In no particular order.
We need to move the web security debate from “Why should web sites use HTTPS?” to “Now that we have HTTPS everywhere, with strong ciphersuites and publicly audited authentication, can we do anything in TLS, SPDY, QUIC, HTTP, HTTP/2, or in the content layer, to defend against traffic analysis?” HTTPS provides only weak or minimal confidentiality in what page the client the client is reading when the pages and the resources it includes are public. Additionally, plaintext IP packets, plaintext DNS requests and responses, and the plaintext in the TLS handshake reveal the network identities of clients and servers. (Tor seeks to solve as much of that problem as it can, but it’s not performant enough for everyday browsing by billions of people.)
The answer might be “no, there’s nothing we can do about that”, but we need to start asking that kind of question.
As part of that overall task, I’d like to make the Origin Info Bubble in Chrome a first-class UX control: meaningful and empowering. Currently it could use some improvement; here’s the OIB on desktop Chrome:
I would like to make the OIB easy to use:
The more application-like web origins become, the more they need to be securely transported and subject to the control of their users.
I’ve started a book on security engineering problems and solutions. I have an outline and the beginnings of a first chapter now, but in Q1 I am going to take a significant chunk of time off to lay down the kernel of the book and finish some chapters. Hopefully I can finish it in my copious free time during the rest of the year. Ha, ha.
Currently planned topics include: Serialization And Deserialization; Type Systems; Language-Theoretic Security, IPC, RPC, And Distibuted Computing; and User Interfaces.
I’ve written about this before, and we still need to get software up to a a bare minimum quality standard. In particular, I want to help develop an easy-to-use, general-purpose ceremony for people to authenticate “internet of things” devices. The Web PKI can’t work for such things, because the devices are not publicly name-able or addressible (...hopefully), and because the Web PKI has a non-zero set-up cost.