Parisa Tabriz, nicknamed “Google’s Security Princess” and the company’s director of engineering, delivered the keynote speech at the Black Hat cybersecurity conference Aug. 8 in Las Vegas, where she discussed issues with the state of cybersecurity.
As cyberattacks loom over our everyday lives, with hackers targeting emails, credit cards and politics, there’s plenty to worry about security-wise. But security should be at the point where tech giants can protect everyone online while they’re casually surfing the web, Tabriz said in an interview on Aug. 7.
Her ultimate goal for Google is to make it so that security is second nature—not something you would have to actively think about to achieve. And that’s up to the internet’s architects to fix, Tabriz noted.
These changes have been happening at Google for the last four years, but you might not have noticed them. Tabriz said Google’s approach has been to incrementally introduce new security features so it could ease people in without confusing them.
What she wants to avoid is creating “warning fatigue,” which is when a person becomes indifferent to warnings because they’ve popped up so frequently. Over the last four years of this effort, Google has found that people become too confused if it makes these changes quickly.
“A lot of security indicators related to HTTPS end up barfing out this ‘error, hey do you understand cryptography? Do you still want to go to where you want to go?’ and people just click through it,” Tabriz said. “We’ve done a lot to make warning messages more comprehensible and to understand what is helpful to users.”
You might have noticed some of these changes in the last two months.
For a while, Chrome would show a green lock with “Secure” written next to it to show people they were on a safe page. Tabriz said Google decided to get rid of it because it wanted security to be the default assumption, and slapping a label on it would just make it stand out more.
That’s also why in July, Chrome started showing “Not Secure” in the browser if you visited a website that did not offer HTTPS protection.
But there’s only so much Google can do on its own. For the internet to reach Tabriz’s goal, she said all tech giants would have to pitch in. She mentioned that Google partnered with Mozilla to push for HTTPS adoption, as well as Let’s Encrypt to help make sure the websites you’re visiting are secure.
“It’s not OK if just Facebook and Google are just on HTTPS,” Tabriz said. “Even if it’s just an individual blog, you still want to have confidence that people reading your blog are actually getting the real content and it’s not being tampered with by your ISP.”