SSLreminder blog

Evolving threats: attacks in the TLS era

Thu, 12 Feb 2026 04:47:00 +0000

With encryption nearly everywhere, attackers have adjusted their playbook. Below are the threat trends that show up most often around TLS − and what they mean for people running TLS at scale.

1) Phishing with HTTPS is now the default

Phishers figured out years ago that they can get valid TLS certificates cheaply (or free) for look-alike domains. So the padlock tells you “this connection is encrypted”, not “this site is trustworthy”. Recent reporting puts HTTPS usage on phishing sites at roughly three-quarters or more.

A look at TLS and Internet security in early 2026

Mon, 05 Jan 2026 12:21:34 +0000

At the start of 2026, TLS (often still called “SSL”) – is essentially the default for web traffic. Encryption is now expected for websites: in the U.S., about 98% of all internet traffic is sent over HTTPS, and globally around 88–95% of web traffic is encrypted.

This ubiquity of TLS has greatly improved confidentiality and integrity online, but it hasn’t made security a solved problem. The TLS ecosystem is actively evolving to address new challenges. This short report highlights key developments and practical insights for IT professionals managing TLS certificates and infrastructure.

Using SSLreminder via API is easy

Mon, 27 Oct 2025 10:33:21 +0000

Prefer curl (or code) over clicking around? Our Account API makes it straightforward to add, list, and remove monitored domains. And there’s a free, no-auth certificate checker for quick lookups.

Quick start

Grab your API token from your SSLreminder account (paid plans). Use it as a Bearer token in the Authorization header.
Ping the health endpoint (no auth needed):

curl https://api.sslreminder.pro/healthy
# → {"status":"Healthy"}

Core endpoints (with curl)

Add a domain

Device-bound session credentials: Google's next move against cookie theft

Sun, 19 Oct 2025 10:17:27 +0000

Google is rolling out Device-Bound Session Credentials (DBSC) to limit session hijacking by binding a session to the device that created it. Instead of relying on a stealable bearer cookie alone, Chrome generates a per-session public/private keypair and stores the private key in secure hardware (on Windows, the TPM where available).

Servers can periodically challenge the client to prove it still holds that device-locked key, making exfiltrated cookies useless on other machines.

Let’s Encrypt ends expiration emails − Here’s how to stay notified

Thu, 01 May 2025 19:13:01 +0000

Let’s Encrypt has announced that it will discontinue its expiration notification emails starting June 4, 2025. This change is driven by several factors:

The widespread adoption of automated certificate renewal processes among users.
A commitment to enhancing user privacy by reducing the retention of email addresses linked to certificate issuance.
The desire to allocate resources more efficiently, as maintaining the notification system incurs significant costs.

Monitor more than websites: SSL Certificate checks for IMAP and other services

Fri, 25 Apr 2025 06:22:28 +0000

Did you know SSLreminder isn’t just for websites? Your mail server, API endpoints, and many other services also rely on valid SSL/TLS certificates. Letting these certificates expire can disrupt critical business operations and compromise security.

Example: Monitoring IMAP SSL certificates

To monitor your IMAP server’s SSL certificate with SSLreminder:

Log into your SSLreminder account.
Click on “Add new”, enter a new domain name, and save it
Click “Edit” and specify the custom port number, in this case 993 (IMAPS).
Save your check and relax − SSLreminder takes care of the rest!

Configuring a custom port for IMAP SSL monitoring in SSLreminder

You’ll receive timely notifications before the certificate expires, giving you peace of mind and continuity of service.

SSL/TLS world in 2025: April check-in

Sun, 20 Apr 2025 10:08:38 +0000

The secure‑web stack has evolved more over the past two years than in the previous five. Here’s a quick mid‑2025 update covering the most significant shifts: from protocol updates to certificate automation.

1. TLS 1.3 is now the standard

93% of Cloudflare’s connections are now using TLS 1.3, a huge increase from less than 1% in 2018. This seven‑year‑old spec has become the baseline for browsers and CDNs.
Major players like Chrome, Firefox, and Cloudflare have brought back Encrypted Client Hello (ECH) after a few bumps in 2023, helping hide the Server Name Indication for better HTTPS privacy.

2. Post‑quantum security makes its entrance

Cloudflare’s data shows that about 2% of all TLS 1.3 handshakes now use a hybrid Kyber + X25519 key exchange. Expect adoption to hit double digits by year‑end as the draft RFCs settle.
With NIST finalizing its first round of post‑quantum cryptography standards this spring, browsers are gearing up to accept new post‑quantum ciphersuites without the need for a brand‑new “TLS 1.4”.

3. Streamlined automation in the ACME ecosystem

Let’s Encrypt is keeping things innovative:

Apple to limit ADP availability in the UK

Wed, 05 Mar 2025 02:23:27 +0000

Apple has recently decided to stop offering Advanced Data Protection (ADP) to new users in the United Kingdom. While the company has not explicitly stated the reason for this change, it reaffirmed its stance on encryption, saying: “We have never built a backdoor or master key to any of our products or services and we never will.”

A possible factor in this decision is the UK’s Investigatory Powers Act (IPA) of 2016, which gives the government the authority to request access to encrypted data. According to a recent Washington Post report, Apple was asked to enable access to ADP-encrypted data for UK users globally. Rather than modifying its security approach, Apple has opted to limit ADP’s availability in the UK.

OSCP to go away soon

Thu, 27 Feb 2025 20:38:29 +0000

In a recent Feisty Duck newsletter post titled “The slow death of OCSP” the author explains why the Online Certificate Status Protocol (OCSP) is gradually losing significance in the SSL/TLS ecosystem. It is interesting to understand what’s next for the protocol and have a quick look at how it came to be in the first place many years ago.

Originally conceived to provide real-time certificate revocation information, OCSP has been hampered by performance bottlenecks, occasional inaccuracies, and soft-fail browser implementations. In short, if an OCSP server is unreachable, most browsers proceed without a valid response, which leaves the door open for potential security gaps. As users, we never know when we’re protected and when we’re not.

Account API is now live! 🥳

Fri, 13 Sep 2024 10:33:43 +0000

We’re thrilled to announce that the SSLreminder account API is now live and available to all paid customers!

After an exciting pre-release phase with a select group of testers, we’ve fine-tuned the endpoints to ensure they meet the needs of our users. The API allows you to automate domain management, making it easier to keep track of your SSL/TLS certificates, integrate seamlessly with your existing tools, and streamline domain management operations.

Introducing our new account API (pre-release)

Fri, 09 Aug 2024 09:25:50 +0000

We’re excited to announce the launch of a new feature that many of our customers have been asking for—our Account API is here and currently in pre-release testing!

We’ve rolled it out to a select group of customers who requested it specifically, and they’re helping us fine-tune its functionality. Once the testing phase is complete, API access will be available to all customers on a paid plan.

Customer Emails feature released

Sat, 02 Sep 2023 09:21:02 +0000

Following multiple requests, we’re happy to release a new feature called “Customer Emails”. It will be most beneficial to SSLreminder account owners who manage domain names on behalf of their customers.

The Customer Emails feature allows you to assign a customer email address to a tracked domain name so that the notification is also delivered to your customer. Let’s see how this works in practice below.

The PQC Migration Handbook

Mon, 15 May 2023 05:48:11 +0000

The Dutch National Communications Security Agency and several other participants have released the PQC Migration Handbook. This handbook provides actionable steps for organizations to identify and mitigate the risks of quantum computers to their cryptographic landscape.

With the increasing development of quantum computers, many cryptographic schemes currently in use will become weakened or completely insecure. The handbook explains the importance of identifying and migrating to post-quantum cryptography (PQC) to ensure the security of sensitive data and prevent unauthorized access.

RPKI in Dutch government routing by the end of 2024

Mon, 08 May 2023 05:27:18 +0000

By the end of 2024, all Dutch government ICT systems must use the RPKI standard to improve the government’s internet routing security. This also means that RPKI must not only be used for new purchases but should also be implemented in all existing government systems. The Government-wide Policy Consultation on Digital Government (OBDO) established this objective on March 30th as part of a target agreement.

Google to phase out the address bad padlock icon in Chrome

Thu, 04 May 2023 10:32:12 +0000

Google plans to replace the padlock icon indicating website security in Chrome with a “tune” icon in September 2023 as part of a browser redesign. Google’s research found that only 11% of participants understood the intended purpose of the lock icon.

The new icon better represents control menus and encourages users to click through to access more information about their security and connection settings. Over 95% of Chrome webpages loaded on Windows now use HTTPS, making it the default connection. The new icon will continue to mark plaintext HTTP as insecure on all platforms.

Open letter to the British government from online messengers

Sun, 30 Apr 2023 12:09:41 +0000

The EU’s proposed “chat control” legislation and the UK’s Online Safety Bill are both under the pretext of child protection. Still, they also enable full-scale surveillance of chat communication without probable cause.

That is why seven messenger applications (Element, Session, Signal, Threema, Viber, WhatsApp, and Wire) published an open letter in opposition to the UK’s Online Safety Bill currently in the House of Lords.

Chrome downgrades long-running requests from HTTPS to HTTP (bug)

Thu, 28 Apr 2022 20:59:39 +0000

Interesting bug was discovered in Chrome, describing the behaviour of the browser downgrading long-running requests from HTTPS to HTTP after 3 seconds of waiting for a response.

Chrome is cancelling the first request after 3s, then requests the same URL again, this time via HTTP, instead of the original HTTPS.

Chrome downgrading HTTPS to HTTP

Here are the steps to reproduce this issue:

Introducing Digest Email

Tue, 18 Jan 2022 17:47:01 +0000

New notification mode

In January 2022, we have released a new notification mode. It comes as an addition to our standard daily emails (one email per domain name) and weekly Slack digests.

Once enabled, the Digest email mode replaces daily individual emails, compiling together expiration information for all domain names under your account.

Here’s how to enable Digest emails:

Navigate to the Notification preferences menu in your account
In the Digest email section, select “Digest email” and click on “Update notification preferences”

Digest email in Notification preferences

Give it a try

It is possible to receive a Digest email before deciding whether to switch to this notification mode.

Let's Encrypt Root Certificate Expiration

Wed, 12 May 2021 08:20:28 +0000

On September 30, 2021, the older root certificate of Let’s Encrypt will expire (the DST Root CA X3).

Here’s what happens after that date:

Older devices that do not receive software updates will not trust the certificates from Let’s Encrypt anymore (for example, iPhone 4). This is because such devices will not have the new root certificate installed with software updates (the ISRG Root X1)
Modern devices already contain the new certificate, ISRG Root X1, in their list of root certificates. No further action is required.

For more information on this topic, see the original update from Let’s Encrypt here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Time to eliminate obsolete TLS protocol configurations – NSA

Mon, 01 Feb 2021 23:02:40 +0000

The National Security Agency (NSA) recommends replacing obsolete protocol configurations with ones that utilise strong encryption and authentication to protect sensitive information. Over time, new attacks against Transport Layer Security (TLS) and the algorithms it uses have been discovered. Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries.

NSA recommends that only TLS 1.2 or TLS 1.3 be used;
and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 should not be used

HTTPS-only mode in Firefox 83

Sun, 13 Dec 2020 14:30:41 +0000

In November, Mozilla introduced the HTTPS-only Mode, a brand-new security feature available in Firefox 83.

Here’s what happens when you enable HTTPS-only Mode:

Firefox attempts to establish fully secure connections to every website (even for the http:// addresses), and
Firefox asks for your permission before connecting to a website that doesn’t support secure connections.

More information available on the official blog of Mozilla.

Our New Homepage

Wed, 21 Oct 2020 19:21:02 +0000

At some point we have realised that our, then-current, homepage was far from optimal. It didn’t provide enough of clear, well-structured information about what is it that SSLreminder is doing.

We decided to change that.

Prototyping in progress

Since we don’t have a full-blown team of front-end engineers and UI/UX designers, all the thinking, prototyping and implementation was done by our techies. (Spoiler: they did quite a good job over there, feel free to check it out here)

Digicert to Deprecate the OU Field

Sun, 27 Sep 2020 12:30:23 +0000

Why is the OU field being removed?

Oftentimes confusing, the OU field is intended to keep the information about Organizational Unit that the certificate is issued for. This field is mostly optional and there is no generally accepted validation rules for it.

To reduce confusion around this field and improve validation times, Digicert is going to remove it from future ordering processes.

Google Chrome Will Limit SSL/TLS Certificates to 1 Year of Validity

Mon, 15 Jun 2020 22:21:04 +0200

On the 10th of June a CA/Browser Forum representative informed through Twitter that as of September 1 2020 Google Chrome will start limiting SSL/TLS certificates validity period to 398 days, or a bit over 1 year.

So what exactly does this change mean for a website owner or administrator? Since the maximum certificate validity will be cut in about half, the chance to miss extension date will simply become twice as big.

Why Do You Need SSL

Sun, 17 May 2020 14:43:19 +0200

Welcome back to our blog. Today we are going to find out why do we actually need SSL and what is the benefit of having it enabled.

There are 2 protocol groups that provide secure communication over the Internet - SSL and TLS. For the sake of simplicity we are going to call them “SSL” as a group, but we actually mean both, so read it as “SSL/TLS”. Sometimes SSL is also called HTTPS, which is a different thing, but again for our discussion does not matter much.

Current State of SSL/TLS Support

Thu, 07 May 2020 04:45:48 +0200

Welcome back to the SSLreminder blog. Today we’re looking at the current state of the SSL ecosystem with regards to TLS (SSL) protocol support by modern websites.

In order to get the data we have turned to SSL Pulse, a monitoring tool by SSL Labs. It is a continuous and global dashboard for monitoring the quality of SSL/TLS support over time across 150,000 SSL- and TLS-enabled, most popular websites in the world.

Maximum SSL Certificate Validity

Mon, 04 May 2020 07:10:24 +0200

In short, maximum SSL certificate validity period is 2.2 years (in 2020). See below for more details.

By voting for Ballot 193, the CA/Browser Forum group have reduced the maximum lifetime for SSL certificates to 825 days or about 2.2 years.

Here’s an excerpt from the ballot:

Subscriber Certificates issued after March 1, 2018 MUST have a Validity Period no greater than 825 days.