Thyla van der Merwe on User Safety, Maintaining Balance, and Mozilla’s Future

Thyla van der Merwe’s first goal is to keep users safe online. The cryptography engineering manager spent two summers interning at Mozilla before joining full time in 2018. Today, she and her team manage the company’s cryptographic libraries, contribute to global cryptography standards, and analyze security features across Mozilla teams. They’re also involved in academic research and are constantly thinking about new features that provide increased security and protection to Mozilla users. Below, the math-lover shares more about the steps that led her here, how she pursues balance, and Mozilla’s innovative future.

What do you do at Mozilla?

I manage the Cryptography team, which is responsible for keeping our users safe, whether that’s protecting their sensitive information on the wire or making sure they can trust the servers they connect with. We’re split into several subteams that focus on key areas—our Network Security Services and Personal Security Manager teams oversee cryptographic libraries; our Security Review team handles review requests from across Mozilla; our Certificate Authority Program team decides which authorities to include in the browser’s root store and deals with revocation when a certificate isn’t trusted. We also have a Features team that focuses on keeping our cryptography offerings state-of-the-art—staying on top of the latest research and thinking ahead to the next paths we could take. When we decide to develop a new feature, all of the subteams come together to lend their expertise.

Tell us about your background. What brought you to this field and to Mozilla?

I suppose it started with a love of mathematics. My first degree was in statistics and economics, and I ended up adding a math major because I enjoyed those courses so much. Then I decided to get a master’s in math, and that’s when I began focusing on security. I got a job in South Africa, where I’m from, at a firm that produced cryptographic hardware, and I started doing a lot of standards work on cryptographic mechanisms with the International Organization for Standardization.

Eventually, I wanted to branch out from the mathematics of security and learn more about the broader field—security is so large and so interdisciplinary. So I did another master’s in information security, which led to a Ph.D., which led to two internships at Mozilla. I’d always been interested in the company, because I wholeheartedly agree with the principle—also described in our manifesto—that user security and privacy is fundamental, not optional. Users deserve the best possible protection we can give them. I focused on security protocols during my internships, specifically the Transport Layer Security protocol, then joined the team full-time as a security and privacy engineer in 2018.

Thyla at the Engineering and Physical Sciences Research Council (EPSRC)

photo credit: Dan Tsantilis

What are some projects the team is working on now?

One thing we’ve been implementing is the new WebAuthn standard, which aims to standardize how users authenticate themselves to web services. WebAuthn relies on public-key cryptography rather than passwords, since passwords are both notoriously easy to guess and subject to phishing attacks.

We’re also working on CRLite, which is a clever new technology that makes certificate revocation more efficient. It was designed in academia, and now we’re working to translate it to Firefox. Eventually, it will help us get closer to what’s known as a “fail-closed” paradigm. Most revocation mechanisms are “fail-open,” meaning your browser will go ahead even if it can’t establish trust in the connection. At Mozilla, the entire mission is to create a web where people are safe, and trustworthy connections are a part of that. Security is central to everything we do.

How does Mozilla’s team work with the broader cryptography community?

A lot of our collaboration happens through the SURF initiative, which stands for SecEng University Relationship Framework⁠—the CRLite project is a good example. SURF started a couple of years ago; a few of us on the Security Engineering team had been in PhD programs and were sitting on program committees and collaborating with research, but we started to think, “There’s more we can do.” So we decided to start hosting annual summits where we could give talks to academic researchers about the open security problems we were facing, as a launchpad to partnering with them on projects that Mozilla alone wouldn’t have the resources to tackle.

The members of SURF also serve on program committees for conferences and help supervise student projects, and we recently applied for a big research grant on high-assurance cryptography⁠, which uses a variety of tools to help keep software free of bugs. It’s been really rewarding so far, and I’m interested to see how industry and academia can continue working together.

How do you see your role as a leader?

What I like about managing is giving my team a platform to do their best work⁠—helping them make significant security contributions to both Mozilla and the web. I also try to shine a light on what they’re doing, because cryptography is like the plumbing of a browser; it’s seen as mysterious and doesn’t always get much visibility.

I’m fortunate to work with a very talented, experienced team that I completely trust, but managing can still be a challenge just because there are so many responsibilities. One thing I’ve personally had to adjust to is having less time to be technical and get my hands dirty. I think it’s important for a manager to be conversant in the technical language a team is speaking—last year, I took a Rust course because the team wanted to do more with it⁠—but I do have to balance that with everything else.

I try to keep things balanced for the team, too, in several ways. Maintenance is a core component of what we do, and there are weeks it takes over. But we’re also keeping an eye on research and how standards are developing, talking with the CTO’s office, and having our own conversations about how we can innovate. I also try to make sure our team members aren’t overloaded. We get requests from all across Mozilla, and I’m constantly asking about my team’s workload so I can help defend their time. And I try to strike a balance in our hiring, as well. We have a lot of senior people, which is wonderful, but I do want to bring in more junior people, both so they can grow within the team and so our senior members can grow as mentors.

What are you excited about?

In terms of cryptography, there are a lot of new developments I’m excited to see. Post-quantum cryptography⁠, for example⁠—it will be very easy for quantum computers to solve the mathematical problems most public key cryptography is currently based on, so we’re seeing a lot of exploration of solutions like lattice-based cryptography. The symmetric-key side will be less affected, but key lengths will still need to be much larger, to make sure they’re computationally infeasible for a quantum computer to break. We’ve started to do some research in these areas within Mozilla, and I’m hopeful we can explore it even more through SURF.

We’ve also brought on some new team members with very strong research backgrounds, and I’m excited about how they can influence our direction. And I’m excited, in general, about how our team can contribute to moving Mozilla forward. The company definitely recognizes that innovation is going to be critical in the months and years ahead, and I think we’re at the beginning of a whole new phase.

