During the summer of 2014 I worked at Google’s Chrome Security Team lead by Paris Tabriz. I was working on usable security issues along with Adrienne Felt, Joel Weinberger and Chris Palmer. I was mainly focusing on Mixed Content Blocking and Chrome Permissions.
In mixed content, I implemented a feature in Chrome that flags a page as having “mixed content” when a secure origin (i.e. loaded over https) is attempting to submit a form to a non-secure origin (submitting to an http page). In Chrome permissions, I was experimenting with a number of ideas on how to make this better from a usable security perspective. My main goal was to “reduce and simplify how permissions, asked by extensions and apps, are presented to the user without reducing the users security and/or privacy”. Currently, the most popular model for asking for permissions is install-time prompt as in the figure below.
These are not effective as they; (i) confusing end users, (ii) are out of context, and (iii) the user has no choice in denying some of them or limiting their access. I worked on experimenting with three main area:
- Improving install-time permission requests.
- Trying to move more permission to be “auditable”.
- Experimenting with “chooser” model for permissions.
I will probably discuss these model further in another blog post.
If you are interested, all the code I wrote while at Google can be found here.
Note: the work discussed here is my personal opinion and doesn’t necessarily reflects Google’s opinions or what is currently being done with Chrome.