Here are some random things I have written in other places, and presentations I’ve given.
Emily Schechter and I gave a talk at Google I/O 2018: “Lessons from Spectre and Meltdown, and how the whole web is getting safer”. It’s also on YouTube. As a follow-up to this, the Chrome Security Team and I have also written a document about our approach to side-channel attacks.
“Prefer Secure Origins For Powerful New Features”. If the web is an application platform, code should be signed. Written with much help from my colleagues on the Chrome engineering team. This has since morphed into the W3C Privileged Contexts spec, by Mike West and Yan Zhu.
I proposed that web browsers affirmatively mark non-secure origins as non-secure.
I presented “TLS All the Things! — Security With Performance” at the Chrome Dev Summit 2014.
With the Chrome Security Team, I help maintain the Chromium Security FAQ.
“Security With HTTPS” on the Google Web Fundamentals site.
“How to Deploy HTTPS Correctly”. This has since been ably updated by Yan Zhu and others.
“Secure Session Management With Cookies for Web Applications” (local copy). There’s a few things I’d change, now...