Google being Google, it does have a lot of resources available, which is especially beneficial when it comes to threat intelligence and being able to experiment at scale.
"HTTP2, that was something that grew out of an experiment at scale," said Schuh.
Despite all of those available resources, they still come under friendly fire, which Schuh said is the invasive and unsafe stuff that gets bundled in or injected from browser plugins, OEM value-adds, certificate authorities, and antivirus and other security products.
What's so bad about them? Schuh asked. "They are breaking security expectations. These things are breaking your expectations on their way to introducing the most vulnerabilities they can."
These third-party capabilities, including NPAPI plugins, are invasive and fundamentally unsafe, said Schuh. "It's not really an API but an organic growth of leaky platforms. It's a bundle of purely native code that operates outside of the browser constraints making it effectively impossible to sandbox."
Given that the exchange of communications across the internet depends on every certificate authority being secure, relying on the CA to enforce the connection between the website and the browser also causes major headaches for security engineers.
"The system itself has no way of tying a cert to a specific CA, yet there are literally thousands of intermediary CAs. Any one of them can effectively be bypassed," Schuh said.
Schuh's deepest loathing, though, is the dreaded antivirus. Antivirus is what drives Schuh to vent on Twitter, he joked. Specifically, he shared the anecdote of an issue incurred with the antivirus man-in-the-middle cert, which uses weak hash algorithms.
"There was this huge spike in HTTPS errors, and clients couldn't talk to secure sites anymore," Schuh said. When he contacted the antivirus vendor, no one was familiar with the code. "Someone suggested that it might have been written by an intern a couple years ago."
These are the frustrating security issues that challenge even the most experienced and educated engineering teams. After some time, one of their engineers anted up, said Schuh. They pushed out a fix to an old program, but they were still getting those elevated errors.
"Only the paying customers got the updates," Schuh said. "The non-paying customers get the broken TLS. If you are no longer a paying customer but you have this thing installed," Schuh mused, making the point that these are issues that can potentially compromise security even when dealing with the good guys.
"They all fixed the outdated and vulnerable code," said Schuh, but more to the point, "Even the best behaved products have no support for enhanced nets like HPKP. They are just expected to provide grossly inferior security."