Mozilla proposes PACT (Private Access Control Tokens), a new web standard to replace CAPTCHAs and invasive bot-detection with privacy-preserving rate limiting. The system uses three roles: Anchors (entities that vouch for users via scarce signals like subscriptions or phone numbers), Moderators (rate-limit enforcers), and Credentials (stateful cryptographic tokens). Built on Privacy Pass and Anonymous Credit Tokens, PACT uses issuer blinding and zero-knowledge proofs so sites only learn whether a user is within a rate limit — nothing more. Unlike Google's Web Environment Integrity or Apple's Private Access Tokens, PACT avoids tying web access to specific hardware vendors. Mozilla plans to bring draft specs to IETF and W3C, with Cloudflare and Chrome already involved.
Source: https://hacks.mozilla.org/2026/06/pact-anonymous-credentials-for-the-web. 8sync News only summarizes and links to the source; copyright of the content belongs to the author and the original source.
A ten-year retrospective crawl of the Tranco Top 1 Million websites measuring web security adoption as of June 2026. Key findings: HTTPS redirects now cover 658,038 sites (up from 62,043 in 2015), CSP has grown 12,360% over the decade but nearly half of all policies still contain unsafe-inline or unsafe-eval. HSTS is on 252,846 sites but only 21% are preload-eligible. Referrer-Policy tripled since 2022. New metrics this year include cookie security attributes, DMARC/SPF records, and cross-origin isolation headers (COOP/COEP). Cloudflare fronts over a third of responding sites, heavily skewing aggregate metrics. Over half the web still scores an F on security headers, though the F count dropped by ~124,000 since 2022. Part two will cover TLS, certificate lifetimes, and post-quantum cryptography.