the data. Why SSDs broke the old wiping tools, why crypto-shredding is the modern answer, and how to actually erase a drive.
Data Retention Laws: How Long You Stay in the Logs
Governments often don't need to read your messages — they just need the logs to still exist. What mandatory data retention laws keep, and why encryption doesn't close the gap.
Mix Networks Explained: Why Tor Isn't the Last Word on Anonymity
Tor hides who you are from the websites you visit. It does not protect you from someone watching both ends of the network. Mix networks like Loopix and Nym were designed for that threat — and the price is latency.
Differential Privacy Explained: The Math That Lets Apple and Google Watch You Less
The only privacy definition that survives unbounded adversaries with unlimited side information. The math, the ε-budget, and what Apple's and Google's deployments actually buy you.
OAuth Consent Phishing: Stealing Your Account Without Your Password
An attacker doesn't need your Google password if they can convince you to click Allow on a fake app. Consent phishing bypasses 2FA, hardware keys, and password managers — and it has been actively exploited since 2017.
TPM 2.0 Explained: What the Trusted Platform Module Actually Does
The tiny chip on your motherboard that anchors disk encryption, secure boot, and hardware-backed keys. What it does, what it does not, and why Microsoft made it mandatory for Windows 11.
MAC Address Randomization: How Phones Try (and Often Fail) to Hide on Wi-Fi
Every Wi-Fi device broadcasts a hardware address that retailers and ad networks built tracking businesses on top of. iOS and Android now randomize it — and academic research has poked holes in the randomization.
Bluetooth Tracker Stalking: How AirTags Get Misused and How to Detect Them
A coin-sized disc that finds your keys can also follow a person without their knowledge. How crowd-sourced finding networks work, the cross-platform detection standard, and concrete steps to find a tracker on you.
Elliptic Curve Cryptography Explained: Why Smaller Keys Win
A 256-bit elliptic curve key matches a 3072-bit RSA key. That ratio is why TLS, Signal, and SSH all migrated to curves. The geometry behind it, why Curve25519 became the default, and the quantum caveat.
Diffie-Hellman Key Exchange Explained: Sharing a Secret in Public
Two strangers talking over a line everyone can hear can still agree on a secret no eavesdropper can recover. The paint-mixing intuition, the real math, the man-in-the-middle catch, and how ephemeral DH gives forward secrecy.
Authenticated Encryption (AEAD) Explained: Why Encryption Alone Isn't Enough
Encryption hides your data; it does not stop an attacker from tampering with it. AES-GCM and ChaCha20-Poly1305 deliver secrecy and integrity in one operation — and why nonce reuse is the cardinal sin.
Shamir's Secret Sharing Explained: Splitting a Key So No One Holds It
Split a secret into shares so any threshold rebuilds it and any fewer reveal nothing — provably, not just computationally. The line-through-points algebra behind it and where threshold schemes are used.
OPAQUE: Password Authentication That Never Sends the Password
The standard login model — type a password, send it, hope — has a structural flaw nobody has been able to fix without changing the protocol. OPAQUE changes the protocol. Here's the cryptography behind it.
Ed25519 vs RSA vs ECDSA: SSH Key Types Compared
Every SSH client supports at least three key algorithms. The differences aren't cosmetic — they touch the assumptions your keys rely on, the failure modes, and the size of the artifact you'll carry for the next decade.
MTA-STS and TLS-RPT: Forcing Encrypted Email Delivery
SMTP's STARTTLS is opportunistic by design — any on-path attacker can strip it. MTA-STS and TLS-RPT close that gap by letting domains advertise TLS as required, with reporting to detect when it fails.
HSTS and the Preload List: How Browsers Force HTTPS
Type bank.com into a browser and the first request leaves your machine in cleartext. HSTS closes that window — and the preload list closes it even before your browser has ever talked to the site. Getting on the list is a one-way door.
CAA Records: Telling CAs Who Can Issue for Your Domain
The WebPKI has roughly 70 trusted CAs. Without a CAA record, every one of them is allowed to issue a valid TLS certificate for your hostname. CAA reduces that set to whoever you've actually authorized.
The Signal Double Ratchet Algorithm, Explained
The algorithm behind Signal, WhatsApp, and Matrix Olm. How it delivers forward secrecy and post-compromise security in one protocol — and why it became the standard for 1:1 encrypted messaging.
TLS 1.3 vs TLS 1.2: What Actually Changed
TLS 1.3 dropped a decade of legacy ciphers, halved the handshake, and made forward secrecy mandatory. A clear look at the security and performance differences — and where deployments still fall back.
Argon2 vs bcrypt vs scrypt: Password Hashing Compared
Three serious password hash functions, three design philosophies. A pragmatic comparison of what each resists, where they differ in tuning, and what to actually pick in 2026.
WebRTC IP Leaks and How to Block Them
WebRTC needs your real IP to function — and any website can ask for it without permission. How the leak works, what your VPN does and doesn't fix, and the configurations that actually stop it.
Tor Bridges and Pluggable Transports: How Censorship Circumvention Works
Tor's relay directory is public, which makes it trivial to block. Bridges and pluggable transports — obfs4, meek, snowflake, webtunnel — are the architectural answer. Here's what each disguises and where each still works.
Messaging Without the Internet: Briar and the Case for Mesh
When infrastructure is hostile, mesh networking lets phones talk to each other directly over Bluetooth, WiFi, or Tor. Here's how Briar works and where mesh genuinely matters.
Sealed Sender: How Signal Hides Who's Messaging Whom
End-to-end encryption protects message contents, not metadata. Sealed sender is Signal's attempt to hide the "from" field — here's how it works and what it doesn't cover.
The Domain You Saw Wasn't the Domain You Got: Homograph Attacks Explained
Internationalized domain names let attackers register domains that look identical to real ones using non-Latin characters. Here's how Punycode phishing works and what stops it.
HKDF: Turning One Secret Into Many, Correctly
HKDF (RFC 5869) is the standard way modern protocols derive multiple keys from a single shared secret. Here's how extract-then-expand works and where it fits versus PBKDF2 and Argon2.
Subresource Integrity: The Hash Tag That Protects Web Apps
SRI lets browsers refuse to execute third-party scripts that don't match a known hash. It's a small attribute with outsized impact — but it doesn't cover what most people think.
EU Chat Control: What Client-Side Scanning Actually Means for Encryption
The EU proposes scanning your messages on-device before they're encrypted and sent. Here's the technical reality — and why cryptographers say it breaks end-to-end encryption by design.
Secure Enclaves and Trusted Execution Environments, Explained
Your phone's private keys live in hardware-isolated enclaves the main OS can't read. Here's how Secure Enclaves, TEEs, and TPMs actually work — and what attacks they can and can't stop.
Tails OS and Amnesic Computing: How to Leave No Trace
Tails boots from a USB stick, routes all traffic through Tor, and forgets every session on shutdown. For journalists and activists whose hardware could be seized, this changes the forensic calculus entirely.
Certificate Transparency Logs: What Your TLS Certificates Reveal
Every TLS certificate you issue is logged publicly and permanently. CT logs catch rogue certificate issuance — and expose your infrastructure to anyone who knows where to look.
Why Your Clock Is a Cryptographic Attack Surface
TLS certificate validation depends on accurate time. NTP is unauthenticated by default and can be spoofed. Here's how time attacks work and how NTS (RFC 8915) fixes them.
IMSI Catchers and Stingray Surveillance: What Your Phone Leaks to Fake Cell Towers
Cell site simulators are deployed by hundreds of law enforcement agencies worldwide. Here's what they actually capture, what 5G SA changes, and what application-layer encryption protects against.
Air-Gapped Computers: When and How to Use Offline Systems for High-Value Secrets
An air-gapped machine has never touched a network and never will. For PGP master keys, cryptocurrency seeds, and classified document handling, this is the only architecture that works — if done right.
Privacy-Preserving Payments: What Actually Works in 2026
Every credit card swipe is a surveillance event retained by banks, merchants, and data brokers. An honest comparison of cash, virtual cards, prepaid cards, and cryptocurrency — what each protects and against what.
Code Signing and Sigstore: How Software Supply Chain Integrity Works
SolarWinds was signed with a valid certificate. Signing proves the software came from a key — Sigstore's transparency log approach is what proves the key was used legitimately. A technical deep dive.
VeraCrypt and Encrypted Containers: Plausible Deniability and Hidden Volumes Explained
Two passwords, two entirely different decrypted contents — cryptographically, no forensic tool can prove a hidden volume exists. Here's how it works, when it matters, and its real operational limits.
National Security Letters: The Surveillance Tool That Comes with a Built-In Gag Order
NSLs are issued by the FBI without judicial review, with a statutory gag order attached. Here's what they can compel, how they appear in transparency reports, and what they mean for your privacy model.
Matrix: The Open Protocol for Federated Encrypted Messaging
Signal works well when everyone trusts the same company. Matrix is built for when they don't. A technical deep dive into federation, Olm/Megolm encryption, and the honest trade-offs.
Why Voice Calls Are Still Mostly Plaintext (And the Protocols That Fix It)
SS7, SRTP, ZRTP, and how Signal voice calls actually work. The phone system was designed without privacy; here's what end-to-end encrypted calls actually require.
Stalkerware: How Surveillance Apps Hide on Your Device
Commercial spyware sold legally, marketed as parental monitoring, and used overwhelmingly by abusers. How it works, how to detect it, and why removal requires a safety plan before anything else.
Private Search Engines Compared: DuckDuckGo, Brave, Kagi, and SearXNG
Search engines build detailed profiles from your queries. Here's an honest comparison of the serious private search options — what they actually protect and where each falls short.
Five Eyes and Your Privacy: What the Intelligence Alliance Actually Means
Five Eyes lets member nations share surveillance data on each other's citizens. Here's what the alliance actually does, how it differs from what marketing claims, and how to reason about it when choosing privacy tools.
Cold Boot Attacks: Why Disk Encryption Doesn't Protect a Running Computer
Full-disk encryption protects powered-off devices — but your keys live in RAM while the computer is running. Cold boot attacks exploit RAM data remanence to extract those keys. Here's how the attack works and what actually mitigates it.
Canary Tokens: How to Know When Your Files Have Been Accessed
Canary tokens are tracked decoys — files, URLs, and credentials that alert you the moment an attacker touches them. They work best precisely when other defenses have already failed.
Device Privacy at Border Crossings: What Agents Can Search and What You Can Do
Border agents in the US, UK, and Canada have broad authority to search your devices without a warrant. Here's what the law actually says and how to prepare before you travel.
CCPA vs GDPR: What Your Data Rights Actually Give You
Both laws claim to put you in control of your personal data. The reality is narrower and more dependent on enforcement than either implies. Here's what you actually have — and what you don't.
Post-Quantum Cryptography: What Happens to Your Encrypted Data When Quantum Arrives
Quantum computers will break RSA and ECC. NIST finalized post-quantum replacement standards in 2024, and Signal, Apple, and Chrome have already started migrating. Here's what's at risk and how the transition works.
The Long War Over Encryption Backdoors: From Clipper Chip to Today
Governments have tried to mandate backdoors in encryption since 1993. Every attempt has failed — not for political reasons, but mathematical ones. The history, and why it keeps repeating.
Secure Communication for Journalists: A Practical Guide to Source Protection
Protecting sources requires more than encrypted apps. Here's the threat model journalists face, the tools that actually help, and the operational mistakes that undermine technical security.
The Problem with Biometrics: You Can't Change Your Fingerprints
Biometrics are convenient — but irrevocable. Here's what that means for device security, legal compulsion by law enforcement, database breaches, and how to use biometrics safely.
DNS Leaks: The Invisible Privacy Hole in Most VPN Setups
Your VPN may be tunneling traffic while DNS queries travel in the clear to your ISP. What DNS leaks are, why they happen on every major OS, and how to actually fix them.
Account Takeover Attacks: How They Work and Why MFA Isn't Always Enough
Credential stuffing, adversary-in-the-middle phishing, session hijacking — account takeover attacks have evolved well past what standard MFA stops. Here's how each works and what actually defends against it.
Which Browser Should You Actually Use for Privacy in 2026?
Firefox, Brave, Tor Browser, Mullvad Browser — each solves a different part of the privacy problem. An honest breakdown of tracker blocking, fingerprint resistance, and network anonymity across all four.
Reproducible Builds: The Only Way to Verify Your Software Wasn't Tampered With
Open source proves reviewed code exists. It doesn't prove the binary you downloaded was compiled from that code. Reproducible builds close the gap — here's how they work and who achieves them.
Which Video Call Apps Are Actually Private?
Zoom, Signal, FaceTime, Element, Jitsi — they all claim privacy, but the details vary enormously. What gets encrypted, who holds the keys, and what metadata persists are questions with very different answers.
End-to-End Encrypted Cloud Storage: What Actually Protects Your Files
Proton Drive, Tresorit, Filen, MEGA — all advertise zero-knowledge encryption. The implementations differ in audits, jurisdictions, key derivation, and sharing models in ways that matter for your threat model.
Side-Channel Attacks: The Threat That Bypasses Encryption
Your encryption can be mathematically perfect and still leak secrets. Timing attacks, cache attacks, and Spectre-class vulnerabilities exploit physical computation rather than algorithmic weaknesses — here's how they work.
WireGuard vs. OpenVPN: A Technical Comparison That Matters for Privacy
WireGuard's lean design and modern cryptography make it faster than OpenVPN — but it stores peer IP addresses in memory by design. An honest comparison of both protocols and the privacy trade-offs involved.
The PGP Web of Trust: Why Key Verification Is Harder Than It Looks
OpenPGP's web of trust was an elegant solution to key authenticity without central authorities. It mostly didn't work — and understanding why reveals what good key verification actually requires.
How to Segment Your Home Network for Privacy and Security
A flat home network lets every device reach every other. VLANs and firewall rules create walls between your work laptop, your IoT devices, and your guests — here's a practical guide to doing it right.
What Happens to Your Encrypted Data When You Die?
Strong encryption is unforgiving — a lost passphrase means the data is gone, permanently. Digital estate planning for security-conscious people requires thinking carefully about the trade-off most privacy guides skip.
Privacy Dark Patterns: How Companies Design Around Your Consent
Cookie banners put "Accept All" in a large colored button and "Reject" in small grey text. That's not an accident. Here's how to recognize the design techniques companies use to collect more data than you'd willingly share.
RCS Encryption: What Google and Apple Aren't Telling You
Both companies claim RCS is encrypted. The reality is more complicated — the encryption is real in some cases, absent in others, and architecturally different from what most people assume.
How Password Managers Actually Protect Your Data
A password manager is the highest-leverage security upgrade most people can make. The LastPass breach revealed what good vault design looks like — and where weaker implementations fall short.
GrapheneOS: The Case for a De-Googled Android
The most rigorously hardened Android fork available — with full app compatibility via sandboxed Google Play. Here's what GrapheneOS actually changes, what it doesn't fix, and who it's right for.
What Your Smart Home Is Logging (And How to Limit It)
Smart speakers, doorbells, thermostats, and TVs are always-on sensors. Here's what data they actually collect, where it goes, and the network-level steps that actually reduce it.
Supply Chain Attacks: When Your Privacy Tool Gets Compromised
The XZ Utils backdoor showed that even carefully audited open-source software can be infiltrated at the build layer. Here's how supply chain attacks work, why privacy tools are high-value targets, and what reproducible builds actually solve.
Location Data Brokers: Your Movement History Is for Sale
Weather apps and coupon apps harvest your GPS coordinates and sell them to brokers who supply advertisers, insurers, and government agencies. Here's the infrastructure and who's buying.
FISA Section 702: The Legal Backdoor Into Your Communications
Section 702 allows US intelligence agencies to collect foreign communications — and then search them for Americans without a warrant. Every major US tech company is subject to it.
Cross-Device Tracking: How Advertisers Link All Your Screens
Your phone, laptop, and smart TV are, to the ad industry, a single identity. Here's the deterministic and probabilistic infrastructure that connects them — and where each defense actually works.
Secure Boot and TPM: What They Protect (and What They Don't)
Secure Boot and TPM chips address the boot integrity threat model and disk theft. They say nothing about what happens after the OS loads. Understanding the perimeter matters.
How Group Encrypted Messaging Actually Works
Secure group chats are a harder engineering problem than 1:1 messaging. Here's how Sender Keys, the Double Ratchet, and MLS each tackle the challenge — and where they fall short.
Traffic Analysis: The Threat That Encryption Can't Stop
Encrypting content protects what you say. Traffic analysis reveals who you talk to, when, how often, and how much — without decrypting a single byte.
Proving You're Allowed In Without Revealing Who You Are
Zero-knowledge proofs let you prove you satisfy a condition without revealing your identity. Here's how anonymous credential systems work and where they're being deployed.
What "Disappearing Messages" Actually Protects (and What It Doesn't)
Every major messaging app offers disappearing messages. The feature is real and useful — but it protects against a narrower set of threats than most users assume.
Your App Permissions Are a Privacy Attack Surface
Every time you tap "Allow," you're extending trust. Over years of installing apps, most users have granted far more access than they recall — to contacts, location, microphone, and more.
The Privacy Skill Nobody Teaches: Building a Personal Threat Model
Picking privacy tools without a threat model is like buying a lock without knowing what you're locking out. The five questions that make your privacy choices coherent — and why overkill is its own risk.
What OSINT Researchers Can Find About You in 30 Minutes
Most privacy violations don't require hacking. Public records, data broker aggregates, and search syntax expose more than most people realize — without accessing a single system they weren't supposed to.
Secure File Sharing: What "End-to-End Encrypted" Actually Means for Files
Where does the file live, who holds the keys, and what metadata survives the transfer? The questions that actually matter when sharing files securely.
What Your ISP Can See — And the Limits of What Can Hide It
Your ISP sits between your devices and everything else. Understanding what they observe, what HTTPS hides, and what actually helps is the starting point for network-level privacy.
Encrypted Backups: How to Protect Your Data Without Trusting the Cloud
A backup that a subpoena or breach can read is a second copy of your most sensitive data in someone else's hands. Here's how client-side encryption changes that equation.
How Messaging Apps Harvest Your Social Graph Through Contact Discovery
When you grant a messaging app access to your contacts, it doesn't just find your friends — it maps who you know. The contact discovery problem, and how Signal's OPRF approach actually solves it.
TOTP, SMS, Hardware Keys, and Passkeys: An Honest 2FA Comparison
Not all two-factor authentication is equal. SMS codes and hardware security keys are both called "2FA" — they are not remotely equivalent. Here's what each actually resists.
Full-Disk Encryption Explained: What LUKS, FileVault, and BitLocker Actually Protect
Full-disk encryption makes a stolen laptop worthless to an attacker — but only when powered off. Here's the precise threat model, the implementation differences, and what it doesn't protect against.
Tor vs. VPN: What They Actually Protect (and What They Don't)
Both are called privacy tools. They solve different problems, have different trust models, and fail in different ways. Understanding the distinction prevents over-reliance in either direction.
What AI Can Infer About You: Machine Learning and the Surveillance Problem
Encryption protects data. Machine learning infers from data. The gap between what was recorded and what can be derived has widened considerably — and changes the calculus of privacy.
Trust On First Use: The Security Gamble Built Into Most Encrypted Apps
TOFU is how Signal, WhatsApp, and most encrypted apps handle key exchange. It protects against passive eavesdropping — but has a narrow, critical weakness at the exact moment keys are first exchanged.
SPF, DKIM, and DMARC: What Email Authentication Actually Does
SMTP has no built-in sender verification — anyone can claim any address. Here's how three layered standards close most of that gap, and what they still can't prevent.
The Surveillance Gap: Why U.S. Communications Law Is Still Stuck in 1986
The law governing government access to your email and cloud data was written before the commercial internet existed. Here's what that means for your data on American servers today.
Apple's iCloud Private Relay: Two-Hop Privacy and Its Limits
Private Relay ensures no single party sees both your identity and your browsing destinations. That's a meaningful property — and a narrower one than the word "relay" sometimes implies.
What Your VPN Actually Protects (And the Long List of What It Doesn't)
A VPN shifts your traffic from your ISP to your VPN provider. That shift is real — but narrower than most VPN marketing implies. A clear-eyed threat model for a tool that's widely misunderstood.
Key Transparency: The Missing Layer That Makes E2E Encryption Trustworthy
End-to-end encryption relies on a key exchange you can't audit — key transparency closes that gap with a tamper-evident log of every key binding, making silent key substitution mathematically detectable.
Warrant Canaries: What They Promise, and Where They've Failed
A warrant canary signals — without saying so — that a service hasn't received a secret government demand. It's a clever legal workaround with real limits. Here's how it works and what a dead canary actually tells you.
Passkeys Explained: Why the Password's Replacement Is Worth Trusting
Passkeys use public-key cryptography to replace passwords entirely. Phishing-resistant by design, no shared secret, no server-side credential to breach. Here's how they actually work.
How to Remove Yourself from Data Broker Databases (And Why It's an Ongoing Job)
Data brokers aggregate and sell your address history, relatives, phone numbers, and more — assembled without your knowledge. Opting out is possible, but it requires a systematic and repeating approach.
DNS-over-HTTPS: What It Actually Protects (and What It Doesn't)
DNS-over-HTTPS encrypts your domain lookups, hiding them from your ISP. But it shifts trust rather than eliminating it, and several common threats it doesn't address are worth understanding clearly.
SIM Swapping: The Attack That Bypasses Every Password You Own
Your password is strong and your two-factor code arrives by SMS. A criminal with a phone and a convincing story can own your accounts in under an hour. Here's how the attack works and what actually stops it.
Browser Fingerprinting: How You're Tracked Without Cookies or Accounts
Privacy mode blocks cookies. It does nothing to stop browser fingerprinting — a stateless technique that identifies your browser configuration with high precision and survives every session you start.
Hardware Keys vs. Authenticator Apps: Which 2FA Actually Protects You?
Both are better than SMS codes. The difference between them — particularly against phishing — separates a 2FA setup that looks strong from one that actually is.
Certificate Pinning: The Mobile Security Layer Most Apps Skip
TLS verifies that your certificate was signed by a trusted CA — not which CA. Certificate pinning fills that gap, and the apps that skip it are more vulnerable to interception than their padlock icon suggests.
GDPR in Practice: What European Privacy Law Actually Protects (and What It Doesn't)
GDPR is the gold standard of privacy regulation and is frequently misunderstood. Here's what the law actually does — and where it was never designed to protect you.
What Happens When a Privacy App Gets Acquired?
WhatsApp, Wickr, Skype — the pattern repeats. A privacy-forward product gets bought by a larger company, and the commitments quietly erode. Here's the history and what it means for your choice of tools.
Forward Secrecy Explained: Why a Data Breach Won't Expose Your Old Messages
Forward secrecy is what makes encrypted messaging resilient to future key compromise. Here's how key ratcheting works and why your message history stays protected even if keys are later exposed.
The Business Model Problem: Why Free Privacy Apps Don't Exist
Every app needs revenue. When that revenue comes from advertisers instead of users, your data is the product. Here's the structural reason free and private are incompatible.
Email Aliases: The Privacy Feature Most People Don't Know Exist
Most people use one email address for everything. That address is your identity, your login, and your breach surface — all in one. Aliases break that dependency.
iCloud Backups Are Breaking Your iMessage Encryption
iMessage is end-to-end encrypted. But if you back up to iCloud, your messages aren't. Here's exactly what Apple can see — and what to do about it.
WhatsApp vs Signal vs Haven: An Honest Comparison
All three apps claim to protect your messages. Here's what actually separates them — phone number requirements, metadata collection, business model, and audit history.
The Best Gmail Alternatives in 2026 (That Actually Protect Your Privacy)
Gmail is free because your email is the product. If you're looking for an alternative in 2026 that doesn't read your mail, here's what actually works.
Telegram Is Not Encrypted. Here's What That Actually Means.
Telegram is widely misunderstood as an encrypted app. Most of it isn't. Here's what's actually happening with your messages.
What End-to-End Encryption Actually Protects (And What It Doesn't)
E2EE is the most cited and least understood concept in security. A precise breakdown of what it protects, what it misses, and what you actually need.
Your Encrypted App Has a Leak. It's Called Metadata.
Encryption protects what you say. It says nothing about when, to whom, how often, or from where — and that pattern reveals more than most people are comfortable admitting.
Encryption Is Not Privacy. Here's the Difference.
Every privacy tool encrypts something. Almost none of them guarantee privacy. Conflating the two is how security theater happens.
Why Email Is Still the Most Important Thing to Encrypt
Signal and Telegram get the headlines. Meanwhile, your unencrypted inbox holds the keys to your entire digital identity.
Building a Complete Privacy Stack in 2026: Email, Chat, and Files
A practical guide to replacing Gmail, iMessage, and Google Drive with genuinely private alternatives — without needing a computer science degree to set it up.
The Honest Case for Leaving ProtonMail in 2026
ProtonMail earned its reputation — but its limitations are showing. Here's what power users switch to, and what to actually look for.
Signal Requires Your Phone Number. That's a Bigger Problem Than You Think.
Signal's cryptography is excellent. The weak link isn't the encryption — it's the identity model.
Zero-Knowledge Email: What It Means, What It Doesn't
"Zero knowledge" is the most abused term in privacy marketing. Here's what it actually requires cryptographically.
MLS: The Encryption Protocol Designed to Fix Group Chat
RFC 9420 introduces Messaging Layer Security — a standardized protocol that solves group encryption's biggest problems.