Here are some random things I have written in other places. These are in no particular order, which I suppose I should try to fix at some point.
Emily Schechter and I gave a talk at Google I/O 2018: “Lessons from Spectre and Meltdown, and how the whole web is getting safer”. It’s also on YouTube. As a follow-up to this, the Chrome Security Team and I have also written a document about our approach to side-channel attacks.
“Secure Session Management With Cookies for Web Applications” (local copy). There are a few things I’d change now...
“How to Deploy HTTPS Correctly”. This has since been ably updated by Yan Zhu and others.
“Prefer Secure Origins For Powerful New Features”. If the web is an application platform, code should be signed. Written with much help from my colleagues on the Chrome engineering team. This has since morphed into the W3C Privileged Contexts spec, by Mike West and Yan Zhu.
With the Chrome Security Team, I help maintain the Chromium Security FAQ.
I proposed that web browsers affirmatively mark non-secure origins as non-secure.
I presented TLS All the Things! — Security With Performance at the Chrome Dev Summit 2014.
“Security With HTTPS” on the Google Web Fundamentals site.