- Written by Emma
- Clubbing seals: Exploring the ecosystem of third-party security seals, Tom Van Goethem, Frank Piessens, Wouter Joosen, and Nick Nikiforakis, in: 2014 ACM SIGSAC Conference on Computer and Communications Security (ACM CCS 2014), pages 918–929. ACM, November 2014.
- Protected web components: Hiding sensitive information in the shadows, Philippe De Ryck, Nick Nikiforakis, Lieven Desmet, Frank Piessens, Wouter Joosen, IT Professional, Volume 17, Issue 1, p36-43, 2015, http://dx.doi.org/10.1109/MITP.2015.12, https://lirias.kuleuven.be/handle/123456789/487505
- Parking sensors: Analyzing and detecting parked domains, Thomas Vissers, Wouter Joosen, Nick Nikiforakis, Proceedings of the 22nd Network and Distributed System Security Symposium (NDSS 2015), 2015, http://dx.doi.org/10.14722/ndss.2015.23053, https://lirias.kuleuven.be/handle/123456789/487375
- Seven months' worth of mistakes: A longitudinal study of typosquatting abuse, Pieter Agten, Wouter Joosen, Frank Piessens, Nick Nikiforakis, Proceedings of the 22nd Network and Distributed System Security Symposium (NDSS 2015), 2015, http://dx.doi.org/10.14722/ndss.2015.23058, https://lirias.kuleuven.be/handle/123456789/471369
- SecSess: keeping your session tucked away in your browser, Philippe De Ryck, Lieven Desmet, Frank Piessens, Wouter Joosen, Proceedings of the 30th Annual ACM Symposium on Applied Computing, p.2171-2176, ACM, New York, 2015, http://dx.doi.org/10.1145/2695664.2695764, https://lirias.kuleuven.be/handle/123456789/503824
- HTTP Origin-Bound Authentication (HOBA), Stephen Farrell, Paul Hoffman, Michael Thomas, RFC Series, 7486, 2015, ISSN: 2070-1721
- LogSec: Adaptive Protection for the Wild Wild Web, Bastian Braun, Korbinian Pauli, Joachim Posegga and Martin Johns, 30th ACM/SIGAPP Symposium on Applied Computing (SAC 2015), ACM, 2015, http://dx.doi.org/10.1145/2695664.2695709
- From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting, Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin Johns, 22nd ACM Conference on Computer and Communications Security (ACM CCS'15), ACM, 2015, http://dx.doi.org/10.1145/2810103.2813625
- Opportunistic Security in MPLS Networks, A. Farrel and S. Farrell, IETF, 2015, https://tools.ietf.org/html/draft-ietf-mpls-opportunistic-encrypt-00
- Written by Linh Nguyen
- Large-scale Security Analysis of the Web: Challenges and Findings, Tom Van Goethem, Ping Chen, Nick Nikiforakis, Lieven Desmet, Wouter Joosen, TRUST 2014, Berlin Heidelberg, Germany, http://link.springer.com/chapter/10.1007%2F978-3-319-08593-7_8
- Stateful declassification policies for event-driven programs, Mathy Vanhoef, Willem De Groef, Dominique Devriese, Frank Piessens, and Tamara Rezk, CSF 2014, https://lirias.kuleuven.be/bitstream/123456789/452207/1/sme_declassification.pdf
- STRINT Workshop (workshop report), S. Farrell, R. Wenning, B. Bos, M. Blanchet, H. Tschofenig, W3C & IETF, https://www.w3.org/2014/strint/draft-iab-strint-report.html
- Crying wolf? On the price discrimination of online airline tickets, Thomas Vissers, Nick Nikiforakis, Nataliia Bielova, and Wouter Joosen, HotPETs 2014, 18 July 2014, https://lirias.kuleuven.be/handle/123456789/454872
- Stranger danger: Exploring the ecosystem of ad-based URL shortening services, Nick Nikiforakis, WWW 2014, 7-11 April 2014, IW3C2, Seoul, Korea, https://lirias.kuleuven.be/handle/123456789/440951
- Secure multi-execution of web scripts: Theory and practice, Willem De Groef, Journal of Computer Security, IOS Press, https://lirias.kuleuven.be/bitstream/123456789/442492/2/flowfox.pdf
- A Dangerous Mix: Large-scale analysis of mixed-content websites, Ping Chen, ISC 2013, http://www.securitee.org/files/mixedinc_isc2013.pdf
- Web Application Security - Web @ 25 – Preface, Lieven Desmet, Martin Johns, Benjamin Livshits, Andrei Sabelfeld, Journal of Computer Security, IOS Press
- Information flow control for web scripts, Willem De Groef, Dominique Devriese, Mathy Vanhoef, Frank Piessens, FOSAD 2014, Berlin Heidelberg, Germany, http://link.springer.com/chapter/10.1007%2F978-3-319-10082-1_5
- Monkey-in-the-browser: Malware and vulnerabilities in augmented browsing script markets, Steven Van Acker, Nick Nikiforakis, Lieven Desmet, Frank Piessens, Wouter Joosen, AsiaCCS 2014, 4-6 June, 2014, New York, USA, http://www.cs.kuleuven.be/publicaties/rapporten/cw/CW657.pdf
- On the workings and current practices of web-based device fingerprinting, Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna, IEEE Security & Privacy, http://www.computer.org/csdl/mags/sp/2014/03/msp2014030028-abs.html
Standards and related documents
- Cross-Origin Resource Sharing, Anne van Kesteren, W3C Recommendation, http://www.w3.org/TR/2014/REC-cors-20140116/
- Subresource Integrity, Frederik Braun, Devdatta Akhawe, Joel Weinberger, Mike West, http://www.w3.org/TR/2014/WD-SRI-20140318/
- User Interface Security Directives for Content Security Policy, Giorgio Maone, David Lin-Shung Huang, Tobias Gondrom, Brad Hill, http://www.w3.org/TR/2014/WD-UISecurity-20140318/
- Web Cryptography API, Ryan Sleevi, Mark Watson, http://www.w3.org/TR/2014/WD-WebCryptoAPI-20140325/
- Content Security Policy Level 2, Mike West, Adam Barth, Dan Veditz, http://www.w3.org/TR/2014/WD-CSP2-20140703/
- Referrer Policy, Jochen Eisinger, Mike West, http://www.w3.org/TR/2014/WD-referrer-policy-20140807/
- Mixed Content, Mike West, http://www.w3.org/TR/2014/WD-mixed-content-20140916/
- Written by Linh Nguyen
- Cookieless monster: Exploring the ecosystem of web-based device fingerprinting, Nick Nikiforakis, IEEE Symposium on Security and Privacy 2013, 19-22 May 2013, IEEE Computer Society, Washington, http://dx.doi.org/10.1109/SP.2013.43
- FlowFox: a web browser with flexible and precise information flow control, Willem De Groef, ACM CCS 2012, 16-18 October 2012, ACM, New York, 2012, http://dx.doi.org/10.1145/2382196.2382275
- Bitsquatting: Exploiting bit-flips for fun, or profit, Nick Nikiforakis and Steven Van Acker, WWW 2013, 13-17 May 2013, IW3C2 Geneva 2013
- Web Application Security (Dagstuhl Seminar 12401), Lieven Desmet and Martin Johns, Dagstuhl Reports, 1-5 October 2012, Dagstuhl, Wadern, 2013, http://dx.doi.org/10.4230/DagRep.2.10.1
- TabShots: Client-side detection of tabnabbing attacks, Philippe De Ryck and Nick Nikiforakis, AsiaCCS 2013, 8-13 May 2013, ACM, New York, 2013, http://dx.doi.org/10.1145/2484313.2484371
- Improving the security of session management in web applications, Philippe De Ryck, OWASP AppSec EU 2013, 22-23 August 2013, OWASP, Hamburg
- Towards a Secure Web: Critical Vulnerabilities and Client-Side Countermeasures, Nick Nikiforakis, PhD Thesis, 30 August 2013, KU Leuven, Leuven 2013
- BetterAuth: Web Authentication Revisited, Martin Johns, Sebastian Lekies, Bastian Braun, and Benjamin Flesch, Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC '12), ACM, New York, NY, USA, 2012
- Eradicating DNS Rebinding with the Extended Same-Origin Policy, Martin Johns, Sebastian Lekies, Ben Stock, SEC'13: Proceedings of the 22nd USENIX Conference on Security, USENIX Association, Berkeley, CA, USA, 2013
- Tamper-resistant LikeJacking Protection, Martin Johns, Sebastian Lekies, 16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2013), Rodney Bay, St. Lucia, October 23-25, 2013, Proceedings, LNCS Volume 8145, Springer, Berlin Heidelberg, Germany, 2013
Standards and related documents
- Web Cryptography API Use Cases, Web Cryptography WG (Arun Ranganathan, ed.), W3C Working Group Note, W3C, http://www.w3.org/TR/2013/NOTE-webcrypto-usecases-20130910/
- WebCrypto Key Discovery, Web Cryptography WG (Mark Watson, ed.), W3C Working Draft, W3C, http://www.w3.org/TR/2013/WD-webcrypto-key-discovery-20130822/
- Web Cryptography API, Web Cryptography WG (David Dahl, Ryan Sleevi, eds.), W3C Working Draft, http://www.w3.org/TR/2013/WD-WebCryptoAPI-20130625/
- Content Security Policy 1.1, Web Application Security WG (Adam Barth, Dan Veditz, Mike West, eds.), W3C Working Draft, W3C, 2013, http://www.w3.org/TR/2013/WD-CSP11-20130604/
- User Interface Security Directives for Content Security Policy, Web Application Security WG (Giorgio Maone, David Lin-Shung Huang, Tobias Gondrom, Brad Hill, eds.), W3C Working Draft, W3C, http://www.w3.org/TR/2013/WD-UISecurity-20130523/
- Runtime and Security Model for Web Applications, System Applications WG (Mounir Lamouri, 金明 (Ming Jin), eds.), W3C Working Draft, http://www.w3.org/TR/2013/WD-runtime-20130321/
- Cross-Origin Resource Sharing, Web Applications WG, Web Application Security WG (Anne van Kesteren, ed.), W3C Candidate Recommendation, W3C, http://www.w3.org/TR/2013/CR-cors-20130129/
- Content Security Policy 1.0, Web Application Security WG (Brandon Sterne, Adam Barth, eds.), W3C Candidate Recommendation, W3C, http://www.w3.org/TR/2012/CR-CSP-20121115/
- WebRTC 1.0: Real-time Communication Between Browsers, Web Real-Time Communications WG (Adam Bergkvist, Daniel C. Burnett, Cullen Jennings, Anant Narayanan, eds.), W3C Working Draft, W3C, http://www.w3.org/TR/2013/WD-webrtc-20130910/
- Written by Bert Bos
A few recent publications that were not (co-)written by STREWS but may be of interest to the STREWS community.
Study on cryptographic protocols – by ENISA
ENISA (the EU agency for network and information security) published a report on cryptographic protocols. The protocols studied are lower-level protocols, such as TLS, SSH, UMTS and Bluetooth. Higher-level protocols, such as HTTP, often pass over connections established by such lower-level protocols.
The study looks especially at the way cryptographic methods are used in those protocols, because mathematically strong cryptography can easily be applied incorrectly: the same algorithm that works in one protocol can fail to protect data in another, or provide only weak protection. The error may be due to bugs in implementations (e.g. the Heartbleed bug), but the report looks more specifically at design errors in the protocol (e.g., the padding weakness in SSLv3).
IAB Statement on Internet Confidentiality – by the IAB
The IAB (Internet Architecture Board) published a statement in which it discusses the threats of pervasive monitoring and recommends that all new protocols, at all levels, should use encryption. Encryption combined with authentication is best, but even without authentication, encryption already increases the cost for eavesdroppers. The danger of not taking that route is that people's trust in networks, already degraded, will degrade even more.
This statement is of course an echo of the STRINT workshop (the joint W3C/IAB workshop organized by STREWS in February 2014); one of its conclusions was exactly that: a recommendation to standards organizations such as the IETF and W3C to adopt a policy of encryption everywhere.
Security Collapse in the HTTPS Market – by A. Arnbak et al.
Those problems aren't new: The article discusses security breaches that all occurred before 2012 and risks that have been known in the IETF and security research communities for some time. One such problem is the fact that any Certificate Authority (CA) can issue certificates for any domain, even if another CA already issued one earlier. Thus, a single bad CA can put the whole Web at risk.
But the fact that the issues are known doesn't mean the underlying weaknesses in the system have been solved. (That is also the reason they came up again at the STRINT workshop last February.)
The article lists the social and economic reasons why the system is difficult to change. It looks at various attempts by governments to regulate CAs and at some proposed technological solutions, such as Google's Certificate Transparency, but it concludes that the system resists change. The risks to Web security remain high, and they have even increased since the Snowden revelations.
(For some reactions on & criticism of the paper, see the comments on Bruce Schneier's blog.)