
Girls, promote your success


Dolores peacock costume

 

A few months ago I wrote some thoughts I felt were important to share with girls in tech. It was about killing the usual culture that keeps some girls (but also boys) from being free and natural at work, like feeling miserable or sorry for no reason. I now realize that part of girls’ (and boys’) success in tech is also about correctly promoting their achievements, realizations and contributions. This may be a general worker problem, not a gender problem, but it seems to me that girls tend to forget more often that special part of our job: promoting our success. This struck me when I heard a colleague of mine commenting after a presentation I gave on a successful project: ‘Well, Virginie, wonderful, that was clear and understandable, as usual, thank you so much’. I did not have the feeling that I was outstanding, I just did my job. But I got from that remark that promoting my work was beneficial for me and for the project. The key is to do it efficiently.

What does it mean to promote efficiently? It means building a message adapted to your audience. A message that will not get them lost or overload them with inappropriate details. Of course it depends on the context, audience and topic. Working on technology innovation scouting, meeting lots of people and companies and having to report on different aspects, from market to strategy and technology, I had to think about my own classification of what to say to whom, and when. That classification might not be universal, but you can get the principles, depending on the context. Here it is.

But first. Never ever. Whatever the situation, never ever go in the direction of sexist jokes and naked girls (or boys), football analogies, or systematic references to Apple and Google. This is forbidden – if your plan is to stay credible. While this may be the easiest way to have people with you, it is simplistic. And by avoiding reproducing that simplistic view of the world, you do not really miss anything; you just show you are worth more than that.

Jump on opportunities. You meet the right person in the corridor and you need her or his advice: don’t miss it. Aim for one sentence and one smile. That is teasing time. You’ll have to say what is at stake, which solution you believe you should go for, and make your request. Then smile and be silent to get an answer. Note for weird people: I am not talking about a hot seduction attitude here, just staying tuned, kindly.

The people agreed to meet you and you have time. It’s serious stuff here: you are consuming other people’s time. They have to know why you are here and what you are talking about. To do so, I recommend staying high level: talk strategy, express the key notions, expose the frictions, list the market actors and suggest solutions. And because you need to keep them happy with you, you can make jokes (aka be relaxed and smart, alright, not making bad bar jokes). You must keep some time for concluding, making sure everyone agrees on the solution (action plan, next steps, …). That is the normal communication rule. But (and that is the key point), during all this interaction you should say ‘we’ when it was team work and say ‘I’ when it was your own work. Don’t dilute your contribution; be crystal clear about it. That is key to valuing your work.

You are on stage, in a conference. You may not have anything to learn from me if you already made the decision to be on stage. The only recommendation I would give is: build your talk like a story. You need a ‘fil rouge’, you need little anecdotes, you need surprise (tadaaaa, here is my program, wow, here is my design…). For the others: if you are just thinking about applying for a conference talk, I would say that you should not hesitate anymore. Conferences are key events that force you to be synthetic and clear. They will give positive visibility to your project. And conference organizers will do their best to help you be good on stage (it is in their interest). Finally, you will be able to re-use your talk elsewhere. You just need to find the right conference, with the right audience.

You need to talk about your work, but… I know you want everyone to know that while going from SuperProduct v1.3 to HyperProduct v1.4 you made some choices, you managed some shit, you were about to be killed by 2 engineers and had to dance with your enemy, but… let’s admit that sharing those details in a decision meeting, or while reporting on your project’s success, will not help you. You are a professional, you are managing your tasks correctly and making decisions. That is why you are getting paid. The good news is that you will have to leave evidence of your work: a digital archive, for voluntary and curious colleagues, or to have it somewhere for later reference. In this archive, you can play with all the secret details of your work. You can use your everyday professional vocabulary and habits. Acronyms, architecture, references to geek literature, bug numbers, product versions, test suites, clickable URLs, little stories of your battles, multi-bullet-point slides, matrices (with titles), text in different fonts for super cool effects, resource planning, exhaustive lists of participants, detailed figures… And this is the only place where you should play that game of entering into the boring details. Right? Unless someone weird asks you detailed questions about it…

My 2 cents, hoping it will make you go out and show your technical work to the world…

W3C : TPAC week was also about fun and art

This post is the last one of a series of 4 dedicated to the yearly W3C meeting. The previous ones were dealing with serious stuff such as the W3C Advisory Board, the news in the tech area, and the particular topic of security in W3C. This one relates to the fun happening at W3C TPAC…

Those who were there could not ignore that, in addition to meeting great and smart people, in addition to producing specifications and working out some resolutions, the mood at TPAC is about human and social interactions. Coffee breaks, special dinners and bar sessions are the places to be. Everything is provided to allow people to meet. And there were two remarkable activities during that TPAC week in Sapporo.


Werewolf game.

Werewolf is famous in W3C. It is most of the time orchestrated by Dom and Doug from W3C. The game is about guessing, in an assembly of 20 people or more, who are the werewolves killing simple villagers at night. Each player can be a simple villager or a special character who gets some special tips about the werewolves’ identity. That game happens in the evening, in one of the hotels where most TPACers were sleeping, and every night you could see people joining the group at 21:30, jumping out of nowhere, to be there and have fun. That year, the new usage is that the werewolf game opened a twitter account (which I had fun managing during one night, at least).
During the night, the villagers sleep.

And in the morning, the players vote to decide who is a werewolf.


The Haiku challenge.

That idea came from Maria Audey and David Rogers. The challenge was to get the TPACers to write a haiku (a 3-line poem, whose constraint is that it has to be 5/7/5 syllables). Writers could either send the haiku anonymously or sign with their name. We received 35 haikus in less than 2 days. All are archived forever on W3C servers, available here: https://www.w3.org/wiki/TPAC/2015/haiku

You can note the cross theme with the werewolf game:

Full moon

Doug, a simple villager,

when the moon is full,

smells of blood, bones and beard.

My favourite haiku was (by Ian):

Ode to Scribes

RRSagent

I have been scribing so long

Zakim, close the queue

And the jury, composed of David, Maria and me, voted for Yves’ one:

Shepherds

Web is where we live

TPAC is where we connect

Free Web for the world.

Again, that year TPAC was amazing, feeding people with tech, fun and art…

W3C : about security activities (gossips, new work and strategy)

This post is the third one reporting about W3C TPAC activities. The previous ones were related to the Advisory Board discussion and general technical topics. This one focuses on my fav topic, security.

People following me know I am a promoter of security in W3C. Having done that for the last 4 years, I must confess I had some good surprises during the last W3C TPAC week (which is the yearly big W3C party). Here is what I collected, going to official and unofficial meetings, coffee breaks and bars…

When Vint Cerf, Jun Murai and Tim Berners-Lee advocate for security. The W3C TPAC day started with three stars in a row on stage, exchanging with W3C CEO Jeff Jaffe. (Note for the youngest ones: Vint Cerf invented the internet and is working for Google; Jun Murai has been contributing to that ecosystem, being one of the most powerful Japanese representatives in the internet; Tim Berners-Lee is Tim…). Reading the minutes of that conversation, one could realize that security was at the heart of the exchanges. About making security in everything, about security being transparent, about strong authentication, about making the web a trusted place… While those gentlemen did not draw the technical solutions on any whiteboard, but rather exchanged on such needed effort, this gave an indication about their next challenge for the web.

The W3C security strategy is here. In order to answer W3C members’ request for a security strategy, the security strategic plan for W3C has been issued. The Technology and Society domain considers two aspects for securing the open web platform: user security (including the Web Crypto API, web authentication and HTTPS migration) and web app security (including CSP, sandboxing and HTTPS, again). Another track is about making sure that the development of the open web platform takes care of security, and this implies having security reviews, handling the migration to HTTPS with care, and liaising with the rest of the world thanks to liaisons and wide communication. See more about that security strategic plan here: https://github.com/w3c/websec/blob/master/security-roadmap.md

The migration towards an HTTPS world. A very interesting session was held during TPAC about trying to find the best path to make the web an HTTPS place. HTTPS is good, says the W3C Technical Architecture Group. We all know that (well, kind of). But the path from HTTP to HTTPS may raise some serious challenges that Brad Hill explained very well in that document. The problem is mixed content. How to make sure, once your website mandates HTTPS, to still get content from websites only running HTTP? What security measures should be taken when this situation happens? Would that not be the weakest link that would kill the entire security promise… No conclusion was drawn from that discussion, but some solutions were excluded (for instance a 2-step migration path that would be highly insecure for the whole web).

W3C is looking for a security geek. Based on that ambitious plan, W3C has opened a position to strengthen the team on security aspects. For more information, you should contact Wendy from W3C (wseltzer at w3 dot org).

Web App Sec, business as usual. Working hard and quietly, the Web App Sec group is rolling out its plan. I have already mentioned the main topics being dealt with in this Working Group, made of the best security experts of the major browser vendors. One may note that, little by little, Web App Sec is providing developers with a toolbox allowing them to check the integrity of a resource (SRI), filter or log access to external resources (CSP), and access specific APIs only in a secure context (Privileged Contexts)… Nevertheless, some recent activities are worth (re)mentioning, completing this intention:

  • COWL: is about Confinement with Origin Web Labels. In other words, this is a means to label some code and execute it carefully (because you don’t trust it, because you want to give it fewer permissions…). That work is a First Public Working Draft (early stage of a spec) and is available here: http://www.w3.org/TR/cowl
  • Clear Site Data: is about allowing a web app to kindly ask browsers to delete data related to itself. The spec is available here: http://www.w3.org/TR/clear-site-data/
  • Upgrade Insecure Requests: is about allowing web app developers to instruct the browser to upgrade all interactions between client and server to HTTPS. The spec is available here: http://www.w3.org/TR/upgrade-insecure-requests/
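Three pieces of that toolbox worked through in Python: the SRI integrity hash a page declares and the browser re-checks, the upgrade-insecure-requests rewrite that addresses the mixed-content problem discussed above, and the Clear-Site-Data header value. This is an added example, not W3C’s code nor any of these specs’ reference implementation; the HTML page and the script body are constructed samples.

```python
import base64
import hashlib
import re
from typing import List
from urllib.parse import urlsplit, urlunsplit

# Constructed sample page (not from the post): an HTTPS page loading two
# http:// subresources, i.e. mixed content.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
</head><body><img src="http://img.example:80/logo.png"></body></html>"""

# Tags whose src/href load subresources; only http:// values are mixed content.
_SUBRESOURCE_TAG = re.compile(
    r"<(?:script|img|iframe|link|audio|video|source|embed)\b([^>]*)>", re.I)
_HTTP_ATTR = re.compile(r"""\b(?:src|href)\s*=\s*["'](http://[^"']+)["']""", re.I)


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Value of an SRI `integrity` attribute: '<algo>-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Browser-side check: does the fetched body match one of the declared
    hashes? Simplified: any matching token passes (the spec only considers
    tokens of the strongest listed algorithm); unknown algorithms are ignored."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        try:
            if sri_integrity(content, algo) == token:
                return True
        except ValueError:
            continue
    return False


def find_mixed_content(html: str) -> List[str]:
    """Return the http:// subresource URLs referenced by an HTTPS page."""
    found = []
    for tag in _SUBRESOURCE_TAG.finditer(html):
        found.extend(m.group(1) for m in _HTTP_ATTR.finditer(tag.group(1)))
    return found


def upgrade_insecure_request(url: str) -> str:
    """Rewrite a request the way `Content-Security-Policy:
    upgrade-insecure-requests` tells the browser to: http -> https, and an
    explicit port 80 becomes the https default (443); other ports are kept."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def clear_site_data_header(*types: str) -> str:
    """Value for the Clear-Site-Data response header: quoted, comma-separated
    data types the site asks the browser to delete for its own origin."""
    allowed = {"cache", "cookies", "storage", "executionContexts", "*"}
    unknown = [t for t in types if t not in allowed]
    if unknown:
        raise ValueError(f"unknown Clear-Site-Data type(s): {unknown}")
    return ", ".join(f'"{t}"' for t in types)


if __name__ == "__main__":
    for url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: {url} -> {upgrade_insecure_request(url)}")
    body = b"console.log('hello');"  # constructed script body
    tag = sri_integrity(body)
    print(f'<script src="https://cdn.example/app.js" integrity="{tag}">')
    print("intact:", verify_sri(body, tag), "tampered:", verify_sri(body + b" ", tag))
    print("Clear-Site-Data:", clear_site_data_header("cache", "cookies", "storage"))
```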

You can have a look at the complete status of the Working Group deliverables, edited by its co-chair Brad Hill.

Last but not Least. Some new work is being introduced in W3C.

Web Authentication. Is about allowing strong authentication from a web app. That working group will certainly be the placeholder for W3C receiving the FIDO Alliance specifications, which define an API for authentication, attestation of an authentication device, and signature. The draft charter is under construction here: https://w3c.github.io/websec/web-authentication-charter

Hardware Security. Is about allowing web apps to access secure services made available thanks to hardware-based tokens (like secure chips, smart cards, trusted execution environments). Those who know my everyday job will definitely recognize the usual technology I am playing with, and may understand why I have offered to chair that working group, together with David Rogers, a mobile security expert. The draft charter is available here: https://w3c.github.io/websec/hasec-charter.html

Those two new pieces in W3C still have to go through the W3C member review before being actually up and running. Again, here, I will keep you informed.

W3C : rambling in W3C TPAC as a tech person

Being also a tech person, during the W3C TPAC week I had the chance to visit different groups and brainstorming sessions, and I am sharing with you here the result of me jumping from one room to another.

Web Payment is a reality. The web payment activity is one of the most dynamic ones in W3C these months. The quest initiated here is to ease access to payment means from a browser, making sure that a one-click button would allow a user to pay with means accepted by the merchant and available in the user’s context. The use cases and priorities of the group have been discussed in the Web Payment Interest Group, but the more operational step happened at TPAC: the Web Payment WG kicked off. That Working Group will design an architecture and some APIs to make that payment feature in browsers a reality. Let’s wish them success…

WebRTC is close to being closed. WebRTC is *suffering* from a large number of implementations (see Is WebRTC ready yet?) and the specification was late compared to market expectations, but the good news is that most of the technical problems have been answered. And the WebRTC group is now thinking about WebRTC Next Generation. The specification will go to CR soon (see the details by Dom at http://www.w3.org/2015/Talks/dhm-webrtc-ac/).

Sensors are progressing. The Internet of Things is something (buzz, trend, de facto, golden quest…), and it is also present in W3C. The sensor spec is about exposing sensors’ data to web apps. The spec is on its way, in the capable hands of (Intel Corporation) and Rick Waldron (jQuery Foundation). If you wanna have a look at that API, the spec is here: https://w3c.github.io/sensors/, and some more context about it can be found in the discussions held during TPAC between the sensor team and the Web of Things team, reported here.

What about blockchain in the web? Some may get nervous that everyone is talking about blockchain. Even TPAC breakout sessions deal with it. During an interesting session, NTT DoCoMo exposed the rationale for letting web apps use blockchain, for use cases such as tracking peer-to-peer rights transfers or signing legal documents… This long-term work may land in W3C, some day…

I could not attend all the Working Group meetings and breakout sessions that were held during W3C TPAC, but if you wanna have a taste of what is discussed in W3C, have a look at this report, and read the minutes, issues and participants…

W3C : about being an Advisory Board Member

One of the important moments for W3C, the World Wide Web Consortium, is TPAC. This is the week where all W3C members and W3C tech contributors meet. Dozens of Working Groups have their face-to-face meetings, and in parallel the Advisory Committee (AC) meets. The AC is a room full of delegates (one per W3C member), a member meaning any company, university or startup that has paid its W3C membership. This year, the big party was scheduled in Sapporo (Japan) and more than 550 people registered, more than last year when the location was the crowded Silicon Valley. Thus, lots of people, lots of amazing topics and discussions.

I have been participating there with several hats: as a tech person, as an Advisory Board member of W3C, as an AC rep, as a chair of a technical group, and finally as a general citizen of the web. I wanted to share with you all the goodness that came out of this crazy week. This post is the first of several reporting about my experience, focusing on the Advisory Board aspects.

What is it to be an Advisory Board member? The role of the AB is to give guidance to W3C management on W3C directions. That 2-year mandate is obtained through election by W3C members. Basically, you campaign, and you are elected. The AB is made of 9 elected people, a chair, Jeff Jaffe, CEO of W3C, and two magic supports (Coralie and Ralph). The team is playing well, with lots of exchanges, different profiles and conflicting interests – which, I believe, guarantees that most interests will be preserved… W3C members and the AB can continuously talk, but there are 2 occasions where the W3C members can formally express whether they are happy or not: at TPAC and at a spring meeting, for a 2-day general assembly.

What are the immediate tasks of the Advisory Board? The AB has to treat a large number of topics covering process management (which includes the specification lifecycle but also governance rules), the strategy of different W3C domains, the priorities of the consortium, the development of new activities or working methods, and solving any question/problem raised by the membership… And here is the team to handle that!

How to achieve that as an Advisory Board member? After one year of exercising such a mandate, it came to me that it is a difficult balance between taking initiative on behalf of W3C members versus spending time listening and gathering feedback… This week at TPAC, the dialog with the W3C membership was very quiet. Few interactions during the official meeting. Discussing in the corridors with a lot of members and my AB mates, some principles appeared to me that we should always have in mind in order to maintain the basics of democracy in such an organization.

  • Create real dialog with members – allowing them to influence the general assembly agenda and opening mic sessions
  • Clarify the points of discord and put them on the table; it will make sure all arguments pro and con are heard. When you have in the same room the media and ad industry and the EFF, there is some chance that you hear completely opposite visions of a single situation and can thus make up your mind…
  • Leave some space uncontrolled, where all technical and strategic outcomes are driven by a few, not under the pressure to represent all opinions, but allowing straw man proposals (aka, the W3C Technical Architecture Group, led by Tim Berners-Lee, plays that role today),
  • Clarify the priorities of the consortium, by vote, by any means, to make sure that you do not address all requests, but only the important ones,
  • Roll out a pragmatic plan, with a unique champion to question and congratulate, adapted to your resources – and fine-tune as you walk,
  • Listen to the silence and act when it is too loud (relooping…)

What is next for the AB? In addition to business as usual, I believe that W3C is facing some interesting challenges that I am committed to support:

  • modern tooling (aka including GitHub and modern editing methods in working groups),
  • caring about the chairs and editors community,
  • improving the visibility of W3C activities to the public (thanks to the magic of Web APIs),
  • clarifying strategic plans (accessibility, security, HTML5 next, …),
  • kicking off a new group dedicated to discussing potential policy in W3C (like taking positions on topics where technology and society overlap).

Definitely only interesting and great challenges! I will keep the web informed as things progress!

Paris Web: kindness, security and good practices


Time flies, as everyone knows. But time can do nothing against the good memories and the lessons of ParisWeb. When I look back at my time at this conf, in early October, two things strike me.

One. The atmosphere. The warm welcome of a team (which has the courage to greet its speakers at midnight in a unicorn costume, eh, who does that?). The kind eyes of an informed, humble and playful audience. The hugs in the corridors, the relevant questions in the lecture halls. In short, humanly and intellectually, ParisWeb packs a punch.

Two. The security and privacy orientation, strongly present in the editorial line. No fewer than 7 talks touching on these subjects among the 38 talks offered.

Here is my selection of talks. With my favourites inside. To watch or read. A selection based on a mix of crushes on punchy personalities and interesting content.

To discover the security trends of 2015…

  • Matthias Dugué – Crypto for devs: Matthias tells you everything about what works and what does not work today when you want to do security, take the time to encrypt, sign…
  • Nicolas Hoffmann: Content Security Policy: finally understand everything about CSP, the lethal weapon to protect your sites
    • it’s over here
  • François Hodierne: bots pollute web traffic, which tools help protect against them?
    • the transcript is and the video will soon be here
  • Adrienne Charmet, who explains the necessary involvement of the citizens that we are in the governance of digital life
    • the video is available
  • Ann Wuyts – Privacy by Design: or how to learn which data are particularly sensitive and deserve that you pay attention to the user experience *and* to their privacy.
    • the slides are
  • Tristan Nitot: Privacy, surveillance, alternatives to GAFA, on the possible paths for our privacy on apps
    • one understands Tristan’s investment in his Cozy Cloud project
  • Finally, my talk, on security and internet aspects; it covers the main principles that push standards bodies, like the W3C, to take security into account
    • It’s this way (sorry Dad, I said a bad word)

To think a bit about ethics and workers’ issues…

  • Etienne Samson, or how to spot the treasures of humanity around you and bring them to light
  • Thibault Jouannic, or how to adopt the right attitude to keep up with tech news at your own pace, without wasting time or energy (careful, this guy is too good, he reads your mind)
  • Jean Philippe Cabaroc, or how to showcase your know-how-so-well, namely your methodology (here)
  • Marie Guillaumet: about the design of oneself and the simple tricks to promote yourself without losing your soul; the transcript is there, the video soon there

Finally, an exceptional closing talk (funny, subtle, energetic, full of emotion) on sign language, by Sandrine Schwartz; we are waiting impatiently for the talk…

One last thing. ParisWeb needs your help to keep existing. So if you have a bit of time to devote to it, raise your hand and contact the organising team!

Paris Web: security and quality


Summer is in full swing. Cicadas and sun (well, for me). I am looking at the Paris-Web programme, the web conf scheduled for October (yes, already, I know, some say I am very forward-looking), and joy, happiness, ecstasy: there will be security galore at Paris Web this year. Just imagine, no fewer than 6 talks related to the subject.

– Your nightmare may look like an invasion of malicious scripts on your sites; Nicolas Hoffman will tell you that CSP is an antidote for this kind of embarrassing situation.

– You want to make your web applications a bit more robust? There are tools for that. Mathias Dugué will share his experience of using these obscure security tools and the Web Crypto API.

– Good authentication is the guarantee of a service deployed securely. The French administration has understood this. Francois Petitit will share his experience deploying FranceConnect, OpenID, OAuth2, bliss…

– Bots on the net generate traffic, and probably annoy you as a webmaster; François Hodierne will explain how to handle this little detail, and how to tell the good robots from the bad ones.

– Security of the web and of the internets is a serious subject that standardisation bodies discuss; I will come and tell you about the progress made in these industry consortia, at W3C, at IETF and at FIDO.

– Security is also an underlying question in the stakes of web users’ freedom. Adrienne Charmet, from La Quadrature du Net, will come and plead for a commitment of digital players in the opening plenary.

See you at Paris-Web on 1/2/3 October! #bisous

#shake15 : to VC or not VC

During the #shake15 conference, I attended a great presentation on venture capitalist myth and reality. The experienced entrepreneurs presenting, Michel Athenour (multiple founder) and Christophe Raynaud (VC, ISAI director), made a great team show, sprinkled with humor, irony and valuable real-life experience. For people not familiar with the French VC landscape, you should know that French VCs invested a reasonable 8.7 billion euros in 2014, and are made of several tens of VC firms, with a recent increase in players.

The tone was quickly set by those (smart) guys. VCs are scarce.

And you should talk to them only in specific situations. When you are in hyper-growth and terrific expansion, when you are rich enough to pay your team’s salaries for 6 months (at least), when your team is balanced and great (this is one of the assets VCs will weigh carefully). If you can’t tick each of those boxes, try something else. Love money (your friend, lover, father, crazy uncle). If you tick all the boxes and wanna go VC, be ready to suffer. The mission of a VC is about investing, giving money. Thus, they need to check a few things: they need to trust you, your business model, your potential. And they will be looking for your weaknesses, asking the questions you don’t want to hear, opposing competition you did not foresee… this torture will be iterative. Meet, talk, present, again. It may take you 3 months, 3 long months during which your business will have to rock anyway. So provisioning energy and money for that specific period is a must. That was for the general aspects on when to go VC or not.

In addition, Michel and Christophe shared some common-sense tips for going VC.

Build your network in the VC jungle. You must have friends there, and it is normal usage to sanity-check their reputation, identifying bad sharks and losers (don’t feel ashamed, they will do the same for you and your team).

Be prepared to present your activity. This means training, working on your presenting and convincing skills.

Think like a VC. What is it that they want? Make sure they can make money by reselling your activity. Look for your next acquirer, who will buy you soon, and tell them.

Accept that VC is not for everyone. And not succeeding when going, or not going, is not a failure. This is just being reasonable and playing in the relevant category. Again, the press is putting a lot of emphasis on champagne, “paillettes” and successful fundings, but this does not represent the average entrepreneurship story.

Thanks again to Michel and Christophe for this fruitful workshop!

Note 1: for more information on the French landscape, download the AFIC report [PDF] or read the recent Rude Baguette analysis.

Note 2: #shake15 learnings related to e-commerce are also available here.

#shake15 : And now, all of us are shaking our digital commerce !

#shake15. Two days of e-commerce.

In one of the most prestigious places in Marseille, during 2 days, around 1000 people gathered and exchanged. Two days spent looking at merchants, staring at users, analyzing in-shop behavior and online habits, qualifying e-merchants and marketplace tribes. This is the Shake event. So what can we learn by gathering all the actors of the value chain during 2 days?

The consumer journey is multiple.

And it is not relevant anymore to even mention the opposition of online/in-shop, mobile/PC, in-shop/home delivery, before/during/after transaction time, website/mobile application… A transaction has several touch points that no merchant can force or predict. Users are crazy. Let’s admit that: you need to be with them everywhere, anytime, with persistence. Admit that or you will miss it. Your challenge for the next 2 years is to build a consistent digital strategy allowing all combined paths.

Facing such a fact, today’s merchants have no choice.

You need to go digital, in a consistent way. If you are not convinced you should go, let’s have a look at the figures. E-commerce is generating 57 billion today worldwide. In France, transactions increased by 13.7% in the first semester of 2015. Buying on an e-commerce site happens to users once every 15 days on average, with an ever-increasing average price. E-commerce is getting common to the 76% of French people who are connected. Finally, the number of websites has increased by 14% compared to last year, leading to 160 000 active sites. Your competitor may be among those. You can check the FEVAD figures to know more about that.

A few remarkable trends

You don’t need to be a pure player to go digital. Look at the recent moves of CDiscount going Casino, eBay associating with merchants.

Usage of a mobile application is important because it is the way to create a privileged relationship with your customer, identifying them accurately and analyzing their navigation in the application. This would also allow merchants to benefit from the search results in Google search (also known as app indexation).

Shops and employees in shops are getting transformed. Vendors work with devices, shops can offer picking services, shops can produce on demand and on site thanks to 3D printing. Welcome to the new world!

Ads can now be served through social media streams. The Twitter sponsored tweet and the Facebook sponsored push are now channels to be used. Just use them, they are convenient and annoy users less.

And as always, a mobile-first mindset and geolocation usage can help.

Things to improve.

The pain point in e-commerce is still the payment. The payment, yes. Fragmentation in payment solutions, applications and user experiences is not good for business. Especially the fact that there is no well-known, standard experience reduces the conversion rate when finalizing the transaction. Users need to feel comfortable pressing the final button. Something to improve…

Thanks #shake15

The panoramic vision offered by shake15 on trends was really precious. Big up to Hervé Bourdon and Jacques Froissant and the supporting team for setting up such an event.

Note: Last year’s Shake edition can be found here: https://poulpita.com/2014/06/30/shaking-marseille-e-commerce/


The security question at Edge

Take 250 web developers, seat experts in front of them, and let them interact. This is the EDGE conference. It was my first Edge conference experience, and I cross my fingers that I will attend the next one. I went there to be part of a panel dedicated to security. And through that lively and passionate debate, I learned things, in particular how to move forward on security aspects of the web.

What was it about? It was about HTTPS and certificate usage. The panelists were Yan (from Yahoo), Mike (from Google), Alex (from the University of Michigan, Let’s Encrypt promoter), Patrick (from the Financial Times), and all of us were moderated by Dan.

Yan set the stage by reminding us of the attacks on the web (MITM, XSS, …) that HTTPS and CSP can help to solve. CSP is a way to control that only authorised resources are accessed (authorised meaning coming from a URL you trust). At the same time Yan also announced a renaming of CSP into BATSHIELD to make it attractive; we hope you will enjoy it. Then came the origin question. HTTPS is a way for the browser to make sure that the service you are accessing is the one it pretends to be. And from there, we entered into the debate; here is a takeaway.
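As an added illustration of that allowlist idea (example code written for this post, not the panel’s or any browser’s), here is a toy version of CSP source matching in Go: ParsePolicy reads a Content-Security-Policy header value, and Allows decides whether a page may load a resource under a directive such as script-src, falling back to default-src when that directive is absent. Hosts such as shop.example and cdn.example are hypothetical; a bare *, ports, nonces and hashes are not handled.

```go
package main

import (
	"net/url"
	"strings"
)

// ParsePolicy splits a Content-Security-Policy header value into directive -> sources.
func ParsePolicy(header string) map[string][]string {
	policy := map[string][]string{}
	for _, directive := range strings.Split(header, ";") {
		if f := strings.Fields(directive); len(f) > 0 { policy[strings.ToLower(f[0])] = f[1:] }
	}
	return policy
}
// hostMatches compares a host-source (cdn.example, *.cdn.example, https://cdn.example) with
// the resource: *. matches subdomains only; without a scheme the page's scheme or https is implied.
func hostMatches(src string, page, res *url.URL) bool {
	if i := strings.Index(src, "://"); i >= 0 {
		if src[:i] != res.Scheme { return false } // an explicit scheme must match exactly
		src = src[i+3:]
	} else if res.Scheme != page.Scheme && res.Scheme != "https" {
		return false
	}
	src = strings.SplitN(src, "/", 2)[0] // any path part is ignored in this toy
	if strings.HasPrefix(src, "*.") { return strings.HasSuffix(strings.ToLower(res.Host), src[1:]) }
	return strings.EqualFold(src, res.Host)
}
// Allows decides whether page may load res under directive (for example script-src), falling
// back to default-src as CSP does. A bare *, ports, nonces and hashes are left out of this toy.
func Allows(policy map[string][]string, directive, pageURL, resURL string) bool {
	page, err1 := url.Parse(pageURL)
	res, err2 := url.Parse(resURL)
	if err1 != nil || err2 != nil { return false }
	sources, ok := policy[directive]
	if !ok { sources, ok = policy["default-src"] } // fetch directives fall back to default-src
	if !ok { return true }                          // no applicable directive: nothing restricts this load
	for _, src := range sources {
		switch s := strings.ToLower(src); {
		case s == "'self'" && res.Scheme == page.Scheme && res.Host == page.Host:
			return true
		case strings.HasSuffix(s, ":") && s == res.Scheme+":": // scheme-source such as https:
			return true
		case !strings.HasPrefix(s, "'") && !strings.HasSuffix(s, ":") && hostMatches(s, page, res):
			return true // keywords such as 'none' or 'unsafe-inline' never match a URL
		}
	}
	return false
}
```

A policy of just `default-src 'none'` therefore blocks every load, while a missing directive with no default-src leaves the browser’s normal behaviour untouched.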

So what is it that we know about HTTPS?

HTTPS provides point-to-point authentication and communication confidentiality between the browser and the server. It helps to prove that Steve’s service is from Steve. HTTPS relies on public and private key management, which means key pairs, generated and certified by a certification authority (CA). In other words, the CA blesses Steve’s key pair. CAs are recognized by browsers, and this recognition relies on reputation. If a CA is reliable (that is, known for doing Steve’s identity check properly and making sure to revoke his certificate if he behaves badly on the internet), then the browser will add it to its recognised CAs. And all services associated with certificates and key pairs delivered by trustworthy CAs will be operated under HTTPS. Key pair generation and certificate issuance are a painful process for web developers. In addition to migrating to HTTPS, they need to pay a few tens of dollars and find a CA kind enough to issue their certificate. In September, the Let’s Encrypt project is arriving: https://letsencrypt.org/. It will make certificate and key pair distribution automated, free and seamless, thus lowering the barrier to entering the HTTPS world. How this process will be made reliable and automated is still to be discussed, but this initiative could be a serious enabler towards an HTTPS everywhere scenario.
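To make the CA “blessing” concrete, here is an added Go example (not code from the post, the panel or Let’s Encrypt) that plays both sides: a toy CA self-signs its root and issues a certificate for Steve’s server, and a toy browser accepts that certificate only if it chains to a CA in its trust store and names the host being visited. Names such as Toy Root CA and steve.example are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// check aborts the toy CA on any error: acceptable in a demo, not in production code.
func check(err error) { if err != nil { panic(err) } }
// keyAndTemplate makes a fresh Ed25519 key pair and a one-day certificate template for name.
func keyAndTemplate(name string, isCA bool) (ed25519.PublicKey, ed25519.PrivateKey, *x509.Certificate) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{ // toy serial number and lifetime, constructed for this example
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if isCA { // a CA certificate is allowed to sign other certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // a server certificate names the host it is valid for
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return pub, priv, t
}
// IssueChain plays the CA: self-sign a root, then "bless" a new server key pair for host.
func IssueChain(caName, host string) (root, leaf *x509.Certificate) {
	caPub, caKey, caTmpl := keyAndTemplate(caName, true)
	der, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	check(err)
	root, err = x509.ParseCertificate(der)
	check(err)
	srvPub, _, srvTmpl := keyAndTemplate(host, false) // the server keeps its private key to itself
	der, err = x509.CreateCertificate(rand.Reader, srvTmpl, root, srvPub, caKey)
	check(err)
	leaf, err = x509.ParseCertificate(der)
	check(err)
	return root, leaf
}
// BrowserAccepts plays the browser: the certificate must chain to a trusted CA and name the host.
func BrowserAccepts(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, ca := range trusted { roots.AddCert(ca) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
```

The same leaf verified against an empty trust store, or against another CA’s root, is rejected; which roots go into that store is exactly the reputation decision the browser vendors make.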

And what is it that we don’t know?

Does HTTPS really need to be end to end? Some services may require some arrangement in the middle of the path, between the server serving the request and the browser. That kind of arrangement could be advertising loading, load balancing management, and so on. If we were to open some non-HTTPS path in an HTTPS request, to favour the work of the intermediate elements in charge of those arrangements, this would imply the risk of having middle boxes for monitoring enabled as well. So on one hand there are business interests in leaving some path HTTPS-free; on the other hand, the breach opened here could favour pervasive monitoring… So one should ask whether it is reasonable to only protect the last mile of the communication.

How should users be involved in the security cursor? Today users are told when a site is safe, with a green lock. It pushes them into a perception of security that may be overestimated. Some browser vendors would be in favour of alerting the user only if something is at risk. This opens the question of how far security should be visible to the user. Today it is the responsibility of the browser to accept CAs and to operate HTTPS normally. Including an educated user could be good, but what if the user is not skilled enough and accepts any CA?

Does HTTPS make the entire web safe? No. HTTPS is a means to increase the security of the communication between a server and a browser. But it does not protect from (1) threats happening on the server side (what if the server’s data is corrupted), (2) what is happening on the device side (what if some malicious application can explore and alter browser data), (3) the web developer’s private key protection (what if the service has its private key compromised). So a complete answer to securing web business is also about answering those questions. But we don’t know yet how to do that and how to get information about the security context of the entire service.

What about restricting sensitive features of the web to HTTPS-only connections? This could become a possible way to increase user privacy and control. But some claim that this would force web developers and services to migrate to HTTPS in order to access specific features, putting a higher technical barrier on deploying services (provided that certificates become free commons). Those last questions stayed unanswered. Nevertheless, this very good dialogue with experienced web developers at #edgeconf allowed us to hear pain points and fears from the audience. My take is the beginning of an action plan to answer those questions. Being involved in “problem solving by standard”, I would recommend that we create some fair places to discuss and solve the following questions:

  • HTTPS end-to-end best practices, including the middle box problem.
  • User involvement in security indication and management, including user experience concerns and creating a standard for making the user indication clear.
  • Guidelines and supporting tools for web developers to deploy HTTPS and adopt certificate usage (from whatever CA it comes from).

I guess that W3C and IETF may hear in the coming weeks about those suggestions for keeping our web safe.

Note: extensive notes are available here https://decadecity.net/blog/2015/06/27/edge-conf-security by Orde Saunders