BLACK HAT USA 2018 – Las Vegas – Parisa Tabriz, director of engineering at Google, today shared the story of how the company made the switch to enforce HTTPS in Chrome, as well as lessons she learned in collaboration, management, and perseverance over the course of the multiyear project.
As Black Hat founder Jeff Moss put it in his introduction, there are "maybe 20 companies in the world who are in a position to actually do something about raising the level of security and resiliency for all of us."
Google is one of them. "Anything Google does that is an improvement essentially impacts us all," Moss added. Recently, for example, the company reached the end of a years-long initiative to label HTTP websites as "not secure" in an effort to push Web developers to embrace HTTPS encryption. The change went into effect last month with the release of Chrome 68; now HTTP sites display an alert to visitors.
The change wasn’t an easy one, as conference attendees learned today during Tabriz's keynote. She began her talk by detailing what she believes are the key steps to success in information security, and then weaved these points into the story of how HTTPS enforcement went from bold idea to reality.
Tabriz's first – and foremost – point: "Identify and tackle the root cause of the problems we uncover and not just be satisfied with isolated fixes."
She pointed to Project Zero, a team of Google security analysts tasked with finding zero-day bugs. The group was created in 2014 to hunt vulnerabilities in operating systems, browsers, antivirus software, and other tech. Its goal is to better understand offensive security as a means of understanding exploitation against defenders and ultimately lead to structural improvement and better security, Tabriz explained.
Her second point: "We have to be more intentional in how we improve long-arc defensive projects."
Staying motivated to see an effort through over a long period of time, as certain projects can take years depending on their scale, is crucial. As part of this, Tabriz emphasized the importance of identifying milestones, working toward those milestones, and celebrating progress along the way.
Her third point: build a coalition of champions and supporters outside security so the team's efforts are successful. "There's an understanding we're generally working on similar goals," she said, adding that the cost of building exploits against high-profile targets has increased due to the efforts of people working together to address root causes of bad security.
Enforcing HTTPS: Idea to Implementation
Tabriz's ideas are evident in the story of Google's move to enforce HTTPS on the Chrome browser.
"We wanted to make the risk of unencrypted traffic more comprehensible and also more consistent," she explained. The team had a clear vision of what that state should look like but knew it would take many years to achieve it. After all, the Web isn't an entity owned by any one person or institution, she noted, and they had to navigate an "ecosystem of constraints and incentives" – including industry organizations and browsers with different standards, proprietary ideas, and technology – in the process.
"To make a change like this it had to be gradual, and it had to be very intentional," Tabriz said. The process began back in 2014 with brainstorming how to change the browser's user interface, and continued in 2015 with a public UI proposal. Going public with the idea led to support and sentiment from the broader infosec community, which helped convince Chrome leadership this was worth pursuing.
Over the course of the project, Tabriz emphasizes the importance of celebrating milestones to keep up morale. The team created stickers of icons from their UI designs, for example, when those were finalized.
Tabriz also pointed to the myriad ways in which their work could have failed to demonstrate lessons learned. Management could have killed the project, for example, when the timeline turned out to be years longer than anticipated. Because the team was able to regularly articulate progress and demonstrate positive impact in terms of overall code health, they were never told to discontinue the project. When the benefits aren't immediately clear, it's important to get people invested in the project's success.
The HTTPS push also could have failed without broader support from Google's leadership and external parties. The team worked with several Web standards groups to communicate the change, she explained, and the ability to kill progress could have come from outside the company.
"We rely on everyone working in technology to clear the path for a safer future," Tabriz said.