No more confusion. HTTP/3 is the coming new HTTP version that uses QUIC for transport!
However, this means HTTP/3 needs
Mozilla's plan is to remove them in March 2020:
In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1.
Google's plan is to remove them in Chrome 81; in calendar terms that means the canary channel is affected from January 2020, and the release channel should follow at about the same time as Firefox:
In line with these industry standards, Google Chrome will deprecate TLS 1.0 and TLS 1.1 in Chrome 72. Sites using these versions will begin to see deprecation warnings in the DevTools console in that release. TLS 1.0 and 1.1 will be disabled altogether in Chrome 81. This will affect users on early release channels starting January 2020.
Although this is about browser-side support, a server that wants to support only TLS 1.2+ has to consider how old clients will be handled.
The impact on desktops will be smaller (upgrading is easier and there are more alternatives), while mobile platforms look like they need Android 4.4+ and iOS 7+, so it depends on the user base of each site or service...
TXT record setting; this is usually paired with DNSSEC to make sure the DNS lookup has not been tampered with.
The second is to fetch a policy file over HTTPS from a specific host (mta-sts). For example, the data for example.com is fetched from https://mta-sts.example.com/.well-known/mta-sts.txt.
The third is via the HTTPS certificate, which carries
It can be configured in more places than just DNS, which makes the whole architecture a bit complex...
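As an added example (not code from the original post), here is a small parser for the policy file fetched from the well-known path described above, written against the MTA-STS policy format of RFC 8461, plus a check of an MX hostname against the policy's mx patterns; the sample policy is constructed.

```python
import re
# Constructed sample of what https://mta-sts.example.com/.well-known/mta-sts.txt
# could return; not a real policy.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""
_LINE_RE = re.compile(r"^([a-z_]+)\s*:\s*(.*?)\s*$")

def parse_policy(text):
    """Parse an MTA-STS policy body into a dict; raise ValueError for a policy a
    sending MTA must treat as invalid. Unknown keys are ignored (forward compat)."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("malformed line: %r" % raw)
        key, value = m.groups()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx")
    return policy

def mx_matches(policy, mx_host):
    """True if mx_host is permitted; a leading '*.' matches exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            parts = host.split(".", 1)
            if len(parts) == 2 and parts[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False
```

A sending MTA would apply this after fetching the file over HTTPS with a validated certificate; a domain owner can run the same check against their own published policy and MX records to catch typos before switching the mode to enforce.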
EFF's article "Transport-Layer Encryption vs End-to-End Encryption - GIF" explains the difference between Transport-Layer Encryption and End-to-End Encryption, and closes with a GIF that illustrates it:
The example in the GIF is actually quite clear: with Transport-Layer Encryption the service provider can see the original content (in the GIF's example, that provider is Google), whereas with End-to-End Encryption it cannot; only the two communicating parties can know the original content.
The article also mentions Tor Messenger, which can sit on top of existing messaging software and layer End-to-End Encryption over it.
More precisely, the license will not be renewed; the old license only runs until 9/30:
Transport for London (TfL), which operates public transport in the capital, has made the decision not to renew the app-based taxi’s license in the city.
The license was renewed in May, but for a period of only five months. It will run out on 30th September, though the company will be allowed to continue to operate during the appeal process.
It looks like the main reason revolves around Greyball (a tool that uses an algorithm to evade law enforcement officers):
According to the TfL regulatory board, the ‘approach and conduct’ of Uber showed a lack of corporate responsibility, which could have resulted in public safety and security issues. It also raised concerns with the company’s ‘approach to explaining the use of Greyball, software that could be used to block regulatory bodies from gaining full access to the app.’
The new CEO has come out and apologized: 「Uber CEO apologizes for “mistakes” in London」.
Elie Bursztein, the head of Google’s anti-abuse research team, said at RSA Conference that SMTP STS will be a major impediment to man-in-the-middle attacks that rely on rogue certificates that are likely forged, stolen or otherwise untrusted. Google, Microsoft, Yahoo and Comcast are expected to adopt the standard this year, a draft of which was submitted to the IETF in March 2016.
Once this is in place, privacy protection for SMTP will be better...
— Jason Gay (@jasongay) September 4, 2016
Earlier this year our co-founder Ties had a flash of genius. Our boxes are about the same size as a (really really reaaaally massive) flatscreen television. Flatscreen televisions always arrive in perfect condition. What if we just printed a flatscreen television on the side of our boxes?
And just like that, shipping damage to our bikes dropped by 70–80%.
We were hoping to keep this small tweak quiet, but thanks to Twitter, the secret’s out.
Just don’t tell FedEx.
Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.
It mainly exploits a timing attack on the HSTS + CSP policy (when the site has been visited before and the browser holds an HSTS entry, the redirect is fast; when it has not, a network connection is made and the redirect is slower):
Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.
When an image gets blocked by CSP, its onerror handler is called. In this case, the onerror handler does some fancy tricks to time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image's domain before. If it's on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn't visited the image's domain.
Because of this technique, HTTPS Everywhere has to be turned off for the results to be more accurate.
Also seen on Zite: an analysis of the security-related HTTP headers on the top one million websites, 「Security Headers on the Top 1,000,000 Websites: November 2013 Report」.
The numbers have mostly gone up, but for me the key point is that it lists all the security-related HTTP headers...
It comes in handy for reviewing configurations...