Your safety online shouldn’t be your problem — it should be the tech giants’.
Parisa Tabriz, nicknamed “Google’s Security Princess” and the company’s director of engineering, delivered the keynote speech at the Black Hat cybersecurity conference Wednesday in Las Vegas, where she discussed issues with the state of cybersecurity.
As cyberattacks loom over our everyday lives, with hackers targeting emails, credit cards and politics, there’s plenty to worry about security-wise. But security should be at the point where tech giants can protect everyone online while they’re casually surfing the web, Tabriz said in an interview on Tuesday.
Her ultimate goal for Google is to make it so that security is second nature — not something you would have to actively think about to achieve. And that’s up to the internet’s architects to fix, Tabriz noted.
“The end of the journey is for people creating content on the web, the vast majority of them don’t even have to think about it — it’s just by default,” Tabriz said. “I don’t know when that will happen, but I think things are moving in the right direction.”
These changes have been happening at Google for the last four years, but you might not have noticed them. Tabriz said Google’s approach has been to incrementally introduce new security features so it could ease people in without confusing them.
What she wants to avoid is creating “warning fatigue,” which is when a person becomes indifferent to warnings because they’ve popped up so frequently. Over the last four years of this effort, Google has found that people become too confused if it makes these changes quickly.
“A lot of security indicators related to HTTPS end up barfing out this ‘error, hey do you understand cryptography? Do you still want to go to where you want to go?’ and people just click through it,” Tabriz said. “We’ve done a lot to make warning messages more comprehensible and to understand what is helpful to users.”
You might have noticed some of these changes in the last two months.
For a while, Chrome would show a green lock with “Secure” written next to it to show people they were on a safe page. Tabriz said Google decided to get rid of it because it wanted security to be the default assumption, and slapping a label on it would just make it stand out more.
That’s also why in July, Chrome started showing “Not Secure” in the browser if you visited a website that did not offer HTTPS protection.
But there’s only so much Google can do on its own. For the internet to reach Tabriz’s goal, she said all tech giants would have to pitch in. She mentioned that Google partnered with Mozilla to push for HTTPS adoption, as well as with Let’s Encrypt to help make sure the websites you’re visiting are secure.
“It’s not OK if just Facebook and Google are just on HTTPS,” Tabriz said. “Even if it’s just an individual blog, you still want to have confidence that people reading your blog are actually getting the real content and it’s not being tampered with by your ISP.”