Who doesn't care about web security? Right. Everyone should care about web security. What kind of maniac would not care about web security? It's probably true. I can't even imagine that. Who are you and why? My name is Emily Schechter. I'm product manager on the Chrome Security team. And because I feel like it. That is probably one of the best reasons to give for existing. I'm Chris Palmer. I'm an engineer on the Chrome Security team. And I also feel like it. I always think of the security team at Google as being kind of like the cool kids. You're sort of in. It means like the A team. Yeah, like it's not a secret room where stuff happens that we're not allowed to hear about. Like windows, you can't look in. But I recently found some security bugs in browsers. So I feel like am I in? What do I get? Do I get a goodie bag? What's the... You get the secret key to the back room with the black windows. With these security bugs I've seen. Do I need to write a PDF about it? Because it seems to me like security engineers. And do you need a logo? Because they nowadays launch with a website and a logo. Logo and a name. But why is it always PDF? Is it because HTML is inherently insecure? So security engineers have to use PDF instead, which is a superior format. Is that? I have. I mean, we do see a lot of the names and logos. In our talk, we're going to be talking about Meltdown and Spectre. You have like a nice spooky ghost. A nice spooky ghost. Yeah, they came out with a whole website, with the whole explanation. That was some good branding. Like that day was exciting. What's your talk title? What is our talk title? I remember what it is. They're speaking in an hour. I mean, but you don't speak out your talk title. I mean metadata, like the title. I believe our title is Lessons Learned from Spectre and Meltdown and What You Should Do to Keep Your Site Secure. That's a long title. Can you change it to Palmer and Schechter on Meltdown and Spectre?
Whoa, I can't believe we didn't think of that. Yeah, that's actually shocking. That's better. We truly should. Some people would be unaware of what Meltdown and Spectre is. So can you summarize it in a sentence? Is that possible? Do you want to take a crack? Sure, let's go. So the impact of it is that you lose any guarantee of confidentiality when you have two programs running on the same chip. Oh, it's terrible. I lost sleep over it. I literally did. So, and this was like a huge revelation, right? So I imagine just one day you both went to work and what happened? Like an email landed. The windows were turned black. Or what happened? Everyone just, someone ran in screaming. Well, how did that play out? Well, first we took our key and we entered the secret room with the black windows. As we do every day. Yeah. Slide down the pole. Slide down the pole. Is everyone to the security, like, basement? Is that what it is? I think we were delivering a good image of security. So was it just one morning, an email arrived, of like, everything's broken? Yeah, I think. Yeah, it's essentially what I got too. And we ended up having to really put in quite a lot of work and collaboration. Like not only on the security team, but it was really multiple teams across Chrome and across Google, you know, from everything from the Google Cloud team to Chrome team, V8 team, you know, people working on, like DevTools and printing and everything sort of. It affects everything. Everyone and all really had to come together. It is in a way affected, I guess. Most computers have those these days. It's really sad. It was easier back in the day without these processors. That's when the problem was introduced. We also did collaborate with other companies in order to, like, even figure out what was going on. Like, it took a while for people to really get a grip mentally on what was happening. Like, it takes a good couple of days before you can even cope with it emotionally.
Well, that's what I think as well. The way I'd imagine it is the email's there and it's like, oh, here's this thing, the CPU thing. And I don't know, maybe on the first read, you'd be like, meh. And then just sort of, you'll get up going. And then it's like, since then, you realize it's everything. If you pour the coffee and then just halfway back to the desk, drop the coffee. Wait a minute, this is a big deal. The good news is that Chrome was working on this project called Site Isolation for a really, really long time, like around the order of five or seven years. And it turns out that Site Isolation is... And that's what it says on the tin: it isolates sites. It isolates the sites, which makes it actually a really good way to mitigate some of the issues that are caused by Spectre. What ends up happening is that a tab can actually include multiple sites. Like, a site could have an iframe that's loading some ads, stuff like that. So the way Site Isolation changes things is now, each of those sites is now isolated. Sort of back to your event loop stuff, like if they share an event loop, it's hard to put them in different processes, isn't it? That's right, yes. Yeah, so it is actually the same thing in the same way that we have iframes in the same event loop as the parent page, it's part of this problem. So what do developers need to change about how they write sites in response to kind of how we're going to be changing this process model? So one thing that's kind of a part of Site Isolation is called cross-origin read blocking. And there are some things that developers need to do to sort of take advantage of cross-origin read blocking. We'll be talking about this in our talk this afternoon, so I want you to check that out. So yeah, definitely check that out. How much does, I mean, the one security primitive on the web, but I'm mostly web with CSP, how much does this have to do with mitigations against Spectre and Meltdown?
It's just more an orthogonal thing about, you know, cross-site scripting and things. Does it have anything to do with Meltdown? No, I don't think so. It won't help you against Meltdown. It doesn't make it worse. It's just orthogonal. But it's still important. So everyone should be using a content security policy. We'll also talk about that in the talk this afternoon. Well, there you go. Do you think that, so it feels like a lot of security problems we have on the web is down to things that like, let one site make requests to another with the other site's cookies without any permission for that. Is that just a mistake we made with the web? Is that something like, if we started again, we would just not allow? That's a tough one. I spent some time thinking about that and I think that kind of composability and embeddability is a key goodness of the web. I mean, we have a list of what the web's superpowers are, like the linkability and composability. It's one of the things we always list. That's definitely on there. I think the thing to do is, depending on the situation, like with cookies, you know, we're looking at SameSite cookies, the new thing, I think that's a good way to solve that kind of problem because then the request is effectively anonymous and it's no different than what anyone could do and I think that deals with it pretty well. So SameSite cookies is when, like if I've included an image on my site, it's gonna get my site's cookies but if I include an image from another site, like with this set of SameSite cookies, it's not gonna be the same with those. It's not the same site, therefore no cookie, right? Right. That's the bottom line of it. And it's the same with navigations as well. Is it true that if I'm navigating from one site to another, it doesn't send the SameSite cookies? I don't know if that is true. I think if you click a link, it'll be weird a little bit, right?
Like if I linked from my page to Facebook, you would suddenly not be logged in. Right, because the navigation is a transfer of control to the new origin where it should be okay. Well, link to an article that explains what is true because I don't know right now. Yeah. So one of the things that like, it's been, I guess your team's mission for so long is to drive the web off HTTP and onto HTTPS. Are we done yet? Is it 100%? We are not at 100% yet, but we are definitely seeing a lot of movement up and to the right. We started publishing this HTTPS transparency report back in, I think, early 2016. And what's pretty cool is that we've been constantly updating that with, you know, the amount of HTTP that we're actually seeing being used in Chrome. Do you remember the current number? I think it's somewhere around 70%, but it kind of varies per platform. You see it's definitely high on, you know, Chrome OS, probably more like 75 or 80. I mean, the problem we usually have is getting to the long tail, which nobody maintains anymore, so that we're at 70% is actually, seems pretty good. But even 70%, it doesn't seem like that long ago. I mean, I've been at Google five years and it feels like when I started, HTTPS still felt like very much in the minority of sites. Oh yeah, yeah, I remember giving talks on HTTPS and I remember when we first published the Transparency Report, we have this list of the HTTPS status for the top 100 sites on the web. When we first started talking about it, it was maybe 20 or 25 sites were using HTTPS by default and now it's more like 80. So it's really just in the last, you know, two and a half years, we've seen this massive increase in the top sites. So how have you achieved that? What have you done to actually push that? I bet it's less angry. Oh, spoiler alert. One thing is that I really think it's been a push like around the entire web ecosystem, not just Chrome, to really help things.
So, you know, Let's Encrypt started, which is this new free automated certificate authority, which I think made everything much easier and cheaper for people. On the Chrome side, one thing we've been doing is changing the UI of HTTP sites to gradually mark them as not secure. And upcoming this July, we're really excited all the HTTP sites will be marked as not secure. It feels like the right time to do that, to start marking things as not secure because if we did it... It is not. Yes, okay, but that's always been true. But now's the right time to do that because if we did it five years ago, people would be seeing it for all the sites and they'd become desensitized to it. Is that why we changed that? Yeah, I think, you know, when people see warnings too often, they get what's called warning fatigue where they stop paying attention to warnings. And we also just thought that it could make the web seem scary if suddenly tons of sites that you're used to seeing, which are in fact secure, now look scary. So, you know, we feel like we've kind of reached this point where we can gradually turn it on for everything. And they're doing a sound test. Well, can they not? I think it's perfect. I would stick with it. I would keep that part of the video.