
My time at Google’s Chrome Security Team

During the summer of 2014 I worked at Google’s Chrome Security Team led by Parisa Tabriz. I was working on usable security issues along with Adrienne Felt, Joel Weinberger and Chris Palmer. I was mainly focusing on Mixed Content Blocking and Chrome Permissions.

In mixed content, I implemented a feature in Chrome that flags a page as having “mixed content” when a secure origin (i.e. loaded over https) is attempting to submit a form to a non-secure origin (submitting to an http page). In Chrome permissions, I was experimenting with a number of ideas on how to make this better from a usable security perspective. My main goal was to “reduce and simplify how permissions, asked by extensions and apps, are presented to the user without reducing the user’s security and/or privacy”. Currently, the most popular model for asking for permissions is the install-time prompt, as in the figure below.

Image source: developer.chrome.com

These are not effective as they: (i) confuse end users, (ii) are out of context, and (iii) give the user no choice in denying some of them or limiting their access. I worked on experimenting with three main areas:

  1. Improving install-time permission requests.
  2. Trying to move more permissions to be “auditable”.
  3. Experimenting with a “chooser” model for permissions.

I will probably discuss these models further in another blog post.

If you are interested, all the code I wrote while at Google can be found here.

Note: the work discussed here is my personal opinion and doesn’t necessarily reflect Google’s opinions or what is currently being done with Chrome.
