I'm David Llewellyn-Jones and this is my homepage. I'm a researcher in computer security who's also interested in programming and graphics. You might be interested in my research, my software or my random musings.

Want to know more about me? Here's a personality sketch written by a psychologist when I was in school.

“David is of high intelligence, although lacking in true creativity. He has a need for order and clarity, and for neat and tidy systems in which every detail finds its appropriate place. His writing is rather dull and mechanical, occasionally enlivened by somewhat corny puns and by flashes of imagination of the sci-fi type. He has a strong drive for competence. He seems to have little feel and little sympathy for other people and does not enjoy interacting with others. Self-centered, he nonetheless has a deep moral sense.”

Wow. Harsh. But disturbingly accurate.

11 Apr 2017 : Explicit delegation using configurable cookies
A preprint of my paper published with Graeme Jenkinson and Frank Stajano, discussing how configurable Web cookies can be used for account delegation, is now up on my publications page. The paper should appear in a Springer LNCS volume in due course.
8 Mar 2017 : Come develop code with us on the Pico project
At Pico we're looking for an exceptional programmer, ideally with iOS/macOS experience, to help us rid the world of passwords. If you're interested in joining an amazing team at the University of Cambridge, check out the details on the job site. Closing date is 18th April.
4 Mar 2017 : Departing StartCom 1st Feb, arriving Let's Encrypt 4th March
My thirty day journey moving from StartCom to Let's Encrypt is finally over. My home server at is now secured using a Let's-Encrypt-signed certificate, and from what I can tell, it seems to be working great. StartCom may or may not have served me well (free certificate signing: good; issuing backdated SHA-1 certs: bad), but allowing webmasters access to signed certs for TLS at minimal cost is really important in my view. It's by far the best way to improve security on the Web right now. I'm glad Let's Encrypt has picked up the mantle (and given me a free certificate!).
1 Feb 2017 : My certificates have been revoked!
I discovered yesterday that Mozilla have revoked the StartCom root certificate in Firefox. How did I discover this? After an update to Firefox 51 I find my own website now fails to load, giving a certificate error instead. Admittedly StartCom's service is free, but it would have been nice to be warned by someone.
So while I've enjoyed StartCom's service for many years, it looks like I'll be moving to Let's Encrypt. Which would be fine if I hadn't put certificate pinning on my site, which will prevent the new cert from being accepted for 30 days. I guess that's what happens if you try to be too cocky with security on a budget!
9 Dec 2016 : Cracking PwdHash
The paper Graham Rymer and I wrote for Passwords 2016 on Cracking PwdHash is now available on my publications page. Check out the blog post about it for a bit more detail.