
The Web We Can Ship

Mike West
September 11, 2020

Presented at the SecWeb workshop (https://secweb.work/), adjunct to Euro IEEE S&P 2020.

Transcript

  1. Stay up to date.
     • Conversations around intents happen in public on blink-dev@chromium.org.
     • Chrome Platform Status has historical information about features.
     • https://bit.ly/blinkintents extracts intent threads from blink-dev@.
     • @intenttoship tweets Blink's intents, as well as information about other vendors.
  2. Core questions for deprecations.
     • Why should we remove the feature? How is it bad for the web?
     • Will users notice if we break the feature? Will they be happy or sad?
     • Do developers rely on the feature? If so, how widely?
     • Do alternatives exist?
  3. Measuring the measurable. For objective questions, a few data sources are very useful:
     • Chrome's Use Counters
     • Chrome's UKM
     • HTTP Archive
     • Web Platform Tests
     • Anecdata
  4. Use Counters. Each metric folds into one bit per tab (usage in any frame is enough).
     ...0100010100101001100100000001010...
  5. Use Counters. If we're not measuring something you think we ought to measure, add a counter! https://bit.ly/2Zojq76
  6. UKM (URL Keyed Metrics). Each metric folds into one bit per tab, tied to the top-level origin.
     ...0100010100101001100100000001010...
  7. HTTP Archive (https://httparchive.org/). Periodic crawls of the top [many] sites, recording use counters as well as other vital statistics as it goes.
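The fold that slides 4 and 6 describe, as an added example that is not part of the deck: a toy JavaScript model in which each page load collapses to one bit per feature, with use-counter aggregation that keeps no origin and UKM-style records that keep the top-level origin. The feature names, origins and page loads are constructed sample data, and the function names are chosen here; Chrome's real counters and UKM pipeline are more involved than this. Running it shows the caveat a deprecation owner should keep in mind: the third-party ads.example frame sets the syncXHR bit on half of all loads, and even the origin-keyed records attribute that use to the embedding sites, not to the frame that made the call.

```javascript
// Added example (not from the deck): a toy model of how use counters and UKM
// fold per-frame feature use into one bit per page load. The feature names,
// origins and page loads are constructed sample data, not Chrome's.

const FEATURES = ["documentWrite", "syncXHR", "flashEmbed", "webUSB"];

// Four constructed page loads. Each frame lists the features it exercised;
// ads.example is a third-party iframe embedded on two different top-level sites.
const PAGE_LOADS = [
  { topOrigin: "https://news.example", frames: [
      { origin: "https://news.example", used: ["documentWrite"] },
      { origin: "https://ads.example",  used: ["syncXHR", "flashEmbed"] } ] },
  { topOrigin: "https://shop.example", frames: [
      { origin: "https://shop.example", used: [] },
      { origin: "https://ads.example",  used: ["syncXHR"] } ] },
  { topOrigin: "https://blog.example", frames: [
      { origin: "https://blog.example", used: ["webUSB"] } ] },
  { topOrigin: "https://news.example", frames: [
      { origin: "https://news.example", used: [] } ] },
];

// Fold one page load into a bitset: bit i is set if ANY frame used FEATURES[i].
// A second use in the same load, or in the same frame, changes nothing.
function foldPageLoad(load) {
  let bits = 0;
  for (const frame of load.frames) {
    for (const f of frame.used) {
      const i = FEATURES.indexOf(f);
      if (i < 0) throw new Error(`unknown feature: ${f}`);
      bits |= 1 << i;
    }
  }
  return bits;
}

// Render a bitset the way the slide draws it (bit 0 on the left).
function bitString(bits) {
  return FEATURES.map((_, i) => (bits & (1 << i) ? "1" : "0")).join("");
}

// Use counters: aggregate without origins. The answer is a fraction of page
// loads per feature ("how many"), never "which site".
function useCounterStats(loads) {
  const hits = new Array(FEATURES.length).fill(0);
  for (const load of loads) {
    const bits = foldPageLoad(load);
    FEATURES.forEach((_, i) => { if (bits & (1 << i)) hits[i] += 1; });
  }
  return Object.fromEntries(FEATURES.map((f, i) => [f, hits[i] / loads.length]));
}

// UKM-style records: the same per-load bits, but each record keeps the
// top-level origin, so "which sites still use X?" becomes answerable.
function ukmRecords(loads) {
  return loads.map(load => ({ topOrigin: load.topOrigin, bits: foldPageLoad(load) }));
}

// Sorted list of top-level origins whose loads set the bit for `feature`.
function originsUsing(records, feature) {
  const mask = 1 << FEATURES.indexOf(feature);
  const origins = new Set(records.filter(r => r.bits & mask).map(r => r.topOrigin));
  return [...origins].sort();
}
```

With the sample data, useCounterStats reports syncXHR on 50% of loads although neither news.example nor shop.example called it themselves, and originsUsing(ukmRecords(PAGE_LOADS), "syncXHR") returns those two embedding origins, not ads.example. That is exactly the situation in which direct outreach goes to the wrong party unless the frame origin is also recorded.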
  8. History of Flash (in Chrome), 2010–2021. Timeline milestones (the slide's year positions are not preserved in the transcript):
     • Chrome and Adobe collaborate to bundle Flash
     • Fuzzing! Reward$ for Flash exploits
     • PPAPI Flash
     • Mitigations to disable plugins, whitelist sites, and update Flash separately
     • Driving down major Flash usage on the web
     • Ephemeral Enabling
     • HTML5 is made default in Chrome
     • Flash EOL announced!
     • Disabled by default
     • More Warnings
  9. History of Flash Security (from Chrome's perspective). Same timeline; lessons:
     1. Developer-facing warnings and user-facing friction can reduce usage.
     2. Enterprise opt-outs remove roadblocks.
     3. Collaboration with other vendors tells a consistent story.
  10. Marking HTTP as "Not Secure", 2014–2019. Timeline milestones (the slide's year positions are not preserved in the transcript):
     • crbug.com/267781
     • Proposal to evolve browser UI floated publicly
     • Security panel in DevTools to debug broken HTTPS
     • HTTPS Transparency Report
     • UI plan announced!
     • Phase 1: HTTP is Not Secure! (for passwords & credit-card numbers)
     • Phase 2: HTTP is Not Secure! (for passwords & credit-card numbers OR Incognito)
     • Phase 3: HTTP is Not Secure!
  11. Marking HTTP as "Not Secure". Same timeline; lessons:
     1. Developers care deeply about browser UI surfaces, and appreciate clear timelines (deadlines).
     2. Phased rollouts can keep the required actions top-of-mind.
     3. Ecosystem changes require broad partnerships.
     4. Conspiracy theories abound.
  12. Defaulting cookies to "SameSite=Lax", 2019Q2–2020Q3. Timeline:
     • Announced intent at I/O. Targeting Sept. 2019.
     • Percentage experiments
     • DevTools warnings
     • Pushed timeline back to Feb. 2020 due to interoperability concerns w/ Safari
     • Began rolling out to M80+
     • Enterprise opt-outs
     • SSO carve-outs
     • Direct outreach & measurement
     • Rolled out in August 2020
  13. Defaulting cookies to "SameSite=Lax". Same timeline; lessons:
     1. Low-percentage rollouts help bring bugs to the surface. Metrics thus gathered are critical.
     2. Direct outreach can be an effective (though expensive) migration tool.
     3. Good enough is better than perfect.
     4. Holidays (and global pandemics) are poor times to schedule a change.
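The behaviour change behind slides 12 and 13, as an added example that is not from the deck: a JavaScript model of whether a cookie accompanies a request before and after the Lax-by-default change. The rules encoded are Chrome 80's as this editor understands them, including the rejection of SameSite=None cookies that lack Secure and the two-minute "Lax+POST" allowance for attribute-less cookies that kept SSO POST-backs working (the "SSO carve-outs" item). The registrable-domain logic is a simplification, the cookies, sites and requests are constructed, and storeCookie, isCookieSent and scenarios are names chosen here.

```javascript
// Added example (not from the deck): a toy model of the cookie-sending decision
// before and after Chrome's "SameSite=Lax by default" change. The rules are the
// ones Chrome 80+ shipped as this editor understands them; all cookies, sites and
// requests below are constructed sample data.

// Assumed: Chrome's "Lax+POST" carve-out lets an attribute-less cookie set less
// than two minutes ago ride on a cross-site top-level POST (the SSO case).
const LAX_POST_WINDOW_MS = 2 * 60 * 1000;
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// "Site" = scheme + registrable domain. Real browsers consult the Public Suffix
// List; this toy takes the last two host labels, which is enough for the samples.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

// Set-Cookie handling: Chrome 80+ rejects SameSite=None without Secure outright.
// attrs: { name, sameSite?: "Strict"|"Lax"|"None", secure?: boolean }
function storeCookie(attrs, now) {
  if (attrs.sameSite === "None" && !attrs.secure) return null;
  return { name: attrs.name, sameSite: attrs.sameSite, secure: !!attrs.secure, setAt: now };
}

// The SameSite mode a stored cookie is enforced under at time `now`.
function effectiveSameSite(cookie, now, laxByDefault) {
  if (cookie.sameSite) return cookie.sameSite;           // explicit attribute wins
  if (!laxByDefault) return "None";                       // pre-M80 behaviour
  return now - cookie.setAt < LAX_POST_WINDOW_MS ? "LaxAllowingUnsafe" : "Lax";
}

// request: { url, initiatorUrl, method, topLevelNavigation: boolean, at }
function isCookieSent(cookie, request, { laxByDefault = true } = {}) {
  if (siteOf(request.url) === siteOf(request.initiatorUrl)) return true; // same-site
  switch (effectiveSameSite(cookie, request.at, laxByDefault)) {
    case "None":   return true;
    case "Strict": return false;
    case "Lax":    return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    case "LaxAllowingUnsafe": return request.topLevelNavigation; // any method
    default: throw new Error("unknown SameSite mode");
  }
}

// Constructed scenarios.
const HOUR = 60 * 60 * 1000;
const bankSession = storeCookie({ name: "sid", secure: true }, 0); // no SameSite attribute

// 1. Classic CSRF: a form on evil.example POSTs to the bank, an hour into the session.
const csrfPost = { url: "https://bank.example/transfer", initiatorUrl: "https://evil.example/",
                   method: "POST", topLevelNavigation: true, at: HOUR };

// 2. SSO: the IdP POSTs an assertion back to the app 30 s after the app set its cookie.
const appState = storeCookie({ name: "sso_state", secure: true }, 0);
const ssoPost  = { url: "https://app.example/acs", initiatorUrl: "https://idp.example/login",
                   method: "POST", topLevelNavigation: true, at: 30 * 1000 };

// 3. Third-party embed: forum.example loads an image from the bank.
const embedGet = { url: "https://bank.example/avatar.png", initiatorUrl: "https://forum.example/",
                   method: "GET", topLevelNavigation: false, at: HOUR };

function scenarios() {
  return {
    csrfBefore: isCookieSent(bankSession, csrfPost, { laxByDefault: false }),
    csrfAfter:  isCookieSent(bankSession, csrfPost),
    ssoFresh:   isCookieSent(appState, ssoPost),
    ssoStale:   isCookieSent(appState, { ...ssoPost, at: 3 * 60 * 1000 }),
    embedLax:   isCookieSent(bankSession, embedGet),
    embedNone:  isCookieSent(storeCookie({ name: "t", sameSite: "None", secure: true }, 0), embedGet),
  };
}
```

scenarios() returns csrfBefore true and csrfAfter false: the same attribute-less session cookie that rode along on a cross-site POST before the change no longer does. ssoFresh is true only because of the two-minute allowance; at three minutes (ssoStale) the POST-back loses the cookie, which is why sites that need it must opt in explicitly with SameSite=None; Secure, the path embedNone shows.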
  14. Thanks! [email protected] / @mikewest
     • Conversations around intents happen in public on blink-dev@chromium.org.
     • Chrome Platform Status has historical information about features.
     • https://bit.ly/blinkintents extracts intent threads from blink-dev@.
     • @intenttoship tweets Blink's intents, as well as information about other vendors.
  15. Appendix. Photos:
     • Paper Boats on Solid Surface, Miguel Á. Padriñán
     • Vintage Camillus 1006, Joe Haupt
     • Top View of Boat on Sea, Dominik Reiter
     • Aerial View of a Shipwreck, Marc Coenen
     • Every day General Grievous adds a unique lightsaber to his collection. Day 66 (Finale), Thibson34
     • Birds-Eye View of Shipping Containers, Tom Fisk
     • Shipping Routes Red Black, Wikimedia Commons
     • Ship Rope Dock Cargo, Skitterphoto