Emily Stark
@estark.bsky.social
Encryption, HTTPS, certificates, web security, security UX, software engineering and management, TMI about parenting. Opinions are my own.
Reposted by Emily Stark
One year from now, Chrome will enable "Always Use Secure Connections" and warn users before plaintext HTTP by default.
HTTPS by default
One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secu...
security.googleblog.com
October 28, 2025 at 5:27 PM
Reposted by Emily Stark
Chrome has published version 1.6 of their root store policy.

Notably, this includes a deadline of June 15, 2026 to get TLS Client Auth out from any intermediates under roots in Chrome's program.

TLS client cert users from public CAs may need to make changes.

www.chromium.org/Home/chromiu...
Chrome Root Program Policy, Version 1.6
www.chromium.org
February 14, 2025 at 10:02 PM
Available at aftercare pickup alongside info about district protocols for immigration enforcement. This school district understood the assignment 💜
January 24, 2025 at 6:00 AM
Reposted by Emily Stark
Good news, from @mozilla and @risksahead! "New ETSI draft standard on QWACs is good news for safety of European internet users"
securityriskahead.eu
January 23, 2025 at 3:15 PM
Behold, a rare, endangered specimen: a goddamn spine secure.smore.com/n/x03zs-a-me...
A Message from Superintendent Baker
Message from Superintendent Dr. John Baker: Dear RCSD Community, Our mission, vision, and values drive the work we do every day in...
secure.smore.com
January 23, 2025 at 7:36 AM
Reposted by Emily Stark
I am convinced 99% of websites should use magic links + passkeys.

It bypasses all (debatable) portability objections to passkeys, it’s at least as secure as email-based recovery, as fast as a password manager, it’s available to all users… and importantly, no passwords!
I wrote about how magic links (emailed one-time login links) frustrate me while explaining that they radically accept some fundamental truths. I argue that websites should layer passkeys on top of magic links to provide a seamless authentication experience for everyone. rmondello.com/2025/01/02/m...
Ricky Mondello » Magic Links Have Rough Edges, but Passkeys Can Smooth Them Over
rmondello.com
January 2, 2025 at 3:26 PM
Reposted by Emily Stark
Safari 18.2 released 3 days ago has HTTPS-first/by-default mode:

"Safari 18.2 on iOS, iPadOS, and visionOS will always try to load webpages over secure connections first, i.e. HTTPS by default. Only if the secure page load fails will Safari fall back to non-secure HTTP."
webkit.org/blog/16301/w...
WebKit Features in Safari 18.2
Today marks the arrival of Safari 18.2.
webkit.org
December 12, 2024 at 3:45 AM
Reposted by Emily Stark
Handling Cookies is a Minefield:

Inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.

grayduck.mn/2024/11/21/h...
November 21, 2024 at 5:11 PM
Reposted by Emily Stark
Some thoughts on the quiet HTTPS revolution:
medium.com/@boblord/the...

🔐
November 17, 2024 at 4:30 AM
Tiny, impeccable design detail: this children’s jacket is designed to be a hand-me-down
November 16, 2024 at 7:34 PM
I caught a full vomit into my hands tonight without a single drop hitting the couch, so maybe I do qualify as a medical professional after all
I seem to have gotten added to some medical starter packs for some reason. If you're following me for medical stuff, sorry, wrong person! Feel free to stick around if you want to answer my random medical questions every time one of my children brings home some weird virus from school.
November 15, 2024 at 5:50 AM
My colleague @serena.nz gave an amazing PurpleCon talk describing the behind-the-scenes experience of removing the (in?)famous lock icon from Chrome: www.youtube.com/watch?v=iUAx...

One day I aspire to get as many laughs during a talk as a 90s sitcom laugh track 🤩
"🙋❓🙋 why❓🤔 chrome 🌐 🙅🚫 removed 🚫🙅 the 🔒 lock 😮 icon 🤷🤷" - serena chen (purplecon 2024)
YouTube video by purplecon
www.youtube.com
November 15, 2024 at 12:32 AM
I seem to have gotten added to some medical starter packs for some reason. If you're following me for medical stuff, sorry, wrong person! Feel free to stick around if you want to answer my random medical questions every time one of my children brings home some weird virus from school.
November 9, 2024 at 7:56 PM
Ok so I guess we’re all doing this app now?
November 1, 2024 at 2:43 PM
Reposted by Emily Stark
We’ve now established a pattern where Go is the first non-browser stack to implement new TLS features, so we flush out all the bugs Chrome didn’t hit.

Today it’s tldr.fail. PQ shares were already default in Chrome, but Go 1.23 is surfacing new broken middleboxes.

Last time it was X.509 SANs.
The migration to post-quantum cryptography is being held back by buggy servers that do not correctly implement TLS. Due to a bug, these servers reject connections that use post-quantum-secure cryptography, instead of negotiating classical cryptography if they do not support post-quantum cryptography.
tldr.fail
November 1, 2024 at 1:03 PM
Somehow on this vacation I’ve ended up in a chicken coop with Ron Rivest’s grandkids
July 4, 2023 at 6:15 PM
one of these days I’m going to livetweet my night because it might be the only way to convey how ridiculous nights are in my house. I haven’t even gone to bed yet and kids have woken up a combined total of 4 times already
June 28, 2023 at 6:36 AM
I’m on an infinite loop of forgetting where my coffee is and finding it in the microwave
June 26, 2023 at 3:22 PM
if I were a baby I would simply not vomit all over my mom’s bed at 1am
May 18, 2023 at 3:42 PM
What are the most effective nonprofit orgs working against gun violence / for gun control?
May 15, 2023 at 8:47 PM
If you, like me, dislike when tiny icons lead to large misconceptions about security, you will be happy to hear that the lock icon in Chrome is going away. Come for the browser security UI news, stay for the perfect Simpsons reference: https://blog.chromium.org/2023/05/an-update-on-lock-icon.html
May 2, 2023 at 6:56 PM
the (very early stage) draft is worth a read if you haven't already: https://www.ietf.org/id/draft-davidben-tls-merkle-tree-certs-00.html
the idea is to store domain name<->public key bindings in a Merkle tree, mirrored by browser vendors or other designated entities to clients and... (1/n)
I'm incredibly excited about the prospect of Merkle Tree Certificates, and look forward to working with the Chrome team on experimental support in the future!
May 1, 2023 at 11:13 PM
May 1, 2023 at 7:12 PM
Reposted by Emily Stark
It’s the end of OCSP as we know it, and I feel fine! https://lists.cabforum.org/pipermail/servercert-wg/2023-April/003685.html
[Servercert-wg] Discussion Period Begins - Ballot SC-063: “Make OCSP Optional and Incentivize Automation”
lists.cabforum.org
April 27, 2023 at 2:29 PM