Adrienne Porter Felt wants your websites to be secure. Her efforts toward this notion have landed her on the Massachusetts Institute of Technology’s Technology Review’s list of 35 top innovators under age 35.
Felt, who earned a bachelor’s degree in computer science from the University of Virginia in 2008, is now a software engineer on Google’s Chrome browser team. She has campaigned for several years for more secure websites, denoted by an “S” in in the address – “HTTPS” – to indicate the site is secure. (“HTTPS” stands for “hypertext transfer protocol secure.”)
“Over time, it’s become clear that web traffic needs to be encrypted to protect people from snooping companies, criminals and even governments,” Felt said. “HTTPS is the first step in providing an encrypted web. Unfortunately, users can’t just opt into it on their own; developers need to convert their websites to support it.”
Felt’s campaign has included reaching out to companies – giving talks, writing documentation, building tools and making changes to Google’s Chrome browser to promote HTTPS.
“Developers have been responding to this by moving to HTTPS,” she said “The community is in a great place right now, with a lot of momentum. Other efforts like Let’s Encrypt, or Cloudflare’s one-click HTTPS setup, have also been extremely significant in pushing HTTPS forward.”
Felt was pleased to be recognized for her work on cybersecurity and hopes this will be an encouragement to others.
“When I was first starting my career, someone warned me against working in usable security,” she said. “He viewed the field as less rigorous than other fields of computer science, because it involves studying humans in addition to working with machines. It almost put me off the topic, but I’m glad it didn’t. Working with humans is a key part of software engineering. Software doesn’t exist in a vacuum – people use it and it affects our lives in significant ways. We need more engineers who are willing to try to understand people.”
This willingness to understand people helps Felt see the flaws in much of the current security defenses. She sees the field moving into defense against “phishing” attacks – that’s when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message or text message in order to gather their personal information.
“Phishing is an incredibly hard problem because it targets the weaknesses in human attention and memory,” she said. “It’s an old, frustrating problem. Thus far, the main approach to stopping phishing has been to train or warn the human. The problem is that there will always be ways to trick people.
“We aren’t going to truly see this problem solved until the authentication and identity space is disrupted and human fallibility is taken out of the system. I’m hopeful that the field is on the cusp of such a disruption; maybe security keys are part of it.”
In Felt’s work on usable security, she investigates how to make security features easier to use.
“In many cases, this means making security features invisible – making them ‘just work’ without needing to tell the human about it,” she said. “In other cases, this means making [user interface] surfaces clearer or more convincing. Recently, I’ve also started working on other parts of the browser, like the Chrome Metrics and Autofill teams.”
Felt is also branching out, expanding her portfolio as she becomes more broadly interested in usability.
“How do we make the internet more accessible for everyone?” she said. “There are 7.5 billion people alive today, with an incredibly broad set of needs, languages and cultural contexts.”
Felt started working in security when she was a second-year engineering student, responding to a request from computer science professor David Evans, who taught the “Program and Data Representation” course. Evans said Felt stood out amongst her peers because of her “well-thought-out answers and meticulous diagrams.”
“For the summer after her second year, she joined a project one of my Ph.D. students was working on to use the disk drive controller to detect malware based on the reads and writes it makes that are visible to the disk,” Evans said. “She did great work on that project, and by the end of the summer was envisioning her own research ideas.
“She came up with the idea of looking at privacy issues in Facebook applications, which, back in 2007, was just emerging, and no one else was yet looking into privacy issues like this.”
Taking Evans’ offer for a research project was a turning point in Felt’s life, showing her something she liked that she could do well.
“It turned out that I really loved it,” she said. “I like working in privacy and security because I enjoy helping people control their digital experiences. I think of it as, ‘I’m professionally paranoid, so that other people don’t need to be.’”
In her final semester as an undergraduate student at UVA, Felt taught a student-led class on web browsers.
“Her work at Google has dramatically changed the way web browsers convey security information to users, making the web safer for everyone,” Evans said. “Her team at Google has been studying deployment of HTTPS, the protocol that allows web clients to securely communicate with servers, and has had fantastic success in improving security of websites worldwide, as well as a carefully designed plan to use browser interfaces to further encourage adoption of secure web protocols.
“Adrienne Felt and her team have also continued to produce highly visible and influential research papers, regularly published in the top academic conferences,” he said.
After graduating from UVA, she continued her studies at the University of California, Berkeley, earning a Ph.D. in computer science.
While Felt’s campaign has been successful in securing many of the large websites on the internet, many small sites are still less secure.
“There are lots and lots of sites that are out there – some that are barely maintained, some that are run by your dentist, your hairdresser, a teacher at a local elementary school – and I don’t see them rushing to add support for HTTPS,” Felt told MIT’s Technology Review. “The question is now, ‘OK, we’ve hit all the really popular sites, we’re starting to get to the medium sites – what do we do for the rest of the internet?’ I don’t want to get in a state where, ‘Oh, great, you’re secure if you go to a big company, but not if you go to a small, independent site.’ Because I still want people to feel like they can go everywhere on the Web.”