Artur Janc, Staff Information Security Engineer, Google
The web has become the world's most successful application ecosystem: it powers millions of applications, many of which hold some of our most sensitive data, and is used daily by billions of users. At the same time, the evolution of the web from a collection of hyperlinked documents into what it is today has left it with fundamental, endemic security problems, which threaten to undermine its basic security and privacy guarantees.
In this talk, we'll start by walking through these problems: we'll show how the combination of insecure defaults and little-known platform quirks makes it all but impossible for non-experts to write secure applications; how long-standing web features have continued to allow attackers to leak sensitive application data with no recourse on part of web authors; and how our cherished high-level abstractions such as the same-origin policy crumble in the face of microarchitectural side-channels and related information leaks enabled by the introduction of powerful new APIs into the web platform.
We'll then recognize that we can no longer turn a blind eye towards these transgressions and that we desperately need a concerted effort to save the web from crumbling under its own weight. We'll outline the work that needs to happen to address the most pressing problems of the ecosystem; this includes building powerful new opt-in features to protect against endemic web vulnerability classes, removing dangerous legacy behaviors to reduce the web's attack surface, and investing more time into proactive reviews and research of new platform features which alter the web's security model.
This work will require strong collaboration between application authors, browser vendors and the academic community; it will be hard and thankless. However, if tackle these problems, we will allow the next generation of developers to finally build secure applications without requiring a myriad of costly application-specific workarounds, making the web platform and users' data safe for the coming decades.
Artur Janc is a Staff Information Security Engineer at Google, managing a team responsible for proactive efforts to improve application security across the Google ecosystem, including designing, reviewing and deploying web platform security mechanisms. Artur holds an M.Sc. in Computer Science from Worcester Polytechnic Institute where he also earned bachelor's degrees in Computer Science and Electrical and Computer Engineering, and a minor in Spanish.
USENIX Security '19 Open Access Videos Sponsored by
King Abdullah University of Science and Technology (KAUST)