Web Security – HTTP203


JAKE: Who doesn’t care about web security?

CHRIS PALMER: Right.

JAKE: Everyone should care about web security.

CHRIS PALMER: What kind of maniac would not care about web security?

JAKE: It’s very true.

CHRIS PALMER: I can’t even imagine that.

[MUSIC PLAYING]

JAKE: Who are you, and why?

EMILY SCHECHTER: My name is Emily Schechter. I’m product manager on the Chrome Security Team, and because I feel like it.

SURMA: That is probably one of the best reasons to give for existing.

JAKE: And?

CHRIS PALMER: I’m Chris Palmer. I’m an engineer on the Chrome Security Team. And I also feel like it.

JAKE: I always think of like, the security team at Google as being kind of like the cool kids. You’re sort of in–

SURMA: To me, it’s like the A-team.

JAKE: Yeah, like a sort of secret room where stuff happens that we’re not allowed to hear about.

SURMA: You know, black windows. You can’t look in.

JAKE: But I recently found some security bugs in browsers recently, so I feel like, am I in? What do I get? Do I get a goody bag? What’s the–

EMILY SCHECHTER: You get the secret key to the back room with the black windows.

JAKE: Oh. With these security bugs I’ve seen, do I need to write a PDF about it? Because it seems to me like security engineers–

SURMA: And do you need a logo, because they nowadays launch with a website and a logo. Right?

JAKE: A logo and a name. But why is it always PDF? Is it because HTML is inherently insecure? So? [LAUGHING] So secure engineers have to use PDF instead, which is a superior format? Is that?

EMILY SCHECHTER: I have– I mean, we do see a lot of the names and logos. In our talk, we’re going to be talking about the Meltdown and Spectre–

SURMA: Spectre, like a nice spooky ghost.

EMILY SCHECHTER: A nice spooky ghost, yeah, that–

SURMA: That was the other one.

EMILY SCHECHTER: That came out with a whole website with the whole explanation.

SURMA: That was some good branding. Like, that day was exciting.

JAKE: What’s your talk title?

CHRIS PALMER: What is our talk title?

JAKE: Just for the record–

CHRIS PALMER: I know what it is.

JAKE: They’re speaking in an hour.

SURMA: I mean, but you don’t speak out your talk title.

CHRIS PALMER: Me and metadata, like the title.

EMILY SCHECHTER: I believe our title is “Lessons Learned from Spectre and Meltdown, and What You Should Do To Keep Your Site Secure.”

SURMA: That’s a long title.

JAKE: Can you change it to “Palmer and Schechter on Meltdown and Spectre”?

CHRIS PALMER: Whoa. I can’t believe we didn’t think of that.

EMILY SCHECHTER: Yeah, that’s actually shocking.

CHRIS PALMER: That’s better.

EMILY SCHECHTER: We should. We truly should.

CHRIS PALMER: That’s actually way better.

JAKE: So some people would be unaware of what Meltdown and Spectre is. So–

SURMA: Can you summarize it in a sentence? Is that possible?

EMILY SCHECHTER: Do you want to take a crack?

CHRIS PALMER: Sure, sure.

SURMA: Let’s go.

CHRIS PALMER: So the impact of it is that you lose any guarantee of confidentiality when you have two programs running on the same chip.

JAKE: That sounds bad.

CHRIS PALMER: Oh, it’s terrible. Yeah. I lost sleep over it. I literally did.

JAKE: So, and this was like a huge revelation, right? So I imagine just, one day, you both went to work and like, what happened? Like, an email–

SURMA: The windows were turned black.

JAKE: Or what happened? Everyone just– someone ran in screaming? How did that play out?

EMILY SCHECHTER: Well, first, we took our key and we entered the secret room with the black windows. No, no, no. Yeah.

JAKE: Slide down the pole.

EMILY SCHECHTER: Slide down the poles.

JAKE: Everyone to the security, like, basement.

[LAUGHING]

SURMA: I think we’re delivering a good image of the security team.

JAKE: So was it just one morning, an email arrived of like, everything’s broken?

EMILY SCHECHTER: Yeah, I think–

CHRIS PALMER: That’s what I got.

EMILY SCHECHTER: Yeah. It’s essentially what I got too. And we ended up having to really put in quite a lot of work and collaboration, not only on the security team, but it was really multiple teams across Chrome and across Google, you know, everything from the Google Cloud team to Chrome team, V8 team. You know, people working on dev tools, and printing, and everything.

SURMA: It affects everything.

EMILY SCHECHTER: Everyone all really had to come together.

SURMA: A processor is, in a way, affected, I guess.

JAKE: Most computers have those these days.

SURMA: Yeah, it’s really sad. It was easier back in the day without these processors.

EMILY SCHECHTER: Yeah.

CHRIS PALMER: That’s when the problem was introduced. We also had to collaborate with other companies in order to even figure out what was going on. It took a while for people to really get a grip mentally on what was happening. It takes a good couple of days before you can even cope with it emotionally.

JAKE: Well, that’s what I think as well. The way I’d imagine it is the email is there, and it’s like, oh, here’s this thing, the CPU thing. And I don’t know. Maybe on the first read, you’d be like, eh. And then just sort of getting up, going–

SURMA: And then it sinks in, and you realize it’s everything.

JAKE: If you pour the coffee, and then just half way back to the desk, drop the coffee. Wait a minute. Is this a big deal?

EMILY SCHECHTER: The good news is that Chrome was working on this project called site isolation for a really, really long time. Like, around the order of five or seven years. And it turns out that site isolation is–

SURMA: And that’s what it says on the tin? It isolates the sites?

EMILY SCHECHTER: It isolates the sites, which makes it actually a really good way to mitigate some of the issues that are caused by Spectre. What ends up happening is that a tab can actually include multiple sites. Right? Like, a site could have an iframe that’s loading some ads, stuff like that. So the way site isolation changes things, is now each of those sites are now isolated.

SURMA: Circling back to your event loop stuff, if they share an event loop, it’s hard to put them in different processes, isn’t it?

JAKE: That’s right. Yes. Yes, it is actually the same thing in the same way that we have iframes in the same event with its parent page. It’s part of this problem.

SURMA: Yeah.

JAKE: So what do developers need to change about how they write sites in response to kind of how we’re going to be changing this process model?

EMILY SCHECHTER: So one thing that’s kind of a part of site isolation is called cross origin read blocking. And there are some things that developers need to do to sort of take advantage of cross origin read blocking. We’ll be talking about this in our talk this afternoon. So everyone should check that out.

SURMA: So yeah, you should definitely check that out.

EMILY SCHECHTER: Yep.

SURMA: How much does– the one security primitive on the web that I’m most [INAUDIBLE] CSP. How much does this have to do with mitigations against Spectre and Meltdown? Is this more an orthogonal thing about cross-site scripting and things? Does it have anything to do with Meltdown?

CHRIS PALMER: No, I don’t think so. It won’t help you against Meltdown. It doesn’t make it worse. It’s just orthogonal.

EMILY SCHECHTER: But it’s still important. So everyone should be using a content security policy. We’ll also talk about that in the talk this afternoon.

SURMA: Well, there you go.

JAKE: So it feels like a lot of security problems we have on the web is down to things that let one site make requests to another with the other site’s cookies without any permission for that. Is that just a mistake we made with the web? Is that something that, if we started again, we would just not allow?

CHRIS PALMER: Ah, that’s a tough one. I spent some time thinking about that. And I think that kind of composability and embed-ability is a key goodness of the web.

SURMA: I think we have on every list of what the web superpower is, and like, the linkable–

CHRIS PALMER: Yeah.

SURMA: It’s one of the things we always list.

CHRIS PALMER: That’s definitely on there. I think the thing to do is, depending on the situation– like with cookies, you know, we’re looking at the same site cookies. The new thing.

SURMA: Yeah.

CHRIS PALMER: I think that’s a good way to solve that kind of problem, because then the request is effectively anonymous, and it’s no different than what anyone could do. I think that deals with it pretty well.

JAKE: So same site cookies is when, like, if I’ve included an image on my site, it’s going to get my site’s cookies. But if I include an image to it to another site, this set of same site cookies is not going to be sent with those.

SURMA: It’s not the same site, therefore, no cookie. Right?

JAKE: Right.

SURMA: That’s the bottom line of it.

JAKE: And it’s the same with navigation as well. Is that true? If I’m navigating from one site to another, it doesn’t send the same site cookies?

CHRIS PALMER: I don’t know if that is true. I think if you click the link–

SURMA: That would be weird. Right? Like, if I linked from my page to Facebook, you would suddenly not be logged in?

CHRIS PALMER: Right. Because the navigation is a transfer of control to the new origin, where it should be OK.

SURMA: We’ll link to an article that explains what is true, because I don’t know right now.

JAKE: So one of the things that has been, I guess, your team’s mission for so long is to drive the web off HTTP and onto HTTPS. Are we done yet? Is it 100%?

EMILY SCHECHTER: We are not at 100% yet, but we are definitely seeing a lot of movement up and to the right. We started publishing this HTTPS transparency report back in, I think, early 2016. And what’s pretty cool is that we’ve been constantly updating that with the amount of HTTP that we’re actually seeing being used in Chrome.

SURMA: Do you remember the current number?

EMILY SCHECHTER: I think it’s somewhere around 70%, but it kind of varies per platform.

SURMA: I mean, that’s pretty decent for–

EMILY SCHECHTER: We see it definitely high on Chrome OS, probably more like 75% or 80%.

SURMA: Well, I think the problem we usually have is getting to the long tail, which nobody maintains anymore, so that 70% actually seems pretty good.

JAKE: But even 70%, it doesn’t seem like that long ago. I mean, I’ve been at Google five years, and it feels like when I started, the HTTPS still felt like very much in the minority of sites.

EMILY SCHECHTER: Oh, yeah. Yeah, I remember giving talks on HTTPS. And I remember when we first published the transparency report, we have this list of the HTTPS status for the top 100 sites on the web. When we first started talking about it, it was maybe 20 or 25 sites were using HTTPS by default, and now it’s more like 80. So it’s really just in the last two, two and a half years where we’ve seen this massive increase in the top sites.

JAKE: So how have you achieved that? What have you done to actually push that?

SURMA: I bet it’s encrypt.

JAKE: Oh, spoiler alert.

EMILY SCHECHTER: One is that I really think it’s been a push around the entire web ecosystem, not just Chrome, to really help things. So you know–

SURMA: That’s true.

EMILY SCHECHTER: Let’s Encrypt started, which is this new, free, automated certificate authority, which I think made everything much easier and cheaper for people.

SURMA: Yeah.

EMILY SCHECHTER: On the Chrome thing side, one thing we’ve been doing is changing the UI of HTTP sites to gradually mark them as non-secure. And upcoming this July, we were really excited. All the HTTP sites will be marked as not secure.

JAKE: It feels like the right time to do that, to start marking things as not secure, because even if–

SURMA: It’s not.

JAKE: Yes, OK. But that’s always been true. But now is the right time to do that, because if we did it five years ago, people would be seeing it for all the sites, and they’d become desensitized to it.

EMILY SCHECHTER: Yeah.

JAKE: Is that why we changed that?

EMILY SCHECHTER: Yeah. I think, you know, when people see warnings too often, they get what’s called warning fatigue, where they stop paying attention to warnings. And we also just thought that it could make the web seem scary if suddenly tons of sites that you’re used to seeing, which are, in fact, secure, now look scary. So we feel like we’ve kind of reached this point, where we can gradually turn around for everything.

SPEAKER: They’re doing a sound test.

SURMA: Well, can they not?

[LAUGHING]

SPEAKER: I think we’ll just keep going.

CHRIS PALMER: I think it’s perfect. I would stick with it. I would keep that part of the video.

[REWINDING SOUNDS]
