Peter, I'm lucky to have called you a friend. This happened too suddenly and quickly, I'm reeling. You were magic.
He exuded love and charm. He would be overjoyed to see me and give the best hugs whenever we ran into each other. He is this super accomplished person but that was never the conversation. I've known him for years and it's only now that I discover his LetsEncrypt involvement. It speaks volumes to him, he was so focused on everyone around him and filled with love for them, never self-promoting, just loving and being amazing. He would give the best hugs, a few seconds longer than most, and you could hear him smiling while he did so. Thank you Peter
Thank you for this. Captures my feelings perfectly as well. You're right about those hugs, hah! I don't think I ever even noticed before, looking back on memories that are now a decade old. Never self-promoting indeed!
> Peter has also cofounded or [co]-created many impactful privacy and cybersecurity projects, including Let's Encrypt, Certbot, Privacy Badger, HTTPS Everywhere, Panopticlick;
> Peter's AI policy work has mostly been on setting sound policies around high-stakes machine learning applications such as recidivism prediction, self-driving vehicles, cybersecurity, and military uses of AI. He also has an interest in measuring progress in the field as a whole. His technical projects have included SafeLife, a benchmark environment for reinforcement learning safety; studying the need and role for uncertainty in ethical objectives of powerful optimising systems, and evaluating calibration and overconfidence in large language models.
What utterly valuable work. I did not know of his existence until now, but I remember when I first used LetsEncrypt to get a cert for my website. It was so much easier than it had been before, and it was free.
I had always thought that LetsEncrypt, PrivacyBadger and HTTPS Everywhere somehow "felt"… similar. And now I learn that the same person had been behind them. What a sad day.
Getting certificates used to be annoying and cost money, so many, many websites just didn't bother. It used to be only bigger websites with multiple webmasters/ops people/developers supported https.
I don't have numbers to support this, but I think Letsencrypt and its related initiatives had an extremely significant impact on the amount of web traffic that is encrypted, resulting in a hugely safer and more secure experience for users and organizations around the world.
It would be a lovely gesture if Let's Encrypt added a special field to their issued certificates in honour of Peter's memory, much like many web servers around the globe send the "X-Clacks-Overhead: GNU Terry Pratchett" HTTP header.
I thought of the same idea myself, but (as someone who worked on Let's Encrypt with Peter) I don't think Let's Encrypt would be willing to make this choice for all of its subscribers, and I think Peter himself would place a higher priority on web sites getting encrypted than on the web sites paying tribute to him (and increasing the network traffic associated with a TLS handshake might provide a slight disincentive for some sites).
I wrote 10-15k rulesets for https-everywhere, starting when he was the maintainer. It was his generous understanding that got me from stupid to addicted, and I enjoyed our personal conversations going forward.
He asked to meet up, but it would have been at least a hundred miles to wherever he was speaking at the time. I regretted not putting the effort in - as well as being curious, kind, and understanding, he had the kind of systematizing mind that "sync"s so easily that he could almost instantly know what you're talking about and have a conversation about anything substantive. I regret losing touch.
I don't know what else to say. Shocked, saddened. I'm sure he'll be remembered for his contributions, more than most of us could ever hope for. Godspeed.
I met Peter at NIPS, and knew of him through the burning man tribe called Phage. In our brief encounter he took the time to listen, he seemed humble and free, like he was living his best life and true to himself. Sad to hear of his death, he made the world a better place.
He was a tutor in one of the CS subjects I took at Uni of Melb (I think it was Computer Graphics? not sure now). He was just way too smart - one of those true computer scientists. He spoke well, he was detailed and thorough. Wish his family all the best.
Peter was an amazing friend who advised my startup hCaptcha on its privacy policy and was incredibly useful for coming up with practical solutions to hard problems. I’m pretty sure he also advised OpenAI on some of the smarter things he did. On the same day Peter died they told me they were giving up on curing my father’s cancer. Fuck cancer
Sad to say I had never heard of Peter, I'm a younger guy and only been in the industry for a couple of years. What an incredible legacy. Hope he passed in peace and comfort. RIP
Let's Encrypt is something we all came to take for granted very quickly, but lots of us remember when getting an SSL certificate was an expensive and tedious process. Deprecating a billion dollar industry overnight and providing better security for internet users everywhere is a hell of a legacy to leave behind, and I hope one that will be an inspiration for generations to come.
I remember doing validation calls with Verisign in Switzerland to get an “extended validation” certificate for a customer. It felt like applying for a passport. We had to fax them stuff too IIRC.
Now I issue 100 certificates per day fully automated for customers using Caddy and LE.
I do not recall having to get EV certs for PCI. Our auditors were always fine with the Geotrust/Digicert DV certs. Is this part of the 4.x spec? Can you link to the requirement for EV certs?
Not really, but a large number of auditors (not sure if it's "most" but it's still surprisingly many) do insist on EV for some reason (and as you point out, it's not even mandated in the spec itself, at least the current ones). The insurance aspect, well it depends, our lawyers said that "insurance" on EV products (by DigiCert and Globalsign at least) are simply legalese garbage but I can remember a broad-spectrum cyberinsurer insisting on EV certs. Oh well, it's ultimately their territory, not ours.
Edit: thanks for reminding me that PCI-DSS 4.0 is now released - but it only states that you must securely deliver sensitive information over open networks (including internet) and explicitly bans all SSL versions and TLS lower than 1.2, which is the same as 3.2.1. It even references a NIST document which shows methods for automatic cert issuance featuring Certbot (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...).
For what it's worth, and given there is risk in doing this, one can work with their contacts at the payment processor to manually pin certs on both sides. There is operational risk and both sides have to be vigilant with monitoring and communication but that can be an even better assurance of transport security in some fringe PCI cases. I recall two of the major processors were open to this. No idea if they still are. I just would not put it in the internal official documented PCI or SOC1/2 controls or one would be stuck doing this. Could be useful as due diligence if legal are that nervous about the PCI environment. Maybe just documented in a JIRA or internal ticketing system.
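One way to implement the "pin on both sides and monitor" arrangement described in the comment above, as an added example that is not part of the original thread and not any commenter's or processor's code: pin the peer's SubjectPublicKeyInfo hash (the value HPKP and most mobile pinning libraries use, so a renewed certificate with the same key keeps working) from inside Go's standard `tls.Config.VerifyPeerCertificate` hook, and run a separate expiry check so the two operators learn about a needed pin rotation before it breaks traffic. The hostname `processor.example`, the `pinSet` type and the function names are hypothetical, and the certificates are generated in memory as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)) for a certificate.
// Pinning the key rather than the whole cert survives routine renewals that reuse the key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinSet is the set of SPKI pins agreed out of band with the peer.
// Keep the current pin plus the next one during a rotation so neither side is ever locked out.
type pinSet struct {
	pins map[string]bool
}

func newPinSet(pins ...string) *pinSet {
	p := &pinSet{pins: map[string]bool{}}
	for _, pin := range pins {
		p.pins[pin] = true
	}
	return p
}

// verifyPeer has the signature of tls.Config.VerifyPeerCertificate. It runs in addition to
// normal chain validation (it does not replace it) and fails the handshake unless the leaf
// certificate's key is one of the agreed pins.
func (p *pinSet) verifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("no peer certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("parsing peer leaf certificate: %w", err)
	}
	if pin := spkiPin(leaf); !p.pins[pin] {
		return fmt.Errorf("peer SPKI pin %s is not in the agreed set", pin)
	}
	return nil
}

// expiryWarning reports whether the pinned certificate expires within window of now.
// Both operators should run this on a schedule; a pin that expires unnoticed is the main operational risk.
func expiryWarning(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return cert.NotAfter.Sub(now) < window
}

// selfSignedCert builds a throwaway certificate in memory (constructed test data, not a real endpoint).
func selfSignedCert(cn string, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	now := time.Now()
	processor := selfSignedCert("processor.example", now.Add(20*24*time.Hour))
	imposter := selfSignedCert("processor.example", now.Add(20*24*time.Hour)) // same name, different key
	pins := newPinSet(spkiPin(processor))
	fmt.Println("agreed key accepted:", pins.verifyPeer([][]byte{processor.Raw}, nil))
	fmt.Println("same name, other key:", pins.verifyPeer([][]byte{imposter.Raw}, nil))
	fmt.Println("rotation due within 30 days:", expiryWarning(processor, now, 30*24*time.Hour))
}
```

To use it on a real connection, set `VerifyPeerCertificate: pins.verifyPeer` on the `tls.Config` of the client (and the server, with `ClientAuth` enabled, if the processor also pins you); the second, `imposter` certificate in `main` shows why the pin must be on the key and not on the subject name.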
> That industry value would have surely multiplied
Nope. The industry warning and devaluing unencrypted connections was enabled by low cost configuration and zero cost issuance.
There is almost no chance that browser vendors would have proceeded with "deprecation" of unencrypted HTTP traffic without free issuers; the response from businesses would have been overwhelmingly negative.
I went to high school with Peter - he was a warm, bright, inspiring friend. Although we lost contact in the early uni years, I credit the interest we shared in programming and problem solving with my career in computer science and have followed him and his considerable achievements from afar.
My thoughts go out to his family too, who I found to be as warm, welcoming and as intellectually curious as Pete.
This is horrible. pde was the person who asked me to get involved with Let's Encrypt, and introduced me to many of the people that I've worked with the past several years at both the EFF and ISRG.
The downvotes and flags were correct. You took the thread on a classic generic flamewar tangent. The guidelines specifically ask you not to do that: "Eschew flamebait. Avoid unrelated controversies and generic tangents." - https://news.ycombinator.com/newsguidelines.html.
Then you broke them again ("Did you know the mRNA shots") and again ("Pfizer tried to hide their clinical data") and again ("Downvotes are [etc.]") and again ("you're so reactive emotionally"), and so on, pouring fuel on the fire and taking the thread extremely offtopic. All that is obviously against the rules and amounts to vandalism.
We've been asking you to follow the site guidelines for years now:
In fact I'm finding it hard to find a recent comment by your account that isn't political battle, breaking the site guidelines, or (most often) both.
You're way into bannable territory. I'm not going to ban you right now, but if you keep this up we're going to have to. HN is trying to be a specific type of website. You're not just using it against the intended spirit, you're contributing to destroying it. We can't allow that, so please stop doing it.
You also deleted some comments around then, which presumably were even worse.
The main difference between your account and the GP, though, is that you were breaking the site guidelines within a day or two of creating your account. The threshold for banning is lower in that case, since such accounts are far more likely to be trolls (and often serial trolls). That, plus spam, are the cases when we use shadowbanning.
The GP account, by contrast, has been around for over a decade. In such cases, yes, we prefer to give warnings before banning. I think most users would consider that reasonable.
The same deal applies to you as to other banned accounts though: if you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
You’re being downvoted because his death wasn’t for “unknown reasons,” at least not that broadly. He was diagnosed with cancer, and he had pre-operation complications that resulted in death. Surgery is complicated, bodies are complicated, it unfortunately happens. Starting conspiracy theories off the backs of a well liked, and imo amazing person, is unpopular.
This is a wildly inappropriate comment to make on a notice of his passing. Would you spit out all this jibber jabber at a funeral? Please show more respect.
As someone who also lost the vaccine injury/side effect lottery:
There is a time and a place for this kind of discussion. That time is not now and that place is probably not on HN, or at the very least not on a thread mourning someone's death. You are breaking many site guidelines here; at the very least conducting ideological tirades and then editing your posts to complain about downvotes and insulting those who disagree with you. Any legitimate point you might be making is entirely undermined by the insensitive context you decided to start this conversation in.