cryptography

They call me the content machine. I write about information security topics, with an emphasis on cryptography and distributed denial-of-service (DDoS) attacks. I've written for DarkReading, SC Magazine, and Network World. But most people know me from my monthly column at SecurityWeek.



July 13, 2017 tags:  SSL-TLS cryptography

How Quantum Computing will Change Browser Encryption

After a conversation with a chip-maker, I did a bunch of research into Quantum Computing, and collected my notes into this pretty cool report.


March 29, 2017 tags:  SSL-TLS cryptography security-week

US-CERT's Warning on SSL Interception vs. Security is a False Dichotomy

My response, representing the vendor community, to US-CERT's warning about SSL interception products.


March 1, 2017 tags:  SSL-TLS cryptography security-week

Encryption Smackdown: PlayStation 4 vs. XBox One!

Ladies and Gentlemen! Gamers and Cryptoheads! Have you ever wondered which major gaming console has the best message encryption? Well, I’m going to reveal the clear winner in my own recent personal test.


Jan. 27, 2017 tags:  SSL-TLS cryptography

The 2016 TLS Telemetry Report

Took me three years to compile the data for this report. It started out as a personal project that I wrote in a hotel room in Cologne, Germany over a weekend. But hundreds of hours and millions of computer scans later... this report. It's all about global encryption trends over a three-year period, with some analysis about why each trend is going the way it is. Warning: usual doses of Holmes humor contained within.


Jan. 4, 2017 tags:  SSL-TLS cryptography ddos

David Holmes Greatest Hits 2016 Edition

I wrote, starred in, or was mentioned in 48 pieces last year. A new record. Here's the best of them.


Sept. 28, 2016 tags:  SSL-TLS cryptography infosec security-week

I Got 99 Problems, But SWEET32 Isn't One

In this piece, yours truly evaluates the SWEET32 cryptographic attack relative to other SSL cryptographic attacks such as DROWN and BEAST.


Sept. 16, 2016 tags:  SSL-TLS cryptography security-week

You Can't Find What You're Not Looking For Because of Goat Parkour

We commissioned the analyst firm IDC to do an encryption survey. They asked questions that I always wanted to know the answer to. So what does that have to do with goat parkour? Read on and find out.


Aug. 24, 2016 tags:  SSL-TLS cryptography

SSL Orchestration: Making outbound SSL inspection faster and more resilient

David Holmes clarifies how the SSL Orchestrator makes outbound SSL faster and more resilient.


Aug. 17, 2016 tags:  cryptography infosec hackers security-week

Dispatches from DEFCON 24

I've been coming to this hacker con since Defcon 7. So that's 17 years! DC24 was a good one, with some interesting talks. Here's a recap I did for SecurityWeek.


Aug. 12, 2016 tags:  SSL-TLS cryptography in-the-news

Microsoft Disables RC4 for Edge and IE

SecurityWeek reported that Microsoft disabled the RC4 cipher in Edge and Internet Explorer 11, and referenced David Holmes’ byline column from last year about the simplicity of RC4 being its greatest appeal.


Aug. 8, 2016 tags:  cryptography infosec hackers security-week

Dispatches from Blackhat USA 2016

Here's a recap I did for SecurityWeek of some of the more interesting talks at the 2016 Black Hat security conference.


Aug. 1, 2016 tags:  SSL-TLS cryptography infosec hackers

IDC Survey - The Blind State of Rising SSL Traffic

F5 commissioned the analyst firm IDC to survey hundreds of infosec professionals. The goal was to find out exactly how much enterprise traffic is encrypted. Their answers? Between 25-50% in 2016. That's a lot! Read the survey to find out how infosec is dealing with all the encrypted traffic, and the malware that hides within.


July 11, 2016 tags:  SSL-TLS cryptography

New Elliptic Curve X25519 Trips Up ProxySG

Here's a more technical version of my article that came out of a customer visit to Oslo. This has to do with Dan Bernstein's elliptic curve 25519, and how its unexpected deployment threw off a competitor's inspection.


July 6, 2016 tags:  SSL-TLS cryptography

SSL Outbound Visibility Lightboard Lesson

You’ve been having trouble sleeping because of the SSL visibility problem with all the fancy security tools that don’t do decryption. Put down that Ambien, because this Lightboard Lesson solves it. In this episode, David Holmes diagrams the Right Way (tm) to decrypt and orchestrate outbound SSL traffic, improving SSL visibility, decreasing failures and improving network performance.


June 29, 2016 tags:  SSL-TLS cryptography infosec security-week

New X25519 Cipher Throws Enterprise Surveillance for a Loop

I heard about this problem with a customer in Oslo, Norway. It has to do with an advance in cryptography throwing surveillance devices into darkness.


June 2, 2016 tags:  SSL-TLS cryptography in-the-news

CSO Australia - Redefining the Application security perimeter

This year's high-profile battle of wills between Apple and the US Federal Bureau of Investigation (FBI), which sparked worldwide discussions about the propriety of security 'back doors', was eventually resolved when the FBI found another… “We're seeing more and more Internet traffic encrypted over time, particularly after Edward Snowden came out and told everyone that people are watching them,” David Holmes, worldwide security evangelist with F5 Networks, recently told CSO Australia…


June 2, 2016 tags:  cryptography travel infosec hackers security-week

Cyber Espionage Report: APT at RUAG

I get lucky sometimes. This was one of those times. I ran into a member of CERT.be, and he told me of an interesting report about a cyberespionage case in Europe. Made for a great SecurityWeek article.


May 17, 2016 tags:  SSL-TLS cryptography in-the-news infosec

Google to Soon Kill SSLv3, RC4 Support in Gmail

A SecurityWeek article quotes me about SSLv3 and RC4.


May 16, 2016 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 12.1

It took me 23 hours to write this! But people LOVED IT. Continuing my tradition of the top security features of each F5 BIG-IP release.


April 13, 2016 tags:  SSL-TLS cryptography infosec security-week

Is Multi-Cloud the Ultimate Use Case for the Zero Trust Model?

During my last visit to Australia, I talked with some customers who were running into some fascinating problems trying to secure multiple components across different public clouds. Wrote it up for SecurityWeek.


March 23, 2016 tags:  SSL-TLS cryptography infosec security-week

Is DROWN a 'Hello Kitty' SSL Vulnerability?

Should you panic about the DROWN SSL vulnerability? Is it cute and kid-friendly, or is it a monster vulnerability coming to expose your most sensitive data? This piece I did for SecurityWeek builds upon the "Stack Ranking SSL Vulnerabilities" article I'd written the year before.


March 18, 2016 tags:  SSL-TLS cryptography in-the-news infosec

95% of HTTPS Servers Vulnerable to Trivial Connection Hijacking

SecurityWeek quotes me about strict transport security.


Feb. 4, 2016 tags:  SSL-TLS cryptography infosec security-week

Let's Encrypt's Public Beta--Panacea or Placebo?

I know it sounds like I pick on Let's Encrypt, the free, open CA. And I guess I do kinda. Not in a mean way, because what they are doing is pretty freaking cool. But in a skeptical way, because so often the road to hell is paved with good intentions. On the other hand, there are altruistic endeavors that I would have said would never work, like Wikipedia, and um, well that's about it. Anyway, this piece is a more measured look at the early public stages of Let's Encrypt.


Jan. 27, 2016 tags:  SSL-TLS cryptography in-the-news infosec

Firefox 44 Drops RC4, Gets Push Notifications

SecurityWeek article quotes me about my favorite algorithm of all time, RC4.


Jan. 25, 2016 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 12.0

Another of the famous top ten lists for F5. Selecting the best of over 100 security features is a daunting task. I had considered using the darts-against-printed-spreadsheets approach, but ultimately just went through them all, one by one, and selected the best, just for you. Remember, these are the hardcore security doodads, of interest to network operators, security engineers and the paranoid.


Jan. 11, 2016 tags:  SSL-TLS cryptography ddos infosec

David Holmes Greatest Hits, 2015 Edition

Here's the complete list of everything authored by yours truly in 2015. Except the NC-17 stuff, which I've been told should remain unpromoted. Actually, this website you're reading right now is basically my greatest hits, but this blog post gathers just a single, awesome year of it.


Dec. 9, 2015 tags:  SSL-TLS cryptography infosec security-week

Paris Attacks: What kind of Encryption Does the PlayStation 4 Use, Anyway?

This is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other. And that the PS4 encryption was hiding their communications from Europol. So I decided to find out what kind of encryption the PS4 uses. And how resistant would it be to surveillance.


Dec. 8, 2015 tags:  SSL-TLS cryptography infosec

Implementing Light-Weight East-West Firewalls with F5

East-west data center traffic needs to be secured. Here's the easy way to do it with the load balancers you already have.


Nov. 30, 2015 tags:  cryptography in-the-news infosec

Predictable SSH Host Key Flaw Affects Raspberry Pi Devices

SecurityWeek article quotes me about entropy.


Nov. 12, 2015 tags:  SSL-TLS cryptography infosec security-week

In Memoriam: Goodbye to RC4, an Old Crypto Favorite

My love letter to my favorite algorithm of all time, RC4.


Oct. 28, 2015 tags:  SSL-TLS cryptography infosec security-week

What's the Disconnect with Strict Transport Security?

Strict Transport Security is a simple but very powerful security fix. So why does no-one use it? I explore the topic in this piece for SecurityWeek.


Sept. 24, 2015 tags:  SSL-TLS cryptography infosec security-week

How "Let's Encrypt" Will Challenge The CA Industry

My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.


Sept. 15, 2015 tags:  SSL-TLS cryptography

Preparing your F5 for new TLS requirements in Apple iOS 9 and OS X 10.11

Here's one that came right from the field - we knew that iOS9 was coming, and was going to include changes for cryptography. Here's my write-up of what knobs everyone was going to have to turn to be compatible.


Sept. 15, 2015 tags:  SSL-TLS cryptography infosec

How much of my traffic is still SSLv3?

When the POODLE vulnerability came out in 2014, it was hailed as the death knell for SSL version 3. In the quarter just prior to POODLE, 98% of Internet sites supported SSLv3, but a year later that support had dropped to just 33%. Here's an article that shows you how to tell how much of your traffic is still SSLv3.


Sept. 1, 2015 tags:  SSL-TLS cryptography infosec

The SSL Recommended Practices Guide

Cryptography has been a passion of mine since I was 9. NINE. I used to write code books to encrypt messages as a kid. So of course I gravitated to internet encryption, and spent a lot of time working with the Secure Sockets Library (SSL), which is now TLS. Here's a 50+ page magnum opus I wrote about the proper ways to use F5's SSL capabilities. Great stuff in here.


July 30, 2015 tags:  SSL-TLS cryptography infosec security-week

Stack Ranking SSL Vulnerabilities for the Enterprise

Not all SSL vulnerabilities are the same. Some are way worse than others, but often the media doesn't know that. My attempt to provide a relative scale based on quantifiable cryptographic assets. Also uses a cute Japanese Monster Alert level.


June 15, 2015 tags:  SSL-TLS cryptography travel in-the-news

Polish TV: Hackers and Banks and Stuff

Banks increasingly attacked by hackers

Attacks on banks happen everywhere. Banks all over the world are worried about hackers and the theft of money.

Here's a 3-minute interview with yours truly in Warsaw, Poland. They have a Polish guy talking over my audio track, which is neat if you know Polish. I don't.


June 13, 2015 tags:  SSL-TLS cryptography infosec

Remediating Logjam: an iRule Countermeasure

An in-depth piece about the SSL Logjam vulnerability. How vulnerable are you, and here's how to mitigate it if you are.


June 13, 2015 tags:  SSL-TLS cryptography

Remediating Logjam: an iRule Countermeasure

LOGJAM was an exploit against SSL published in 2015. Here's me picking it apart and showing how to mitigate it with F5. I wrote this in a hotel room in Glasgow. Can't remember why I was there. Just killing time between engagements I think.


May 6, 2015 tags:  SSL-TLS cryptography

BIG-IP SSL Cipher History

A tiny blog explaining this awesome graphic.


April 23, 2015 tags:  SSL-TLS cryptography

RSA2015 – SSL Everywhere

This was a great interview, got lots of coverage. Good chemistry between myself and the awesome Pete Silva. F5 Worldwide Security Evangelist, David Holmes, talks about why the internet is going SSL Everywhere. He explains why there’s been a surge in encrypted traffic and reveals some interesting statistics from his ongoing research on the SSL protocol. Always an engaging guest, David takes us through Forward Secrecy, Strict Transport Security and SSL v3. What they solve and how they are being used in the wild.


April 10, 2015 tags:  SSL-TLS cryptography infosec

Generational Whitehat Deficit will drive Silverline WAF

F5 launched a new web application firewall (WAF) in the cloud service. Here's my take on why it will succeed.


Feb. 17, 2015 tags:  SSL-TLS cryptography security-week

Why "Let's Encrypt" Won't Make the Internet More Trustworthy

I submitted this piece with multiple possible titles. This was one that got chosen - the most inflammatory. But hey, strong opinions sell, I get it. Read the piece and see if it stands on its own, title notwithstanding.


Feb. 15, 2015 tags:  SSL-TLS cryptography infosec security-week

How to Tap the Hardware Random Number Generator in Your Load Balancer

I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.


Feb. 10, 2015 tags:  SSL-TLS cryptography hackers security-week

Was SSL3 killed by a POODLE? Surveys says…Maybe!

I've been scanning the SSL universe since the summer of 2014, so I was able to see the effects of the POODLE vulnerability. Here's the writeup I did on both for SecurityWeek.


Feb. 9, 2015 tags:  SSL-TLS cryptography infosec

Why You Should Tap the Hardware Random Number Generator (RNG) in your BIG-IP

This is wicked important, and you should read it right now. This could improve your entire cryptographic security posture. For free. You're welcome!


Jan. 9, 2015 tags:  SSL-TLS cryptography infosec

2014: The Year of the Infrastructure Vulnerability?

An article I did for DataCenterKnowledge. A look back at 2014 and all the ShellShock and Heartbleed fallout for Data Center Knowledge. Nice, crisp piece. License for the xkcd image: https://xkcd.com/license.html


Dec. 18, 2014 tags:  SSL-TLS cryptography travel infosec security-week

The Virtual Currency Taking Over the World isn’t the One You Think

Here's an article where I compare Bitcoin (and other blockchain fintech) to another virtual currency, the one promoted and used by tens of millions in Africa: m-pesa.


Dec. 2, 2014 tags:  SSL-TLS cryptography infosec security-week

Convergence Replacement Throwdown! DANE vs. TACK vs. CT

I still get questions about this SecurityWeek piece, which is good because I'm quite proud of this one. It's a look at three different systems that tried to patch one of the nagging security "holes" in the Internet and why they all failed.


Nov. 6, 2014 tags:  cryptography travel infosec security-week

When Encryption isn't Enough

"The giraffe was probably dead." LOL that is the best line I've ever used to start an article. This SecurityWeek piece about Twitter security came out of a trip I did to Africa.


Nov. 3, 2014 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 11.6

Here's where the Top Ten really started to get funky. Check out the mood music while you read this. It's David Holmes.


May 17, 2014 tags:  SSL-TLS cryptography infosec hackers

Mitigating sslsqueeze and other no-crypto, brute force SSL handshake attacks

This is almost top secret stuff. I probably shouldn't even be writing about it, but others have, so if someone were to weaponize this, well I can't be held responsible. And at least I provided a defense.


April 30, 2014 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 11.5.0

This is the one that started it all! Okay so that means it was the worst, and yeah I hadn't figured out how to do the top ten in reverse order yet.


April 14, 2014 tags:  SSL-TLS cryptography

Heartbleed: Network Scanning, iRule Countermeasures

My technical piece about the Heartbleed vulnerability. Also includes my own rant about OpenSSL. And how to scan your own network for it. And other cool stuff related to it.


Feb. 21, 2014 tags:  cryptography hackers

Malware Analysis Report: Cridex Cross-device Online Banking Trojan

The malware analysis team at F5 put together a great report on the Dridex malware. Here is me summarizing and mansplaining it.


Dec. 12, 2013 tags:  cryptography hackers

True DDoS Stories: Nine Steps to DDoS Yourself

“Is it possible to quantify your own security posture as it relates to denial-of-service?” That’s the question a customer of ours has been asking themselves, and they came up with a plan to measure exactly that. They’re going to DDoS their own production systems. And here's how they're going to do it.


Nov. 25, 2013 tags:  cryptography hackers

True DDoS Stories: Black Friday DDoS Cupcakes

The famous US patriot hacker, Th3J35t3r, posted his recipe for holiday cupcakes. I made them but it turned out they were full of malware.


Jan. 30, 2013 tags:  SSL-TLS cryptography

DevCentral Video Podcast - 20130130

Here's an old DevCentral video podcast featuring yours truly! Talking about security stuff of course.


Jan. 27, 2012 tags:  SSL-TLS cryptography ddos infosec

The New Datacenter Firewall Paradigm

Written in 2012, this was a new way to think about Data Center Firewalls. Written with the amazing Lori MacVittie.


May 16, 2011 tags:  SSL-TLS cryptography ddos

SSL Renegotiation DOS iRule - Updates

Here's an update to the SSL Renegotiation DoS article. This iRule is tighter and more performant, if that's even a word.


May 3, 2011 tags:  SSL-TLS cryptography ddos

SSL Renegotiation DOS Attack - an iRule Countermeasure

This is one of the articles that launched my career as a technical evangelist. I worked on this blog article in my spare time (waiting for builds) as a developer. It hit at just the right time and got a few mentions in the right places. And now here I am, doing this for a living.