Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:30 PM
Connect Directly

Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push

Google engineering director Parisa Tabriz took the Black Hat keynote stage to detail the Chrome transition and share advice with security pros.

BLACK HAT USA 2018 – Las Vegas – Parisa Tabriz, director of engineering at Google, today shared the story of how the company made the switch to enforce HTTPS in Chrome, as well as lessons she learned in collaboration, management, and perseverance over the course of the multiyear project.

As Black Hat founder Jeff Moss put it in his introduction, there are "maybe 20 companies in the world who are in a position to actually do something about raising the level of security and resiliency for all of us."

Google is one of them. "Anything Google does that is an improvement essentially impacts us all," Moss added. Recently, for example, the company reached the end of a years-long initiative to label HTTP websites as "not secure" in an effort to push Web developers to embrace HTTPS encryption. The change went into effect last month with the release of Chrome 68; now HTTP sites display an alert to visitors.

The change wasn’t an easy one, as conference attendees learned today during Tabriz's keynote. She began her talk by detailing what she believes are the key steps to success in information security, and then weaved these points into the story of how HTTPS enforcement went from bold idea to reality.

Tabriz's first – and foremost – point: "Identify and tackle the root cause of the problems we uncover and not just be satisfied with isolated fixes."

She pointed to Project Zero, a team of Google security analysts tasked with finding zero-day bugs. The group was created in 2014 to hunt vulnerabilities in operating systems, browsers, antivirus software, and other tech. Its goal is to better understand offensive security as a means of understanding exploitation against defenders and ultimately lead to structural improvement and better security, Tabriz explained.

Her second point: "We have to be more intentional in how we improve long-arc defensive projects."

Staying motivated to see an effort through over a long period of time, as certain projects can take years depending on their scale, is crucial. As part of this, Tabriz emphasized the importance of identifying milestones, working toward those milestones, and celebrating progress along the way. 

Her third point: build a coalition of champions and supporters outside security so the team's efforts are successful. "There's an understanding we're generally working on similar goals," she said, adding that the cost of building exploits against high-profile targets has increased due to the efforts of people working together to address root causes of bad security.

Enforcing HTTPS: Idea to Implementation
Tabriz's ideas are evident in the story of Google's move to enforce HTTPS on the Chrome browser. 

"We wanted to make the risk of unencrypted traffic more comprehensible and also more consistent," she explained. The team had a clear vision of what that state should look like but knew it would take many years to achieve it. After all, the Web isn't an entity owned by any one person or institution, she noted, and they had to navigate an "ecosystem of constraints and incentives" – including industry organizations and browsers with different standards, proprietary ideas, and technology – in the process.

"To make a change like this it had to be gradual, and it had to be very intentional," Tabriz said. The process began back in 2014 with brainstorming how to change the browser's user interface, and continued in 2015 with a public UI proposal. Going public with the idea led to support and sentiment from the broader infosec community, which helped convince Chrome leadership this was worth pursuing.

Over the course of the project, Tabriz emphasizes the importance of celebrating milestones to keep up morale. The team created stickers of icons from their UI designs, for example, when those were finalized. 

Tabriz also pointed to the myriad ways in which their work could have failed to demonstrate lessons learned. Management could have killed the project, for example, when the timeline turned out to be years longer than anticipated. Because the team was able to regularly articulate progress and demonstrate positive impact in terms of overall code health, they were never told to discontinue the project. When the benefits aren't immediately clear, it's important to get people invested in the project's success.

The HTTPS push also could have failed without broader support from Google's leadership and external parties. The team worked with several Web standards groups to communicate the change, she explained, and the ability to kill progress could have come from outside the company.

"We rely on everyone working in technology to clear the path for a safer future," Tabriz said.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/13/2018 | 11:37:53 AM
Re: Internet bullying.
You both make some valid points; but I think the choice of vendors is less free than assumed.  There are certainly restrictions in the corporate and academic environments (some choices are not allowed, others forced - as they are necessary to certain, required, applications).  Even for individuals, many will use the browser best suited to their OS, or will choose to stay with their OS's browser so as not to provide even more data to yet another IT mega-corporation.  Are you going to go through the process of reconfiguring and learning new habits, every time your current browser vendor changes its policies or practices (assuming you'll even be aware of it)?  Maybe "bullying" isn't the right word, but "heavy-handed" - definitely. 
User Rank: Ninja
8/13/2018 | 11:09:44 AM
Re: Who decides?
There are just too many self-serving motivations for any individuals or corporate, political or activist entities, to be trusted with being the guardians of the cyber-universe, to dictate what is or isn't moral, ethical or otherwise acceptable behavior.  Yet, there is a dire need to hold individuals, groups, transient associations and other entities responsible for clear violations of the most fundamental principles of moral and ethical behavior.  Perhaps the problem lies in the tendency to redefine those traditional principles to suit whatever self-serving motivations currently serve us best.     
User Rank: Apprentice
8/13/2018 | 10:40:08 AM
Re: Internet bullying.
I guess we'll agree to disagree on this.  My thoughts on a browser update regarding a security alert doesn't amount to bullying.  Users are free to download and use any other browser besides chrome.  If, on the other hand, google had a monopoly on browsers, the point could be made that it's heavy-handed.  
User Rank: Strategist
8/9/2018 | 6:09:02 PM
Re: Internet bullying.
It is not the site which is insecure, but the communucations: from your browser to that site which, by the way Google is monitoring and deciding good/bad. Reality is the internet is not secure. We see daily sites and large corporations, Experion, Target, Facebook, etc., for example, as having HTTPS and insecure with data breaches. Facebook having HTTPS is before congress to explain why they are insecure.

A notification that any data to and from a site is not secure, means that Google is monitoring users activity. That alone should make you nervous. If it finds a site without HTRTPS, it can exclude it from it's search engine. That should be sufficient. But Google doesn't define insecure as having poor data security it defines dangerous as not having HTTPS.

Google is, in it's own discretion, is marking innocnt users of the internet as insecure and also in it's own hubris decided that it is the internet's sole policeman. If it wants to define a site as insecure it should strt with sites that don't protect data.
User Rank: Apprentice
8/9/2018 | 1:44:54 PM
Re: Internet bullying.
I disagree.  The reality is that "normal" users have little insight into what HTTPS means vs HTTP and how the transmissions differ regarding their personal and identifying information when using the web.  An extra click or so to get to the content of an "insecure" site which also advises users that a site isn't secure is good for everyone.  It forces sight owners to comply with basic security measures to protect user information in transit - especially in light of today's environment.  It also educates users on the inherent threats in HTTP.  To claim censorship is stretching a bit.  #IMHO
User Rank: Strategist
8/9/2018 | 1:17:10 PM
Internet bullying.
There is no doubt that securing data in transmission is a good thing. However. Google's dominant position does not give them the right to block or interrupt a user from reaching any site.

Though you may give your browser instructions to bypass their "WARNING" it still amounts to disruption of business, and a form of censorship.

In simple terms, no matter how good the intention, Google is bullying. It is internet bullying; it is a form of censorship and no matter who or why it is wrong to deny or impede legitimate and legal entities from conducting discource.

Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.