Justin Schuh 😷
Washed up never-was. Couldn't even rate as a has-been. https://t.co/OCgmnUH7hr
30 Jul
This article provides quite the catalog of accumulating damage that Safari has done to the Open Web over many years, but at the same time the perspective of the author misses some key points (and I think that last part needs some digging into). [1/12] httptoolkit.tech/blog/safari-is…
The post has a strong subtext of "Google is bad, therefore anything anti-Google is good." That's a dangerous bias that's demonstrated even more strongly in many responses to the post—particularly this one from Marcos (former Mozillian and current W3C Standards Engineer). [2/12]
But the truth is that companies are mostly amoral entities that are best viewed systemically, in terms of their incentives. Google hasn't been a perfect ally to the Web, but Google's incentives do align far better than Apple's ongoing opposition. [3/12]
26 Apr
I've been thinking a lot about the tougher interpersonal dynamics from my old career, and wanted to share some lessons learned. That's not to claim I'm great at any of this (most of it was learned from failures), but maybe it's helpful, and not just self-indulgent platitudes.
1. Compromise, but not on your reputation—or worse—your integrity. I spent a career navigating complex tradeoffs and rarely got the exact outcomes I wanted, but I made progress on what I believed in and never put my effort or name behind anything that conflicted with my values.
2. Don't drink the Kool-Aid™. Be honest in assessing your side's decisions and motivations—and build team cultures that encourage introspection. Don't assume that you're in the right—or will be perceived as such—because that path leads to misguided zealotry and appeals to spite.
9 Apr
This response raises a whole lot more questions than it answers, particularly given the ostensible framing of 1P versus 3P data access. Let's cover the specifics of why this matters, and think about a fair transparency bar for systems like this. [1/10]
First, it's disingenuous to claim this is 1P when Apple's Advertising Platform is designed to integrate with 3P content—i.e. most categories listed are clearly 3P interactions. Framing that as 1P is akin to claiming any site in a browser is 1P if you made the browser. 🤯 [2/10]
That stated, privacy-preserving 3P data handling is the whole point of these systems. So let's just move past the framing, and see what we can glean based on the publicly available data. Specifically, what does the system look like, how are guarantees enforced, etc? [3/10]
9 Apr
I'm seeing something of a "sandboxing is dead" narrative popping up in light of new real-world attacks and growing interest in memory-safe development approaches (e.g. Rust). This framing seems inherently contradictory to me, and I would like to explain why. 1/9
First, it's important to understand that sandboxing is an architectural approach to security (rather than a specific technology). It entails decomposing a system into its security-relevant functions/capabilities, and isolating those components via strong security primitives. 2/9
This old post covers the idea broadly, but put more directly, the goal in isolating components is to contain a compromise in any one part of the system, such that it doesn't affect the integrity of the rest of the system. 3/9 medium.com/@justin.schuh/…
24 Mar
Were you aware that no major browser provides *default* end-to-end encryption (E2EE) for sync data (history, bookmarks, etc.)? There are good reasons why, but I recently learned that many people—even in security & privacy—have serious misconceptions about all of this [1/9]
First, a cardinal rule of E2EE is that both the plaintext data and the private/shared keys must not be exposed to any intermediaries in the communication path. However, no browser protects both the sync data and the key material from its server by default… [2/9]
Let's start with Chrome and Edge (Chromium). By default, sync data is not E2EE encrypted. E2EE is available as an option—by enabling a custom passphrase, which generates a client-bound key—but that's not the default mode. (I'll get to the "why" later…) [3/9]
7 Dec 18
The whole "Chrome is the new IE6" argument is objectively wrong, and really the worst kind of FUD. So, I'm going to try to put it to rest by providing some relevant history, and calling out just how much Chrome differs from IE6. [1/8]
By the turn of the century IE had captured the Web ecosystem. And with IE6 Microsoft stopped development—stalling the Web. Meanwhile, potential competitors faced the prohibitive technical barrier of building a compliant implementation of a massive, closed source product. [2/8]
In the end it took 5+ years of Microsoft standing still and ignoring the Web (with IE in maintenance mode) before Mozilla's Firefox and later Apple's Safari were able to offer credible alternatives to IE's dominance. (Don't @ me Opera users.) [3/8]