The cutting edge of cryptographic comms for distributed systems

iOS 14 and macOS Sequoia 15 introduces a new privacy feature: randomised MAC addresses for Wi-Fi networks. Hence, if you're still relying on MAC Address Filtering or SSID Hiding to secure your enterprise Wi-Fi network, it's time to rethink your strategy.

With phishing attacks on the rise, passwords are no longer a reliable method for granting infrastructure access or authenticating users. It is time to adopt authentication methods that don't rely on shared secrets.

We're excited to announce a new release of our HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.

Internal PKI continues to be essential but struggles with modern practices. But don't worry, there is hope.

We're excited to announce our new HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.

We've added X.509 certificate templates to Step Certificates

step and step-ca (v0.11.0) adds support for cloud instance identity documents (IIDs), making it embarrassingly easy to get certificates to workloads running on public cloud virtual machines (VMs). This post introduces IID-based authentication with step and step-ca, and notes some interesting architectural and security details.

With today's release (v0.13.0), you can now use ACME to get certificates from step-ca. ACME (RFC8555) is the protocol that Let's Encrypt uses to automate certificate management for websites. ACME radically simplifies the deployment of TLS and HTTPS by letting you obtain certificates automatically, without human interaction.

Automating internet security with the Let’s Encrypt certificate authority has led to the massive acceleration of safe web browsing. As we roll out ACME protocol support and give away some free hoodies, we want to thank Let’s Encrypt and the IETF for making it all possible.

This issue is a discussion about the trust anchor and dependencies of systems. While a clever turtle reference often satisfies the room, getting a real answer to this question is fundamental to modern security practices.

Great Minds Really Do Think Alike! I found an inarguable topic in the most unlikely of places, deep in the conversations between cyber-security experts.

In this post, we will explore how successful public internet practices provide a set of instructions for how the industry should be thinking about securing internal systems. The second edition of the Modern Security for Leaders series.

smallstep’s vision is centered on modernizing security practices using the best available technology to solve security challenges. Now you’re probably saying (as I was at this point), there are hundreds of companies out there spending billions of dollars on modernizing practices. How much market is really left for a scrappy startup? Turns out a lot!

Introducing step v0.9.0: Most enterprise IAM systems expose OpenID Connect (a suite of single-sign-on protocols that allow the creation of accounts and login into third party applications using a single account per user identity). In step v0.9.0 you can now leverage OpenID Connect to authenticate with step certificates to make issuance of personal certificates simple.

Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who''ve avoided this particular rabbit hole. Eventually, I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It''s universal and vendor-neutral yet poorly documented. This is the missing manual.

This post has a simple purpose: to persuade you to use TLS everywhere. By everywhere, I mean everywhere. Not just for the public internet, but for every internal service-to-service request. Not just between clouds or regions. Everywhere. Even inside production perimeters like VPCs. I suspect this will elicit a range of reactions from apathy to animosity. Regardless, read on.

A better security model exists. Instead of relying on IP and MAC addresses to determine access we can cryptographically authenticate the identity of people and software making requests. It’s a simple concept, really: what matters is who or what is making a request, not where a request comes from. In short, access should be based on production identity