Emily Stark

HTTPS by default One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secu...

One year from now, Chrome will enable "Always Use Secure Connections" and warn users before plaintext HTTP by default.

Chrome has published version 1.6 of their root store policy.

Notably, this includes a deadline of June 15, 2026 to get TLS Client Auth out from any intermediates under roots in Chrome's program.

TLS client cert users from public CAs may need to make changes.

www.chromium.org/Home/chromiu...

Available at aftercare pickup alongside info about district protocols for immigration enforcement. This school district understood the assignment 💜

Good news, from @mozilla and @risksahead! "New ETSI draft standard on QWACs is good news for safety of European internet users"

A Message from Superintendent Baker Message from Superintendent Dr. John Baker: Dear RCSD Community, Our mission, vision, and values drive the work we do every day in...

Behold, a rare, endangered specimen: a goddamn spine secure.smore.com/n/x03zs-a-me...

I am convinced 99% of websites should use magic links + passkeys.

It bypasses all (debatable) portability objections to passkeys, it’s at least as secure as email-based recovery, as fast as a password manager, it’s available to all users… and importantly, no passwords!

WebKit Features in Safari 18.2 Today marks the arrival of Safari 18.2.

Safari 18.2 released 3 days ago has HTTPS-first/by-default mode:

"Safari 18.2 on iOS, iPadOS, and visionOS will always try to load webpages over secure connections first, i.e. HTTPS by default. Only if the secure page load fails will Safari fall back to non-secure HTTP."
webkit.org/blog/16301/w...

TIL: quokka

periods are such unbelievable bullshit

facebook error

netflix error

okta error

whatsapp error

Handling Cookies is a Minefield:

Inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.

grayduck.mn/2024/11/21/h...

Atomic Age style poster of a man on a laptop in a coffee shop using public wi-fi. The coffee cup says Wi-Fi.

Some thoughts on the quiet HTTPS revolution:
medium.com/@boblord/the...

🔐

Tag on a children’s jacket showing multiple lines to write names, where each name can be removed once the jacket is handed down to another child

Tiny, impeccable design detail: this children’s jacket is designed to be a hand-me-down

I caught a full vomit into my hands tonight without a single drop hitting the couch, so maybe I do qualify as a medical professional after all

YouTube video by purplecon "🙋❓🙋 why❓🤔 chrome 🌐 🙅🚫 removed 🚫🙅 the 🔒 lock 😮 icon 🤷🤷" - serena chen (purplecon 2024)

My colleague @serena.nz gave an amazing PurpleCon talk describing the behind-the-scenes experience of removing the (in?)famous lock icon from Chrome: www.youtube.com/watch?v=iUAx...

One day I aspire to get as many laughs during a talk as a 90s sitcom laugh track 🤩

Could you please remove me? I’m not a medical professional

ha, very true :)

I seem to have gotten added to some medical starter packs for some reason. If you're following me for medical stuff, sorry, wrong person! Feel free to stick around if you want to answer my random medical questions every time one of my children brings home some weird virus from school.

Bold of you to assume I still haven’t seen Heathers after not asking me whether I’ve seen Heathers yet in at least… 3 years?

(I still haven’t seen Heathers. Back to Twitter I go, I guess…)

Ok so I guess we’re all doing this app now?

We’ve now established a pattern where Go is the first non-browser stack to implement new TLS features, so we flush out all the bugs Chrome didn’t hit.

Today it’s tldr.fail. PQ shares were already default in Chrome, but Go 1.23 is surfacing new broken middleboxes.

Last time it was X.509 SANs.

Somehow on this vacation I’ve ended up in a chicken coop with Ron Rivest’s grandkids

I don’t suppose the meal is a nice breakfast waiting for you when you get up in the morning?

one of these days I’m going to livetweet my night because it might be the only way to convey how ridiculous nights are in my house. I haven’t even gone to bed yet and kids have woken up a combined total of 4 times already

I’m on an infinite loop of forgetting where my coffee is and finding it in the microwave

also CAA. but, I think this is subtle; it seems easy for people to go to the other extreme and misunderstand CT to be way more than it is. and it is still true that each CA is still a weak link, just a lot less weak than before

if I were a baby I would simply not vomit all over my mom’s bed at 1am

What are the most effective nonprofit orgs working against gun violence / for gun control?

kudos to @dadrian.io for the simpsons reference and to our marketing team for not editing it out

If you, like me, dislike when tiny icons lead to large misconceptions about security, you will be happy to hear that the lock icon in Chrome is going away. Come for the browser security UI news, stay for the perfect Simpson's reference: https://blog.chromium.org/2023/05/an-update-on-lock-icon.html

I have to think on that a bit but doing DV 2x might actually make sense. MTC CAs might be a different policy regime than traditional CAs, e.g. different set of allowed DV methods