When someone decides to ignore an HTTPS error warning, how long should the browser remember that decision? If they return to the website in five minutes, an hour, a day, or a week, should the browser show them the warning again or respect their previous decision? Different web browsers have very different policies, and it’s not obvious what the right solution is. We evaluated six storage policies with a large-scale, multi-month field experiment. We found substantial differences between the policies and that one of the storage policies achieved more of our goals than the rest. In this talk, we’ll discuss the design, execution, and results of this experiment, and the impact of real science and experimentation in software engineering.
Joel Weinberger is a software engineer at Google on the Chrome security team. He received his Ph.D. in computer science from the University of California, Berkeley in 2012.