Notes from the security panel panel at Edge con.
Security needs to be easier. Cross site scripting is still easy. Content Security Policy => csptester.io can test examples. Use HTTPS by default, prevents inadvertent leakage but it's hard and costs money => Let's Encrypt, gives out free certs and handles management.
Moving to TLS is becoming less of a technology problem, need to change the culture particularly around third party content. Set internal standards and enforce them. Short term financial impact but long term benefit. Infrastructure for ads is there but providers aren't using it. TLS and PKI reduce the need for identity security at other levels of the stack. Browsers are looking at improving UI round communicating security.
APIs: e.g. Geolocation over HTTP potentially exposes your location to anyone on the internet - moving to locking down APIs to more secure connections.
Developers aren't the road block to HTTPS - need to make the rest of the stakeholders care. Being too aggressive could be counter productive. Road map: infrastructure, browsers, developers, standards, ... We need to get this done otherwise it will be a historical embarrassment. Need to ensure we don't add too many barriers to entry - make the web elitist. We made SSH the default over Telnet because it's now easy - HTTPS needs to be the easy default.
CAs have been a race to the bottom, no longer need notorised documents. If we make HTTPS certs easier and the default we can start moving on new levels of authority.
The meaning of HTTPS is changing - it is not a mark of security, it's a mark of identity/origin: users should not have to care. Self signed certs still have a use. HTTPS only secures the connection between the browser and the server, the server may have insecure connections behind it. The lock UI gives a false sense of security - last mile HTTPS could be nullified by a weak server leaking information.
Don't use perfomance as an issue for HTTPS - it's not a genuine concern any more, it's secondary to security.
Once we've got content into the browser we need to handle the security once it's there. Encryption is HARD - even cryptologists struggle. Don't pretend that you are secure when you're not. Webcrypto API should be used for clientside encryption. Specs and implementations are evolving.
Middleboxes can be helpful for network management but this model won't necessarily survive the transition to HTTPS. If you have admin control over machines you can MITM connections to a middlebox - could be legitimate for places that own the hardware (e.g. corporates). How does this work for mobile networks that are doing traffic downsampling to save bandwith? Proxy browsers are an opt-in MITM that facilitates this.
Does EV have value to users? Mostly a UI thing.
Are there plans to improve or replace TLS? TLS 1.3 is under investigation, looking at addressing flaws in the protocol. Remove technical debt in the protocol. Should there be HSTS at other levels of the protocol?