Google Chrome browser security chief slams Trump travel ban

Parisa Tabriz says Donald Trump’s travel ban has caused confusion.
The Australian
Chris Griffith, Technology reporter Sydney
Friday, February 17, 2017


Google’s ‘browser boss’ Parisa Tabriz yesterday criticised the Trump administration’s three-month ban on immigrants from seven countries entering the US. In an exclusive interview during a three-day visit to Australia, Ms Tabriz, 33, was asked about the ban imposed by US President Donald Trump. She said it was disturbing and shortsighted, and urged the president to rethink it.

As a security professional, Ms Tabriz leads a global team whose job is to hack Chrome, uncover its security vulnerabilities, and fix them. They are known as ‘white hat’ hackers, the good guys who hack to benefit, rather than harm, humankind. Her concern aligns with that of Google, which employs staff from around the globe and is among several major technology firms fighting the travel ban in the courts. The ban also affects green card holders and workers on visas.

Her father, a doctor, is an Iranian immigrant, and Iran is one of the affected countries. She said the ban had affected her friends and family friends. “I think it’s really disturbing,” Ms Tabriz told The Australian while in Sydney yesterday. “Even as a security professional, I don’t think I understand the reasoning behind the order.”

And it was shortsighted. She wouldn’t be working with Google had her father not migrated from Iran. “I’d like to think I had contributed to the US with Google in terms of improving security.” Outside of Google, she also had helped her country by working with the Obama administration to secure government services. “(The order) seems to have caused more confusion than help. It’s affected people in my team, it’s had an impact on friends and family friends, either who have parents in Iran who wanted to visit the US or who are on visas and not able to freely travel for fear of not being able to come back. There’s one colleague I have in the (San Francisco) Bay area who was planning to get married and her husband would have flown to San Francisco. He’s Iranian. So their wedding is on hold.”

At Google, Ms Tabriz has used the title “security princess” and now is known as “browser boss”. She said a title such as “information security engineer was not very meaningful”, and hard to remember. She is in Australia to recruit staff to her team. Currently it contains about 50 white hat hackers — fulltime Google employees who are based at Google HQ at Mountain View, San Francisco, Seattle, Sydney and Munich.

Google also runs a vulnerability reward program that offers a bounty to outsiders who discover flaws, paying from $US500 ($650) to $US100,000. It’s paid out more than $US9 million to more than 1000 people in 59 countries since 2010, and paid the full $US100,000 to a hacker last year.

But why so many flaws? Why not distribute software that’s bug-free in the first place?

Ms Tabriz said that was an impossible ask. “Chrome is 10 million lines of C++ code, and we have people contributing changes and adding new features to it around the world. That’s a lot of people making changes at once. Any punctuation error is potentially a bug,” she said. “I think the launch and iterate model at Google is really important. If you do wait until it’s perfectly secure, you’ll never ship anything.”

She also wants the world to move to encrypted browsing using ‘HTTPS’ rather than unencrypted ‘HTTP’. “A lot of people thought it (HTTPS) is only for banks or it’s only for where I use my credit card, but the reality is that without HTTPS you can have no security or privacy guaranteed between what you’re using on your computer and the sites you are visiting. There’s a lot of people in between. I would like the web to be by default HTTPS.”

Google last year published a transparency report which showed that less than 50 per cent of the top 100 sites use HTTPS. Ms Tabriz is proud that, with the increased awareness, that figure is now more than 50 per cent with 12 more of the world’s top 100 sites changing their default address to HTTPS. She’s aiming for it to be 100 per cent. Google has a plan to label insecure HTTP sites more clearly as “non-secure” and will effect this gradually. Last month it began labelling bank and credit card sites using old HTTP in this way. “Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,” Google says in its report.
