Here are some random things I have written in other places. These are in no particular order, which I suppose I should try to fix at some point.
I helped out a little bit with Felt et al.’s USENIX 2017 paper “Measuring HTTPS Adoption On The Web” (local copy).
A review of Distrust That Particular Flavor by William Gibson on io9.
“Secure Session Management With Cookies for Web Applications” (local copy). There are a few things I’d change now...
“How to Deploy HTTPS Correctly”. This has since been ably updated by Yan Zhu and others.
“Prefer Secure Origins For Powerful New Features”. If the web is an application platform, code should be signed. Written with much help from my colleagues on the Chrome engineering team. This has since morphed into the W3C Privileged Contexts spec, by Mike West and Yan Zhu.
I maintain the Chromium Security FAQ, with help from my Chrome Security colleagues.
I proposed that web browsers affirmatively mark non-secure origins as non-secure.
TLS All the Things! — Security With Performance — Chrome Dev Summit 2014
“Security With HTTPS” on the Google Web Fundamentals site.
“High Performance, Low Cost, and Strong Security: Pick Any Three” (local copy), a presentation I gave at the O’Reilly Web 2.0 Expo 2009 conference.