With the publication of Messaging Layer Security (MLS) as an RFC, I’ve been pulled into some recent discussion about bringing end-to-end encryption (E2EE) to the web. This is a topic that comes up every so often and has weirdly haunted me throughout my career. (I spent my undergrad and graduate research years working on cryptography implementations in Javascript and how to use them in applications.)| Emily M. Stark
I’ve noticed that there’s a common misconception that Certificate Transparency is a replacement for HTTP public key pinning. If those words make no sense to you: HTTP public key pinning was a now-mostly-defunct mechanism whereby websites could “pin” themselves to a set of public keys, so that browsers would not accept a certificate for that website’s hostname unless one of those pinned public keys appeared in its certificate chain. Certificate Transparency is a system whereby certif...| Emily M. Stark
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be upgraded to HTTPS.| MDN Web Docs
Signed Exchanges allow websites to sign web content in the way that the content can be safely redistributed and verified where it was originally from.| Chrome for Developers