1-day current streak·16-day longest streak
I’m a cryptography engineer and open source maintainer, specializing in Go. From 2018 to 2022, I worked on the Go team at Google, where I was in charge of the…
I’m a cryptography engineer and open source maintainer, specializing in Go.
From 2018 to 2022, I worked on the Go team at Google, where I was in charge of the Go Security team. I implemented TLS 1.3 support in the Go standard library; co-designed the Go Checksum Database, a seamless solution for securing the Go software supply chain with transparency trees; and with my team was responsible for developing features such as native fuzzing and the Go Vulnerability Database, as well as handling vulnerability reports.
Before that, I was at Cloudflare, where I maintained the proprietary Go authoritative DNS server which powers 10% of the Internet, and led the DNSSEC and TLS 1.3 implementations.
Today, I maintain the cryptography packages that ship as part of the Go standard library (crypto/… and golang.org/x/crypto/…), including the TLS, SSH, and low-level implementations, such as elliptic curves, RSA, and ciphers. These packages are critical to virtually every Go application, securing HTTPS requests, implementing authentication, and providing encryption.
I also develop and maintain a set of cryptographic tools, including the file encryption tool age, the development certificate generator mkcert, and the SSH agent yubikey-agent.
Professional maintenance
Open-source software, despite being shared critical infrastructure, is maintained by volunteers or by full-time company employees. Neither is a sustainable model, the former for obvious reasons, and the latter because available resources at a single company do not scale with the size and success of the project, leading whole teams to burnout and churn.
I am testing a new model: professional independent full-time maintainers, who bill companies as contractors, providing ongoing maintenance and access to their expertise and to the project’s decision-making process.
I envision open source maintainer as a first-class profession, with independent maintainers organized in personal practices or small and medium-sized firms, earning compensation comparable to what senior software engineers are paid. I want maintainers to be empowered to keep doing what they do best, and be available as a resource to the companies that fund them.
I believe the best way to precipitate this change is to prove the model myself, and I plan to build the missing tools (legal contracts, best practices, professional associations…) and grow the model by example and by employing others.
None of this, both my open source work and establishing this model, would be possible without my clients, who've been forward-thinking enough to invest in something new.
!Eight logos in a grid: Sigsum, Smallstep, Ava Labs, Teleport, Tailscale, Sentry
-
mkcert ★ PINNED
A simple zero-config tool to make locally trusted development certificates with any names you'd like.
Go ★ 59k 1y agoExplain → -
age ★ PINNED
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
Go ★ 23k 3mo agoExplain → -
Heartbleed ★ PINNED
A checker (site and tool) for CVE-2014-0160
Go ★ 2.4k 5y agoExplain → -
whoami.filippo.io ★ PINNED
A ssh server that knows who you are. $ ssh whoami.filippo.io
Go ★ 2.4k 2mo agoExplain → -
yubikey-agent ★ PINNED
yubikey-agent is a seamless ssh-agent for YubiKeys.
Go ★ 2.9k 2y agoExplain → -
sunlight ★ PINNED
A Certificate Transparency log implementation and monitoring API designed for scalability, ease of operation, and reduced cost.
Go ★ 297 1d agoExplain → -
passage
A fork of password-store (https://www.passwordstore.org) that uses age (https://age-encryption.org) as backend.
Shell ★ 1.2k 1y agoExplain → -
gvt ▣
gvt was a minimal go vendoring tool, based on gb-vendor. Today, you want to use modules instead.
Go ★ 724 7y agoExplain → -
homebrew-musl-cross
Homebrew Formula for static-friendly musl-based GCC macOS-to-Linux cross-compilers
Ruby ★ 663 5mo agoExplain → -
awesome-age
A collection of projects and resources in the age file encryption ecosystem.
★ 593 22d agoExplain → -
captive-browser
A dedicated Chrome instance to log into captive portals without messing with DNS settings.
Go ★ 480 3y agoExplain → -
typage
A TypeScript implementation of the age file encryption format, available as an npm package or as a bundled .js file.
TypeScript ★ 453 6mo agoExplain → -
mostly-harmless
A bag of various unrelated projects with varying levels of serviceability and destructiveness.
JavaScript ★ 317 1d agoExplain → -
CVE-2016-2107
Simple test for the May 2016 OpenSSL padding oracle (CVE-2016-2107)
Go ★ 193 7y agoExplain → -
mlkem768
A Go implementation of the quantum-resistant key encapsulation method ML-KEM (formerly known as Kyber).
Go ★ 188 4mo agoExplain → -
edwards25519
filippo.io/edwards25519 — A safer, faster, and more powerful low-level edwards25519 Go implementation.
Go ★ 186 4mo agoExplain → -
vendorcheck ▣
Check that all your Go dependencies are properly vendored
Go ★ 177 5y agoExplain → -
ed25519-dalek-rustgo ▣
Wrapper for curve25519-dalek using rustgo, a technique to directly call Rust code from Go programs with near-zero overhead, meant to replace manually written assembly.
Go ★ 127 8y agoExplain → -
tracetools ▣
Tools to process Go trace logs into various profiles. Complement for "go tool trace".
Go ★ 109 9y agoExplain → -
zcash-mini ▣
A minimal portable Zcash z-address generator for offline / paper wallets
Go ★ 97 4y agoExplain → -
BERserk ▣
A Go implementation of the BERserk attack against Mozilla NSS ASN.1 parsing of PKCS#1 RSA signatures with e = 3. Complete of a certificate generation tool, works with CAs in the trust store.
Go ★ 95 11y agoExplain → -
hstools
Library and tools to interact with and analyze Tor HSDirs.
Go ★ 72 10y agoExplain → -
homebrew-gomod
A brew command to cleanly install binaries from Go modules.
Shell ★ 68 5y agoExplain → -
ecc-vs-lattices-long-bet
A long bet between Matthew Green and Filippo Valsorda on what will break first: ML-KEM-768 or X25519. You can join! Money goes to charity.
★ 66 3mo agoExplain → -
blockchainr
Exploiting ECDSA Failures in the Bitcoin Blockchain
Go ★ 63 11y agoExplain → -
intermediates
Package filippo.io/intermediates embeds a bundle of known unexpired, unrevoked intermediate certificates chaining to roots in the Mozilla Root Program
Go ★ 61 2d agoExplain → -
openbsd-fde-crack
Some code to bruteforce OpenBSD softraid encrypted drives - NOT A READY-TO-USE TOOL
Go ★ 58 10y agoExplain → -
travis-cron ▣
This web app allows you to trigger Travis CI builds periodically
Python ★ 55 11y agoExplain → -
gorebuild ▣
Extract the import path of Go binaries and rebuild them. No more stale GOROOT.
Go ★ 54 5y agoExplain → -
nistec
NIST P elliptic curves (re-exported from crypto/internal/nistec)
Go ★ 53 8mo agoExplain → -
bsky-backup-template
Template repository for setting up a new ATProto repository backup using GitHub Actions.
Shell ★ 50 7mo agoExplain → -
csrf
No description.
Go ★ 48 11mo agoExplain → -
otherport
LD_PRELOAD hack to redirect connections to other ports
C ★ 43 10y agoExplain → -
powersoftau ▣
An independent implementation of the Powers of Tau MPC ceremony.
Go ★ 34 8y agoExplain → -
youtube-dl ⑂
Small command-line program to download videos from YouTube.com and other video sites
Python ★ 32 10y agoExplain → -
torchwood
A collection of open source tlog tooling.
Go ★ 30 4d agoExplain → -
cpace
An EXPERIMENTAL Go implementation of the CPace PAKE, instantiated with the ristretto255 group.
Go ★ 29 5y agoExplain → -
HNTitles ▣
Tweet probabilistically generated HN post titles.
Python ★ 29 3y agoExplain → -
keygen
Deterministic key generation for Go.
Go ★ 25 18d agoExplain → -
xaes256gcm
Package xaes256gcm implements the XAES-256-GCM extended-nonce AEAD.
Go ★ 22 1y agoExplain → -
alum
A forwarding mail server inspired by @alum.mit.edu
Go ★ 20 10y agoExplain → -
hpke
No description.
Go ★ 19 7mo agoExplain → -
FiloSottile
No description.
★ 19 6mo agoExplain → -
bigmod
A constant-time library for big integers modulo a prime, usable for cryptographic applications. Exported from crypto/internal/bigmod, the backend of crypto/rsa and crypto/ecdsa.
Go ★ 16 6mo agoExplain → -
axel ▣
Axel Download Accelerator [git mirror]
C ★ 15 13y agoExplain → -
b2
Efficient, idiomatic Go library for Backblaze B2 Cloud Storage.
Go ★ 14 7y agoExplain → -
nest_thermostat ⑂
Python API and command line tool for talking to the Nest™ Thermostat
Python ★ 14 12y agoExplain → -
crypto.py
A collection of pure Python crypto implementations. All modules are standalone. Available in Python 2 and Python 3 flavors!
Python ★ 10 13y agoExplain → -
mldsa-py
Pure-Python ML-DSA (FIPS 204) signature verification. Python 3.8+, zero dependencies, public domain, single file, 400 lines.
Python ★ 9 3mo agoExplain → -
rage ⑂
A simple, secure and modern encryption tool (and Rust library) with small explicit keys, no config options, and UNIX-style composability.
★ 8 2y agoExplain → -
mldsa
No description.
Go ★ 7 2d agoExplain → -
blog.filippo.io
blog.filippo.io theme. Slightly tweaked 0.9.4 Casper. Pretty please, don't just clone it <3
CSS ★ 7 1y agoExplain → -
go ⑂
Go fork with personal experimental branches—probably nothing works. Not kidding.
Go ★ 7 1y agoExplain → -
chunked
No description.
Go ★ 6 3mo agoExplain → -
certificate-transparency-go ⑂
Auditing for TLS certificates (Go code)
Go ★ 6 1y agoExplain → -
Pendolo-OpenCV ▣
No description.
C++ ★ 6 14y agoExplain → -
Griffith ▣
Media collection manager [MIRROR]
Python ★ 5 14y agoExplain → -
dnscrypt-proxy ⑂
dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
★ 4 6y agoExplain → -
age-plugin-tpm ⑂
:key: TPM 2.0 plugin for age
Go ★ 4 2y agoExplain → -
bsky-backup
@filippo.abyssdomain.expert
Shell ★ 3 1d agoExplain → -
compress ⑂
Optimized Go Compression Packages
★ 3 10mo agoExplain → -
rxtls ⑂
rxtls is a hyper-optimized, per-core Certificate Transparency (CT) log processor built for one purpose: to extract and process 100,000+ X.509 certificates per second from the global CT ecosystem with zero GC, zero blocking, and total CPU saturation.
★ 3 11mo agoExplain → -
scure-base ⑂
Secure, audited & 0-deps implementation of bech32, base64, base32, base16 & base58
★ 3 2y agoExplain → -
homebrew-lite
Modified homebrew-core formula with fewer dependencies.
Ruby ★ 3 3y agoExplain → -
goversion ⑂
Print version used to build Go executables
Go ★ 3 5y agoExplain → -
github-actions-golang ⑂
GitHub Actions as CI for Go
★ 2 5y agoExplain → -
mux ⑂
Package gorilla/mux is a powerful HTTP router and URL matcher for building Go web servers with 🦍
★ 2 2y agoExplain → -
dnscontrol ⑂
Synchronize your DNS to multiple providers from a simple DSL
★ 2 2y agoExplain → -
codesearchguide.org ⑂
Everything you ever wanted to know about code search. (WIP, will be online soon!)
★ 2 5mo agoExplain → -
.github
No description.
★ 2 2y agoExplain → -
tailscale ⑂
The easiest, most secure way to use WireGuard and 2FA.
★ 2 4y agoExplain → -
torspec
Forked from git.torproject.org/torspec.git
Python ★ 2 8y agoExplain → -
libsodium-doc ⑂
Gitbook documentation for libsodium
★ 2 5y agoExplain → -
certificate-transparency ⑂
Auditing for TLS certificates.
C++ ★ 2 9y agoExplain → -
scrape-cmvp-mip
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list
HTML ★ 1 1d agoExplain → -
openssl ⑂
TLS/SSL and crypto library
★ 1 2y agoExplain → -
armory-boot ⑂
USB armory - boot loader
Go ★ 1 5mo agoExplain → -
homebrew-core ⑂
🍻 Default formulae for the missing package manager for macOS (or Linux)
Ruby ★ 1 3y agoExplain → -
draft-irtf-cfrg-hybrid-kems ⑂
Hybrid PQ/T Key Encapsulation Mechanisms
★ 1 7mo agoExplain → -
webtest ⑂
External copy of golang.org/x/website/internal/webtest
Go ★ 1 1y agoExplain → -
hpke-pq ⑂
Post-Quantum Algorithms for HPKE
★ 1 10mo agoExplain → -
disk-spinner ⑂
A burn-in tool for spinning rust HDDs
Rust ★ 1 1y agoExplain → -
ctail ⑂
Tail Certificate Transparency logs and extract hostnames
★ 1 11mo agoExplain → -
tls-tris ⑂
crypto/tls, now with 100% more 1.3. Archival fork as of August 2017.
Go ★ 1 8y agoExplain → -
boringssl ⑂
Mirror of BoringSSL
C ★ 1 1y agoExplain → -
tkey-ssh-agent ⑂
SSH Agent for TKey, the flexible open hardware/software USB security key 🔑
Go ★ 1 2y agoExplain → -
mint ⑂
A Minimal TLS 1.3 Implementation in Go
Go ★ 1 9y agoExplain → -
linux_ebooks ⑂
Commenting is hard.
Python ★ 1 12y agoExplain → -
filosottile.github.io ▣
An empty repository for redirecting filosottile.github.io to filippo.io (https://github.com/FiloSottile/filippo.io).
★ 1 7y agoExplain → -
crochet ⑂ ▣
Build FreeBSD images for RaspberryPi, BeagleBone, PandaBoard, and others.
Shell ★ 1 5y agoExplain → -
libsodium.js ⑂
libsodium compiled to Webassembly and pure JavaScript, with convenient wrappers.
HTML ★ 1 5y agoExplain → -
netviel ⑂
Web interface for the notmuch e-mail system
Python ★ 1 6y agoExplain → -
hs-airdrop ⑂
Decentralized airdrop to open source developers
★ 1 5y agoExplain → -
homebrew-age
No description.
★ 1 5y agoExplain → -
beancount-import ⑂
Web UI for semi-automatically importing external data into beancount
★ 1 5y agoExplain → -
controller-runtime ⑂
Repo for the controller-runtime subproject of kubebuilder (sig-apimachinery)
★ 1 5y agoExplain → -
star-battle-puzzle-party ⑂
No description.
★ 1 5y agoExplain → -
WPA-hazard
Deep into the default WPA generation algorithms
C ★ 1 14y agoExplain → -
hs-api-playground
Playground for the Hacker School API
Python ★ 1 11y agoExplain → -
dns ⑂
DNS library in Go
Go ★ 1 10y agoExplain → -
crypto-tls-bogo-shim
A shim to test Go crypto/tls with the BoringSSL test suite. Which is based on crypto/tls. So meta.
Go ★ 1 8y agoExplain → -
tamago-example ⑂
TamaGo - example application
Go ★ 0 17d agoExplain → -
rsc-cmd ⑂
No description.
Go ★ 0 1mo agoExplain → -
tamago ⑂
TamaGo - bare metal Go
Go ★ 0 5mo agoExplain → -
armory-ums ⑂
USB armory - Mass Storage firmware
Go ★ 0 5mo agoExplain → -
noble-post-quantum ⑂
Auditable & minimal JS implementation of public-key post-quantum cryptography
★ 0 6mo agoExplain → -
draft-irtf-cfrg-concrete-hybrid-kems ⑂
No description.
Rust ★ 0 8mo agoExplain → -
crlite ⑂
WebPKI-level Certificate Revocation via Multi-Level Bloom Filter Cascade
Go ★ 0 11mo agoExplain → -
CaliExportGpxer ⑂
Convert Calimoto data export (as provided by Calimoto support) into GPX files.
Go ★ 0 1y agoExplain → -
browser-compat-data ⑂
This repository contains compatibility data for Web technologies as displayed on MDN
★ 0 1y agoExplain → -
tldr.fail ⑂
Site for tldr.fail
★ 0 1y agoExplain → -
explore ⑂
Community-curated topic and collection pages on GitHub
★ 0 2y agoExplain → -
benchdiff ⑂
No description.
Go ★ 0 2y agoExplain → -
witness ⑂
Libraries and binaries for running witnesses for verifiable logs
★ 0 2y agoExplain → -
unsafe-assume-no-moving-gc ⑂
No description.
★ 0 3y agoExplain → -
hellogopher ⑂ ▣
Hellogopher: "just clone and make" your conventional Go project. Archival fork as of August 2017.
Makefile ★ 0 9y agoExplain → -
GoOracle ⑂ ▣
GoOracle is a Golang plugin for SublimeText that integrates the Go oracle tool.
Python ★ 0 11y agoExplain → -
PyScribe ⑂ ▣
A Python library to make debugging with print statements simpler and more effective.
Python ★ 0 11y agoExplain → -
sqlite ⑂
Go SQLite3 driver
★ 0 4y agoExplain → -
xmpp-client ⑂
An XMPP client with OTR support
★ 0 11y agoExplain → -
jq ⑂
Command-line JSON processor
C ★ 0 12y agoExplain → -
Ruzzola
Multi-language cheater for the Ruzzle(tm) game in CoffeeScript using Bloom filters
CoffeeScript ★ 0 13y agoExplain → -
gb ⑂
gb, the project based build tool for Go
Go ★ 0 10y agoExplain → -
go-libp2p-conn ⑂
A package for libp2p connections
Go ★ 0 8y agoExplain → -
go-libp2p-peer ⑂
PKI based identities for use in go-libp2p
Go ★ 0 8y agoExplain → -
dns-dnsop-black-lies
ID for "Compact DNSSEC Denial of Existence or Black Lies"
Makefile ★ 0 10y agoExplain → -
camlistore ⑂
Camlistore fork running on my personal machines. Usually just one or two patches ahead.
Go ★ 0 9y agoExplain →
No repos match these filters.