WEBVTT

00:00.000 --> 00:10.920
So I'm here to talk about the Cyber Resilience Act and web browsers and here we have the

00:10.920 --> 00:18.120
beautiful ETSI slide template. I'll tell you soon what ETSI is and how this relates,

00:18.120 --> 00:24.880
but first let's start with the Cyber Resilience Act. So this is a law, or in European

00:24.880 --> 00:31.680
terms it's a regulation, meaning that it's a strong, kind of directly applicable law that

00:31.680 --> 00:39.720
regulates products with digital elements. Well, if you have commercial software this is

00:39.720 --> 00:46.120
something potentially relevant for you. The Cyber Resilience Act is really good, it says

00:46.120 --> 00:54.360
finally software has to be secure, and it does this through these requirements that are

00:54.440 --> 01:01.400
written in Annex 1. So you know, there's a lot of pages to the law, a lot of legal

01:01.400 --> 01:07.240
text that's somehow plumbing, somehow about what keeps things together, but Annex 1 is where

01:07.240 --> 01:14.920
it really comes together in terms of the requirements. So one that I really like is data

01:14.920 --> 01:20.080
minimization. The requirements are in two sections, part one and part two. Part one is

01:20.080 --> 01:26.960
cybersecurity properties, just what the product should be like. So this

01:26.960 --> 01:32.560
one is data minimization, just a little clause, no big deal: just process the data that's

01:32.560 --> 01:37.800
relevant to what you're doing. So this is like the GDPR, kind of, but without all that consent

01:37.800 --> 01:43.600
stuff, without all that you can just opt into. Anyway, no legal interpretation

01:43.600 --> 01:48.840
here, but it's great. This is a property that we care about because we know

01:49.000 --> 01:53.720
that if you pass too much data around that's not relevant to what you're doing then it's a

01:53.720 --> 02:02.560
security risk. Another thing is vulnerability handling requirements: in addition to being kind of

02:02.560 --> 02:10.240
secure by design, it also has to have an update mechanism. There have to be practices for

02:10.400 --> 02:18.640
handling vulnerabilities, such as, you know, updates should be by default automatic and just

02:18.640 --> 02:27.040
coming in a timely way. So this is all tied together in the notion of having a product security

02:27.040 --> 02:33.840
regulation. So you probably saw this logo, CE, on all kinds of physical products. What that means is that

02:33.920 --> 02:46.080
the product meets European regulations; it's a European mark. And now with this regulation,

02:46.080 --> 02:55.520
this Cyber Resilience Act, the notion of product regulation and product conformity comes to software,

02:55.840 --> 03:03.840
so rather than being kind of bottom-up, where the components that you build something out of are what

03:04.400 --> 03:10.400
demonstrate that conformance, it's instead kind of top-down: the final product has to conform to the

03:10.400 --> 03:16.240
regulation, and then you can kind of filter through the dependencies, which are, you know, kind of inevitably

03:16.320 --> 03:28.000
involved in whether it meets the security properties. So for many products there's different ways that

03:28.000 --> 03:35.280
products prove that they conform to a regulation. One is they just have some document that lists out

03:35.280 --> 03:41.120
certain pieces of information; that's what happens with what we call default products under the

03:41.120 --> 03:51.760
CRA. There's this extra class of products, important products, where either they have to kind

03:51.760 --> 03:58.240
of explain in their technical, I mean, not just explaining in certain kind of basic ways why they meet

03:58.240 --> 04:06.480
the security requirements, but either having an external certification body look and see whether

04:06.560 --> 04:14.480
things conform, or you conform to a standard, and that standard describes what it means to

04:17.920 --> 04:22.320
meet the cybersecurity properties in the context of, in this case, a web browser.

04:23.920 --> 04:30.320
So this standard makes it easier to show that you are meeting the security requirements by

04:30.400 --> 04:38.160
allowing you to describe yourself why. So anyway, what does this mean, what do we mean when we say

04:38.160 --> 04:46.400
a secure browser? Well, or standardization. So the standardization is kicked off by a standardization

04:46.400 --> 04:54.480
request. You know, it was a short, you know, four months or so from when the CRA was passed to

04:55.120 --> 05:02.240
when the request was made to the European standards organizations, and then they eventually accepted it

05:02.240 --> 05:08.160
and kicked off this process of starting to standardize. I'll talk about the forward-looking timeline

05:08.400 --> 05:16.320
a bit. So this request, or part of this request, went to ETSI. So you might expect, well,

05:16.720 --> 05:23.920
the W3C does web browsers, right, or maybe WHATWG, or you know ECMA for certain things.

05:24.800 --> 05:33.120
Well, for European law things go through a European standards organization. You know, this

05:33.120 --> 05:40.640
standard is a big deal because it has legal implications: whether you would align to the standard

05:41.280 --> 05:47.520
changes what happens with respect to, you know, what you can put on the market, what you can sell

05:47.600 --> 05:53.680
or otherwise commercialize. So it goes to one of these official standards bodies. ETSI is one,

05:54.240 --> 06:04.400
CEN-CENELEC is another one, and these are, you know, sufficiently, I mean specifically, licensed

06:04.400 --> 06:11.920
to take on this kind of task. So now we'll talk about the browser standard in the current context,

06:12.320 --> 06:16.480
the current content, and how we're developing it. So

06:20.400 --> 06:24.640
there's several of these requests being made at once, several of these standardization requests

06:24.640 --> 06:30.320
made for various different kinds of important products, or even more critical products, or

06:30.320 --> 06:38.160
there's another, you know, degree of importance beyond that. And so we're developing a common

06:38.160 --> 06:46.160
structure for these standards because there's commonalities in how to describe the

06:46.160 --> 06:51.440
security properties. Anyway, this is all a new process, we're all learning at the same time

06:51.440 --> 06:58.480
how to write a European standard to describe security properties. So first we have the scope.

06:59.760 --> 07:06.240
The Cyber Resilience Act has, alongside of, you know, committees like this to try to define

07:06.240 --> 07:16.320
standards, it also has this expert group consisting of people who know about, well, represented

07:16.320 --> 07:22.240
there's various civil society bodies. Anyway, they defined what browsers are: software products with

07:22.240 --> 07:27.680
digital elements and enable, you know, it's all tied to web access. We're asked to

07:27.680 --> 07:34.480
define this for standalone browsers, embedded browsers, including with AI elements. So this describes

07:35.440 --> 07:45.920
what it is in that Annex 3 that's in scope. So for example, out of scope is if you have purely just a web view

07:45.920 --> 07:53.200
that's rendering local content, that's not a browser. It has to be kind of web-related, otherwise it's not quite as

07:53.200 --> 08:02.720
high risk. So, to mention the structure: we have our scope, then we have our references. An unfortunate

08:02.720 --> 08:10.640
thing about these European standards is we cannot make reference to web standards, and

08:12.320 --> 08:20.800
the reason is, well, it was cut off a little bit, but legal documents require a sound basis. So

08:21.520 --> 08:27.520
the way that European law works here is it has, you know, from its own perspective, especially high

08:27.520 --> 08:34.880
standards for what you can put in a standard, and this includes the normative references being

08:34.880 --> 08:42.560
only these official things. So we can mention these web standards, but we can't make

08:42.560 --> 08:49.280
requirements based on them. So basically the document has to be self-contained. We also have to define

08:49.280 --> 09:11.440
very carefully what... sorry, the signal's gone. Okay, okay, great. So we have to define things, but

09:11.440 --> 09:21.120
it's a little bit funny in this context. We also try to categorize what we're requiring for

09:21.120 --> 09:28.640
browsers based on use cases. So there are a few different things that you could consider, for example

09:28.640 --> 09:36.000
consumer, you know, individual use of a web browser, versus institutional context, you know, with

09:36.720 --> 09:41.680
critical infrastructure, you'll perhaps, you may have some enterprise policy that governs use. And so this

09:41.680 --> 09:48.240
changes a little bit the nature of what you need of the web browser. For example, a lot of browsers

09:48.240 --> 09:54.160
have a policy that you can enable, which is disable HTTP authentication, which is, you know, an

09:54.160 --> 10:00.960
insecure technology still left in browsers these days out of web compatibility. And if you have

10:00.960 --> 10:07.360
a certain, you know, institution where you're trying to make sure that especially secure technologies

10:07.360 --> 10:12.640
are used, that's why many browsers expose this flag. I'm not sure if we want to require that flag to

10:12.640 --> 10:17.440
exist, but it's the kind of thing that's made available for institutions to have higher

10:17.440 --> 10:23.040
security. So this is part of why we list out different use cases; it doesn't necessarily mean

10:23.040 --> 10:31.440
that they're, you know, different browsers. We also have tried to identify relevant risks. We're

10:31.440 --> 10:39.440
looking at an overview of the product architecture, but the really important sections of this document

10:39.440 --> 10:47.840
are the normative ones, which are clauses five and six. So for example we would specify things like

10:48.000 --> 10:53.920
different parts of the browser should be isolated from each other through sandboxing or process isolation,

10:55.680 --> 11:02.720
and we have a number of these categories. This is still all up for editing, I'll explain in a minute

11:02.720 --> 11:10.640
why, I mean how, you can get involved. We really need more involvement in this. Then we have section,

11:10.640 --> 11:20.640
or clause six, which is the ways to assess whether you're meeting the requirements. So in this

11:20.640 --> 11:29.520
case, to check whether GPUs are process-isolated, one way is you can launch the browser and

11:30.240 --> 11:37.680
look at, you know, look at processes and look at fallbacks. So these are all supposed to be objective;

11:37.760 --> 11:44.080
this is a requirement in European law that we have an assessment method which can be somehow

11:45.360 --> 11:54.560
reproducible. So I would really like to encourage everyone to collaborate together on this, but we do

11:54.560 --> 12:00.400
have a timeline to keep in mind, and it's unfortunate that the time is a little bit tight, but that's

12:00.400 --> 12:09.520
kind of the current situation. So in a month or two we need to have the draft ready for what's

12:09.520 --> 12:17.280
called public inquiry. So we're going to share this with, I mean, the thing is it's already public, it's

12:17.280 --> 12:24.320
already put on ETSI's website. I'll have links for that next. But there's another public inquiry phase

12:24.320 --> 12:36.080
which is happening starting at, is it March 31st or, you know, March 15, April 15th? Yeah, but we

12:36.080 --> 12:41.200
have to have the draft ready before that so that then it can be, you know, shipped off to this public inquiry,

12:41.200 --> 12:47.440
where many different parties will read it and give comments. I think already we've seen more reviews

12:47.440 --> 12:53.280
among the industry, but if we can, you know, take the feedback people have now, incorporate it into the

12:53.280 --> 12:58.320
document, then the next round of feedback will be able to, you know, make more progress. So

13:00.080 --> 13:06.400
over the next several months we'll get more rounds of review, and eventually by October 30th we should,

13:07.120 --> 13:14.400
according to the timeline set by the European Commission, have our version fully kind of

13:14.400 --> 13:22.800
standardized within ETSI. Standardizing in ETSI is then just kind of the second-to-last step,

13:22.880 --> 13:27.440
because then the European Union, the European Commission, needs to decide to fully publish it

13:27.440 --> 13:34.560
as an official standard. And then the reason that we want to have this also upfront is because

13:35.200 --> 13:43.200
December 11th in 2027 the Cyber Resilience Act takes effect, in the sense that all products with digital

13:43.200 --> 13:49.520
elements, especially the commercial ones, need to have their CE marking. The CE

13:49.520 --> 13:53.840
marking, it's not like you're going to print it on the software. It's, you know, you have a website with

13:53.840 --> 14:02.160
the documentation that's required, and you have the technical documentation stored away somewhere

14:02.160 --> 14:09.360
that describes why it conforms to the CRA. So this is going to apply to web browsers.

14:10.080 --> 14:16.000
I think any browser vendor who makes money off of it should be thinking about how this

14:16.320 --> 14:21.680
applies to them, but it really applies, it's really relevant, for everybody, because the browser is

14:21.680 --> 14:28.320
the basis for web security. You know, this should be reinforcing that security; this gives us all

14:28.320 --> 14:36.560
a secure basis to build applications off of. And yep, we want to have it there in advance so that

14:37.200 --> 14:44.800
in principle manufacturers have time to adjust to the requirements and to demonstrate that they

14:44.880 --> 14:54.400
implement this. So all of the different product-specific standards are intended to have their standard

14:54.400 --> 15:01.760
written in advance like this. So I really want to encourage people to get involved. We have the

15:04.160 --> 15:11.040
issues available on this repository. I forgot to put the link to the actual PDF. There's,

15:11.120 --> 15:20.800
there, I guess it's probably linked from this README. Yeah, it is. So this will

15:20.800 --> 15:27.280
link you to the PDF where you can find the current draft, and reading it, filing issues. You could

15:27.280 --> 15:34.320
also just email me, or any of these different contact methods. I want to shout out to Chrome,

15:34.320 --> 15:41.520
Mozilla, and especially Vivaldi browser for giving very detailed constructive criticism of this, which is

15:41.520 --> 15:49.680
what we'll need in order to, you know, make this move forward. So you can suggest changes to

15:49.680 --> 15:55.680
the text, or you can just say what's wrong at a high level, low level. All of this feedback would be

15:55.680 --> 16:02.640
extremely welcome. You can also join the committee where we discuss it. We have meetings currently

16:02.640 --> 16:07.840
every two weeks, this might move to every week, but anyway you can just come to one of them. These are

16:07.840 --> 16:15.840
open to involvement from open source. You know, from ETSI's perspective this is kind of

16:15.840 --> 16:23.280
especially open, this process, you know, like involving open source, like publishing these early

16:23.280 --> 16:28.640
intermediate drafts on the website and taking issues, you know, people can file issues.

16:29.600 --> 16:35.120
So, you know, even if the process can seem weird compared to other standards, you know, well,

16:35.120 --> 16:43.200
we're trying to figure out a way to work together. So yeah, I would really like to be in contact with

16:43.200 --> 16:48.720
people. And I also want to note, even though this timeline is very tight, we can also have

16:50.640 --> 16:54.080
an initial version of the standard that's published and then a later version which

16:54.800 --> 17:01.680
corrects issues, whether that's to make things, you know, whether it's to correct

17:03.280 --> 17:08.320
errors but also to make things more secure or more implementable. We can keep going as a committee

17:08.320 --> 17:14.080
after publishing an initial standard and make a next version. This is just completely normal

17:14.080 --> 17:20.880
for the European process, just like with any other kind of standard. So whatever happens will impact

17:20.880 --> 17:26.640
browsers, and so this is relevant to everyone who cares about browsers.

