Emily Stark

2.7K Followers
321 Following
179 Posts
Trustworthy 🔑 transport 🚆 for Chrome. HTTPS, certificates, encryption, security UX, software engineering and management, TMI about parenting. Opinions are my own.
Pronouns: she/her
Website: https://www.emilymstark.com
Twitter: @estark37
nb: I am not asking a question for which the answer is “store-now-decrypt-later”, “it’ll take a long time to universally deploy PQC”, or “quantum computers don’t exist and never will”. I think the answer I’m looking for is that “quantum computer is overhyped and people, especially security people, have a natural tendency to push back against hype”.
A lotta people misunderstanding my question, so let me rephrase: some people think PQC is a boondoggle because quantum computers that can break modern crypto are so far in the future or even will never exist. But isn’t defending against inconceivably strong attackers the standard of care for cryptography?
Honest non-snarky question: why do people pooh-pooh postquantum crypto as an unrealistic attack vector, when it's standard practice to use crypto that is much stronger than any conceivable future attacker? That is, deploying PQC doesn't seem that much sillier than using 10+ rounds for AES vs 7-9, but people seem basically fine being conservative with extra AES rounds?
More on E2EE apps for the web: is the web really that bad for E2EE compared to mobile/native? And some (IMO) unappreciated challenges in bridging the gaps https://emilymstark.com/2024/02/09/e2ee-on-the-web-is-the-web-really-that-bad.html
E2EE on the web: is the web really that bad?

In my last blog post, I discussed why people often view the web as a uniquely unsuited platform for implementing end-to-end encryption (E2EE). This view is that the web doesn’t offer a long-term trustable notion of what the application is. In that earlier post, I explored the idea of treating the application as untrustworthy and isolating sensitive data from it. In this post, I’m going to pontificate on whether web applications are truly less trustworthy than native applications, especially in an E2EE setting, and if so, how we should bridge the gap. The gap is narrower than it appears at first glance, especially with desktop applications. To close it, though, the devil is in the (UX- and deployment-related) details.

Emily M. Stark
Never click links!!
Also: click this link to learn more
Quarterly Updates

This article is validating, both of my belief that my career trajectory would be dramatically worse if (partially) remote work hadn't become an option in the last few years, and of my feeling of being quietly judged whenever I try to explain why that's the case. It's really hard to explain how much working from home helps me function without making it sound like I spend all day shirking work to do childcare and housework.

https://www.nytimes.com/2023/10/10/business/remote-work-effects.html#:~:text=in%20those%20neighborhoods.-,Working%20Women,-For%20decades%2C%20a

"In fields... which welcomed remote work from 2009 to 2019, working mothers’ employment rates increased. There was an almost one-to-one correlation: When remote work rose 2 percent, there was a 2 percent rise in mothers’ employment... While some working women, particularly mothers, might gain from being remote, women tend to see greater penalties when they do so... both men and women were more likely to suspect women than men of shirking work."

What We Know About the Effects of Remote Work

Three years into a mass workplace experiment, we are beginning to understand more about how work from home is reshaping workers’ lives and the economy.

The New York Times

In the year 2023, an Egyptian politician had malware delivered to his phone via MITM when he visited a website that was not using HTTPS.

This is why we must finish encrypting the goddamn web.

I am become death, destroyer of lock icons
there's been lots of talk lately about bringing E2EE to the web. one idea I've heard here and there is building some kind of isolated frame for isolating plaintext from the (potentially malicious) application code. not promising IMO: https://emilymstark.com/2023/09/09/e2ee-on-the-web-isolating-plaintext.html
E2EE on the web: isolating plaintext

With the publication of Messaging Layer Security (MLS) as an RFC, I’ve been pulled into some recent discussion about bringing end-to-end encryption (E2EE) to the web. This is a topic that comes up every so often and has weirdly haunted me throughout my career. (I spent my undergrad and graduate research years working on cryptography implementations in JavaScript and how to use them in applications.)

Emily M. Stark