The next time you open up Google’s Chrome Web browser, take a look at the little green icon that appears in the left corner of the URL bar whenever you’re on a secure website. It’s a lock, and if it’s green it signals that the website you’re on is encrypting data as it flows between you and the site. But not everyone knows what it is or what it represents, and that’s where Adrienne Felt comes in.
As a software engineer for Chrome, Felt has taken on the task of making the Internet more secure and helping users of the world’s most popular browser make smart, informed choices about their safety and privacy while online. This includes heading a years-long push to convince the world’s websites, which traditionally used the unencrypted HTTP to send data from one point to another, to switch to the secure version, HTTPS.
Why is it tricky to come up with online security measures that work for all kinds of people?
Part of it is that security measures generally stop people from doing things. The way we keep you safe is by telling you no. But this has very real costs. You can scare people … you can keep people from using the Internet at all. On the other hand, if you don’t do anything you put people and their data at very real risk. So you have to figure out how to strike just the right balance. And with multiple billion users it’s very difficult to find a balance that makes everyone happy.
One way you are trying to make people safer while they’re online is by encouraging websites to use HTTPS. What makes this a complicated process?
Think about a site like the Washington Post. When you go to the Washington Post’s home page, there’s going to be 100 different [assets from various websites] that are loaded. All of those have to support HTTPS before the Washington Post itself can do it. Sites need to make sure there’s no revenue hit, they need to make sure there’s no [search] ranking hit, they need to make sure there’s no performance hit. And then they can switch. All these things can be done. Sites are transitioning very successfully at scale now. But it is work.
Now that many of the biggest websites have made the switch from HTTP to HTTPS, what are you focusing on?
The long tail is a big problem. There are lots and lots of sites that are out there. Some that are barely maintained, some that are run by your dentist, your hairdresser, a teacher at a local elementary school, and I don’t see them rushing to add support for HTTPS. The question is now, “Okay, we’ve hit all the really popular sites, we’re starting to get to the medium sites—what do we do for the rest of the Internet?” I don’t want to get in a state where oh, great, you’re secure if you go to a big company but not if you go to a small, independent site. Because I still want people to feel like they can go everywhere on the Web.