The Dirty Laundry of the Web PKI

Note: Presentation times are in Pacific Standard Time (PST).

Tuesday, January 24, 2023 - 4:10 pm to 4:40 pm

Emily Stark, Google

Abstract: 

When you type “https://example.com” in your web browser, how do you know that you’re establishing a secure connection to the real example.com? This question is foundational to the web security model, and the answer rests in the web public key infrastructure (PKI). In the web PKI, trusted certificate authorities (CAs) issue certificates that authenticate websites. Sadly, the web PKI – which is so foundational to the communication, collaboration, commerce, and cat memes that we all use the web for every day – is shockingly antiquated, overcomplicated, and crufty. In this talk, I’ll describe some icky inner secrets of how the web PKI works, exposing the fragile security infrastructure on which the web is built. I’ll also outline some properties that we should try to achieve in a leaner next-generation server authentication model for the web.
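The trust model the abstract sketches, as an added example that is not part of the talk or of this page: two constructed root CAs (named "Legit Root CA" and "Rogue Root CA" here, both hypothetical) each issue a server certificate for example.com, and a browser-style verifier checks each certificate against a trust store, first containing only the legitimate root and then both. It uses only Go's standard-library crypto/x509; the three checks it performs (chain to a trusted root, hostname in the SAN, serverAuth key usage) are the ones any browser performs, and the last scenario shows the property that makes the PKI fragile: any root in the store can vouch for any name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// toyCA is a constructed certificate authority for this example: a signing
// key and its self-signed root certificate. It is not a real CA.
type toyCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newCA builds a self-signed root. Serial numbers are fixed because this is a demo.
func newCA(name string, serial int64) (*toyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &toyCA{key: key, cert: cert}, nil
}

// issueLeaf has the CA vouch that dnsName belongs to the holder of a fresh key.
// X.509 itself does not stop a CA from issuing for a name it has no relationship
// with; that restraint is exactly what browsers trust CAs for.
func (ca *toyCA) issueLeaf(dnsName string, serial int64) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // hostname binding lives in the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert does what a browser does at connection time: build a chain
// from the leaf to a root in the trust store and check the hostname against it.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records which scenarios verified successfully.
type Outcome struct {
	LegitOK          bool // trusted CA, certificate for example.com, connecting to example.com
	WrongHostOK      bool // same certificate presented for a different hostname
	RogueUntrustedOK bool // rogue CA's certificate for example.com, rogue root not trusted
	RogueTrustedOK   bool // same certificate once the rogue root is added to the store
}

// runScenarios issues certificates for example.com from both CAs and checks
// them against the trust store before and after the rogue root is added.
func runScenarios() (Outcome, error) {
	var out Outcome
	legit, err := newCA("Legit Root CA", 1)
	if err != nil { return out, err }
	rogue, err := newCA("Rogue Root CA", 2)
	if err != nil { return out, err }
	legitLeaf, err := legit.issueLeaf("example.com", 10)
	if err != nil { return out, err }
	rogueLeaf, err := rogue.issueLeaf("example.com", 20)
	if err != nil { return out, err }

	store := x509.NewCertPool()
	store.AddCert(legit.cert)
	out.LegitOK = verifyServerCert(legitLeaf, store, "example.com") == nil
	out.WrongHostOK = verifyServerCert(legitLeaf, store, "evil.example") == nil
	out.RogueUntrustedOK = verifyServerCert(rogueLeaf, store, "example.com") == nil

	store.AddCert(rogue.cert) // one extra trusted root is all it takes
	out.RogueTrustedOK = verifyServerCert(rogueLeaf, store, "example.com") == nil
	return out, nil
}

func main() {
	out, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Only the first and last scenarios verify. The middle two fail for the reasons a browser would show a warning: the name is not in the certificate, or the chain does not end at a trusted root. The last one succeeds even though "Rogue Root CA" has nothing to do with example.com, which is why mechanisms outside the certificate chain itself (Certificate Transparency logging, CAA records, root-program policy) carry so much of the web PKI's real security.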

Emily Stark, Google

Emily is a software engineer and manager working on the Google Chrome web browser. She leads Chrome’s secure transport team, which provides a foundation of trustworthy, understandable encrypted and authenticated connections for the web. She works on HTTPS adoption, certificate verification, ecosystem improvements like Certificate Transparency, the TLS stack, and connection security UX (such as site identity in the address bar and certificate warnings). She also leads a cross-functional team of usable security experts who provide consulting and security reviews across Chrome. Emily holds a bachelor’s degree from Stanford University and a master’s degree from MIT, both in computer science.
BibTeX
@conference {285609,
author = {Emily Stark},
title = {The Dirty Laundry of the Web {PKI}},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jan,
}