Endpoint

8/8/2018
06:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail

Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push

Google engineering director Parisa Tabriz took the Black Hat keynote stage to detail the Chrome transition and share advice with security pros.



BLACK HAT USA 2018 – Las Vegas – Parisa Tabriz, director of engineering at Google, today shared the story of how the company made the switch to enforce HTTPS in Chrome, as well as lessons she learned in collaboration, management, and perseverance over the course of the multiyear project.

As Black Hat founder Jeff Moss put it in his introduction, there are "maybe 20 companies in the world who are in a position to actually do something about raising the level of security and resiliency for all of us."

Google is one of them. "Anything Google does that is an improvement essentially impacts us all," Moss added. Recently, for example, the company reached the end of a years-long initiative to label HTTP websites as "not secure" in an effort to push Web developers to embrace HTTPS encryption. The change went into effect last month with the release of Chrome 68; now HTTP sites display an alert to visitors.

The change wasn’t an easy one, as conference attendees learned today during Tabriz's keynote. She began her talk by detailing what she believes are the key steps to success in information security, and then weaved these points into the story of how HTTPS enforcement went from bold idea to reality.

Tabriz's first – and foremost – point: "Identify and tackle the root cause of the problems we uncover and not just be satisfied with isolated fixes."

She pointed to Project Zero, a team of Google security analysts tasked with finding zero-day bugs. The group was created in 2014 to hunt vulnerabilities in operating systems, browsers, antivirus software, and other tech. Its goal is to better understand offensive security as a means of understanding exploitation against defenders and ultimately lead to structural improvement and better security, Tabriz explained.

Her second point: "We have to be more intentional in how we improve long-arc defensive projects."

Staying motivated to see an effort through over a long period of time, as certain projects can take years depending on their scale, is crucial. As part of this, Tabriz emphasized the importance of identifying milestones, working toward those milestones, and celebrating progress along the way. 

Her third point: build a coalition of champions and supporters outside security so the team's efforts are successful. "There's an understanding we're generally working on similar goals," she said, adding that the cost of building exploits against high-profile targets has increased due to the efforts of people working together to address root causes of bad security.

Enforcing HTTPS: Idea to Implementation
Tabriz's ideas are evident in the story of Google's move to enforce HTTPS on the Chrome browser. 

"We wanted to make the risk of unencrypted traffic more comprehensible and also more consistent," she explained. The team had a clear vision of what that state should look like but knew it would take many years to achieve it. After all, the Web isn't an entity owned by any one person or institution, she noted, and they had to navigate an "ecosystem of constraints and incentives" – including industry organizations and browsers with different standards, proprietary ideas, and technology – in the process.

"To make a change like this it had to be gradual, and it had to be very intentional," Tabriz said. The process began back in 2014 with brainstorming how to change the browser's user interface, and continued in 2015 with a public UI proposal. Going public with the idea led to support and sentiment from the broader infosec community, which helped convince Chrome leadership this was worth pursuing.

Over the course of the project, Tabriz emphasizes the importance of celebrating milestones to keep up morale. The team created stickers of icons from their UI designs, for example, when those were finalized. 

Tabriz also pointed to the myriad ways in which their work could have failed to demonstrate lessons learned. Management could have killed the project, for example, when the timeline turned out to be years longer than anticipated. Because the team was able to regularly articulate progress and demonstrate positive impact in terms of overall code health, they were never told to discontinue the project. When the benefits aren't immediately clear, it's important to get people invested in the project's success.

The HTTPS push also could have failed without broader support from Google's leadership and external parties. The team worked with several Web standards groups to communicate the change, she explained, and the ability to kill progress could have come from outside the company.

"We rely on everyone working in technology to clear the path for a safer future," Tabriz said.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
BPID
25%
75%
BPID,
User Rank: Strategist
8/9/2018 | 1:17:10 PM
Internet bullying.
There is no doubt that securing data in transmission is a good thing. However. Google's dominant position does not give them the right to block or interrupt a user from reaching any site.

Though you may give your browser instructions to bypass their "WARNING" it still amounts to disruption of business, and a form of censorship.

In simple terms, no matter how good the intention, Google is bullying. It is internet bullying; it is a form of censorship and no matter who or why it is wrong to deny or impede legitimate and legal entities from conducting discource.

 
dmatos123
50%
50%
dmatos123,
User Rank: Apprentice
8/9/2018 | 1:44:54 PM
Re: Internet bullying.
I disagree.  The reality is that "normal" users have little insight into what HTTPS means vs HTTP and how the transmissions differ regarding their personal and identifying information when using the web.  An extra click or so to get to the content of an "insecure" site which also advises users that a site isn't secure is good for everyone.  It forces sight owners to comply with basic security measures to protect user information in transit - especially in light of today's environment.  It also educates users on the inherent threats in HTTP.  To claim censorship is stretching a bit.  #IMHO
BPID
0%
100%
BPID,
User Rank: Strategist
8/9/2018 | 6:09:02 PM
Re: Internet bullying.
It is not the site which is insecure, but the communucations: from your browser to that site which, by the way Google is monitoring and deciding good/bad. Reality is the internet is not secure. We see daily sites and large corporations, Experion, Target, Facebook, etc., for example, as having HTTPS and insecure with data breaches. Facebook having HTTPS is before congress to explain why they are insecure.

A notification that any data to and from a site is not secure, means that Google is monitoring users activity. That alone should make you nervous. If it finds a site without HTRTPS, it can exclude it from it's search engine. That should be sufficient. But Google doesn't define insecure as having poor data security it defines dangerous as not having HTTPS.

Google is, in it's own discretion, is marking innocnt users of the internet as insecure and also in it's own hubris decided that it is the internet's sole policeman. If it wants to define a site as insecure it should strt with sites that don't protect data.
dmatos123
50%
50%
dmatos123,
User Rank: Apprentice
8/13/2018 | 10:40:08 AM
Re: Internet bullying.
I guess we'll agree to disagree on this.  My thoughts on a browser update regarding a security alert doesn't amount to bullying.  Users are free to download and use any other browser besides chrome.  If, on the other hand, google had a monopoly on browsers, the point could be made that it's heavy-handed.  
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
8/13/2018 | 11:09:44 AM
Re: Who decides?
There are just too many self-serving motivations for any individuals or corporate, political or activist entities, to be trusted with being the guardians of the cyber-universe, to dictate what is or isn't moral, ethical or otherwise acceptable behavior.  Yet, there is a dire need to hold individuals, groups, transient associations and other entities responsible for clear violations of the most fundamental principles of moral and ethical behavior.  Perhaps the problem lies in the tendency to redefine those traditional principles to suit whatever self-serving motivations currently serve us best.     
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
8/13/2018 | 11:37:53 AM
Re: Internet bullying.
You both make some valid points; but I think the choice of vendors is less free than assumed.  There are certainly restrictions in the corporate and academic environments (some choices are not allowed, others forced - as they are necessary to certain, required, applications).  Even for individuals, many will use the browser best suited to their OS, or will choose to stay with their OS's browser so as not to provide even more data to yet another IT mega-corporation.  Are you going to go through the process of reconfiguring and learning new habits, every time your current browser vendor changes its policies or practices (assuming you'll even be aware of it)?  Maybe "bullying" isn't the right word, but "heavy-handed" - definitely. 
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3937
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
CVE-2018-3938
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
CVE-2018-12537
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2018-12539
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
CVE-2018-3615
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.