EFF's article "Transport-Layer Encryption vs End-to-End Encryption - GIF" explains the difference between Transport-Layer Encryption and End-to-End Encryption, and closes with a GIF that illustrates it:
The example in the GIF is actually quite clear: with Transport-Layer Encryption the service provider can see the plaintext (in the GIF's example that provider is Google), whereas with End-to-End Encryption it cannot; only the two communicating parties can read the original content.
The article also mentions Tor Messenger, which can sit on top of existing messaging services and layer End-to-End Encryption over them.
Uber is going to lose the right to operate in London: "Uber has license to operate in London revoked", "London regulator announces Uber ban", "Uber London loses licence to operate".
More precisely, the licence is simply not being renewed; the current one only runs until 9/30:
Transport for London (TfL), which operates public transport in the capital, has made the decision not to renew the app-based taxi’s license in the city.
The license was renewed in May, but for a period of only five months. It will run out on 30th September, though the company will be allowed to continue to operate during the appeal process.
The main reason appears to revolve around Greyball (the tool Uber used to algorithmically evade regulators and law enforcement):
According to the TfL regulatory board, the ‘approach and conduct’ of Uber showed a lack of corporate responsibility, which could have resulted in public safety and security issues. It also raised concerns with the company’s ‘approach to explaining the use of Greyball, software that could be used to block regulatory bodies from gaining full access to the app.’
The new CEO came out and apologised: "Uber CEO apologizes for “mistakes” in London".
SMTP MTA Strict Transport Security is roughly the HSTS equivalent for SMTP STARTTLS (the draft was later published as RFC 8461, "MTA-STS"), and Google's people announced at RSA Conference that they are going to start using it: "SMTP STS Coming Soon to Gmail, Other Webmail Providers".
Elie Bursztein, the head of Google’s anti-abuse research team, said at RSA Conference that SMTP STS will be a major impediment to man-in-the-middle attacks that rely on rogue certificates that are likely forged, stolen or otherwise untrusted. Google, Microsoft, Yahoo and Comcast are expected to adopt the standard this year, a draft of which was submitted to the IETF in March 2016.
Once this is deployed, an attacker who strips STARTTLS or presents an untrusted certificate can no longer make the sending MTA silently fall back to plaintext, so the privacy of SMTP traffic improves considerably...
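The mechanism has three pieces: a DNS TXT record at `_mta-sts.<domain>` that announces a policy id, a policy file fetched over HTTPS from `https://mta-sts.<domain>/.well-known/mta-sts.txt`, and a rule that says what the sender does when the receiving MX does not match the policy or the TLS handshake fails. The following is an added example written for this post (not Google's or any MTA's implementation); the formats follow RFC 8461, and the domain, MX names and policy text are constructed samples.

```javascript
// Added example: minimal MTA-STS policy parsing and delivery decision,
// written for this post. Not production MTA code; sample data is constructed.

// Parse the "_mta-sts.<domain>" TXT record, e.g. "v=STSv1; id=20170922T000000Z".
function parseStsTxt(txt) {
  const fields = {};
  for (const part of txt.split(';')) {
    const [k, v] = part.split('=').map((s) => s.trim());
    if (k) fields[k] = v;
  }
  if (fields.v !== 'STSv1' || !fields.id) throw new Error('not an STSv1 record');
  return { id: fields.id };
}

// Parse the policy body served at https://mta-sts.<domain>/.well-known/mta-sts.txt
function parsePolicy(text) {
  const policy = { version: null, mode: null, mx: [], maxAge: null };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const idx = line.indexOf(':');
    if (idx < 0) throw new Error(`bad policy line: ${line}`);
    const key = line.slice(0, idx).trim();
    const value = line.slice(idx + 1).trim();
    switch (key) {
      case 'version': policy.version = value; break;
      case 'mode': policy.mode = value; break;
      case 'mx': policy.mx.push(value.toLowerCase()); break;
      case 'max_age': policy.maxAge = Number(value); break;
      default: break; // unknown keys are ignored for forward compatibility
    }
  }
  if (policy.version !== 'STSv1') throw new Error('unsupported policy version');
  if (!['enforce', 'testing', 'none'].includes(policy.mode)) throw new Error(`bad mode: ${policy.mode}`);
  if (!Number.isInteger(policy.maxAge) || policy.maxAge < 0) throw new Error('bad max_age');
  return policy;
}

// An MX hostname matches a policy "mx" entry exactly, or through a leading
// "*." wildcard that covers exactly one label ("*.example.com" matches
// "mail.example.com" but not "example.com" or "a.b.example.com").
function mxMatches(mxHost, pattern) {
  const host = mxHost.toLowerCase().replace(/\.$/, '');
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(2);
    if (!host.endsWith('.' + suffix)) return false;
    const label = host.slice(0, host.length - suffix.length - 1);
    return label.length > 0 && !label.includes('.');
  }
  return host === pattern;
}

// What the sending MTA does for one MX, given the policy and whether the
// STARTTLS handshake validated against a trusted certificate for that MX.
//   'deliver'            - policy satisfied (or no policy)
//   'refuse'             - enforce mode: do not deliver, try another MX or defer
//   'deliver-and-report' - testing mode: deliver anyway, but report the failure
function deliveryDecision(policy, mxHost, tlsOk) {
  if (policy.mode === 'none') return 'deliver';
  const matched = policy.mx.some((p) => mxMatches(mxHost, p));
  if (matched && tlsOk) return 'deliver';
  return policy.mode === 'enforce' ? 'refuse' : 'deliver-and-report';
}

// Constructed sample records for a hypothetical example.com deployment.
const SAMPLE_TXT = 'v=STSv1; id=20170922T000000Z';
const SAMPLE_POLICY = [
  'version: STSv1',
  'mode: enforce',
  'mx: mail.example.com',
  'mx: *.mx.example.net',
  'max_age: 604800',
].join('\n');
```

With `mode: enforce`, `deliveryDecision` refuses to deliver to an MX that is not listed or whose TLS handshake does not validate; switching the sample to `mode: testing` turns those refusals into delivery plus a report, which is how a domain rolls the policy out before enforcing it.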
In "Our secret's out." I saw how VanMoof (a bicycle company) solved the problem of shipping companies breaking their bikes every single time XDDD
Earlier this year our co-founder Ties had a flash of genius. Our boxes are about the same size as a (really really reaaaally massive) flatscreen television. Flatscreen televisions always arrive in perfect condition. What if we just printed a flatscreen television on the side of our boxes?
And just like that, shipping damage to our bikes dropped by 70–80%.
We were hoping to keep this small tweak quiet, but thanks to Twitter, the secret’s out.
Just don’t tell FedEx.
Stripe's announcement of its plan to retire TLS 1.0 and TLS 1.1 ("Upgrading to SHA-2 and TLS 1.2") has a section titled:
Why SHA-1, TLS 1.0 and 1.1 are insecure
But the article never actually says why TLS 1.1 is insecure.
Searching the Wikipedia "Transport Layer Security" entry, the relevant part should be the Data integrity section: TLS 1.1 supports neither HMAC-SHA256/384 nor AEAD cipher suites, only the weaker HMAC-MD5 and HMAC-SHA1 (TLS 1.2 also moved the PRF and the handshake signatures off the MD5/SHA-1 combination). In other words, even with a good cipher, a TLS 1.1 connection cannot use AES-GCM or ChaCha20-Poly1305 at all.
I came across the "sniffly" tool, which uses HSTS state to detect which sites you have visited; the code is at "diracdeltas/sniffly":
Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.
The test site is here; the author built the target list from Alexa's site rankings, so popular sites should all be included...
At its core it is a timing attack on HSTS + a CSP policy: if you have visited a site and the browser holds an HSTS entry for it, the HTTP-to-HTTPS redirect is an internal upgrade and fails fast; if you have not, it is slow because a real network request has to be made:
Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.
When an image gets blocked by CSP, its onerror handler is called. In this case, the onerror handler does some fancy tricks to time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image's domain before. If it's on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn't visited the image's domain.
Because of this technique, HTTPS Everywhere has to be turned off for the results to be accurate: it rewrites HTTP requests to HTTPS on its own, independent of the browser's HSTS state, so the timing no longer reflects whether the site was visited.
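Here is the technique as a browser-side sketch, an added example written for this post rather than the code from diracdeltas/sniffly. The threshold value and the way the CSP is installed are my assumptions; sniffly calibrates against hosts that are known not to be visited instead of using a fixed number. Two caveats a practitioner will want: CSP Level 3 says an `http:` source expression also matches `https:` URLs, so whether the block still fires depends on the browser, and the measurement is only meaningful for hosts that answer plain HTTP with a redirect to HTTPS.

```javascript
// Added example sketching the sniffly technique: my own code, not the
// diracdeltas/sniffly sources. The DOM parts run in a browser page; the pure
// functions at the top also run under Node.

// Split between "internal HSTS upgrade" (about a millisecond) and "real
// network round-trip" (tens to hundreds of ms). Fixed value is an assumption;
// calibrate it per browser/network against a host you know is unvisited.
const HSTS_THRESHOLD_MS = 10;

// Classify one blocked image load by how long it took to fail.
function classifyTiming(elapsedMs, thresholdMs = HSTS_THRESHOLD_MS) {
  return elapsedMs < thresholdMs ? 'visited' : 'not-visited';
}

// Plain http:// probe URL with a cache-buster, so a cached response cannot
// short-circuit the network path and look like an HSTS hit.
function probeUrl(domain, nonce) {
  return `http://${domain}/?sniff=${encodeURIComponent(nonce)}`;
}

// Map { domain: elapsedMs } to { domain: 'visited' | 'not-visited' }.
function classifyBatch(timings, thresholdMs = HSTS_THRESHOLD_MS) {
  const result = {};
  for (const [domain, ms] of Object.entries(timings)) {
    result[domain] = classifyTiming(ms, thresholdMs);
  }
  return result;
}

// --- browser-only part below ---

// The CSP from the sniffly write-up: images may only load over HTTP. An
// HSTS-upgraded https:// request is then blocked at once, without touching
// the network. sniffly ships this in the page's HTML; inserting it
// dynamically is my shortcut and relies on the browser honouring meta CSP
// added at runtime (assumption).
function installImageCsp() {
  const meta = document.createElement('meta');
  meta.httpEquiv = 'Content-Security-Policy';
  meta.content = 'img-src http:';
  document.head.appendChild(meta);
}

// Time how long the probe image takes to be blocked. A load that succeeds
// (host serves an image over plain HTTP) carries no information: Infinity
// classifies as not-visited.
function timeProbe(domain) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    img.onerror = () => resolve(performance.now() - start);
    img.onload = () => resolve(Infinity);
    img.src = probeUrl(domain, Date.now());
  });
}

async function sniff(domains) {
  installImageCsp();
  const timings = {};
  for (const domain of domains) timings[domain] = await timeProbe(domain);
  return classifyBatch(timings);
}

if (typeof document !== 'undefined') {
  // Constructed target list; sniffly uses the Alexa top sites.
  sniff(['example.com', 'example.net']).then((r) => console.log(r));
}
```

Load this in a page over HTTPS with HTTPS Everywhere disabled, as the post notes, and compare the result against a site you know you have visited. The defence on the site side is the one the post already implies: once a domain is on the HSTS preload list, every browser answers the probe fast and the timing says nothing about history.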
Also seen on Zite: an analysis of the security-related HTTP headers across the top one million websites, "Security Headers on the Top 1,000,000 Websites: November 2013 Report".
The numbers have mostly gone up, but what matters to me is that it lists all the security-related HTTP headers in one place...
Handy for reviewing my own settings against...