Standards and related documents


  • Cookieless monster: Exploring the ecosystem of web-based device fingerprinting, Nick Nikiforakis, IEEE Symposium on Security and Privacy 2013, 19-22 May 2013, IEEE Computer SocietyWashington,
  • You are what you include: large-scale evaluation of remote javascript inclusions, Nick Nikiforakis and Steven Van Acker, ACM CCS 2012, 16-18 October 2012 ACM, New York 2012,
  • FlowFox: a web browser with flexible and precise information flow control, Willem De Groef, ACM CCS 2012, 16-18 October 2012, ACM New York 2012,
  • JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications, Pieter Agten and Steven Van Acker, ACSAC 2012, 3-7 December 2012, ACM, New York 2012,
  • Bitsquatting: Exploiting bit-flips for fun, or profit, Nick Nikiforakis and Steven Van Acker, WWW 2013, 13-17 May 2013, IW3C2 Geneva 2013
  • Web Application Security (Dagstuhl Seminar 12401), Lieven Desmet and Martin Johns, Dagstuhl reports, 1-5 October 2012, Dagstuhl Wadern 2013,
  • TabShots: Client-side detection of tabnabbing attacks, Philippe De Ryck and Nick Nikiforakis, AsiaCCS 2013, 8-13 May 2013 ACM, New York 2013,
  • Improving the security of session management in web applications, Philippe De Ryck, OWASP, AppSec EU 2013, 22-23 August 2013 OWASP Hamburg
  • Towards a Secure Web: Critical Vulnerabilities and Client-Side Countermeasures, Nick Nikiforakis, PhD Thesis, 30 August 2013, KU Leuven, Leuven 2013
  • BetterAuth: Web Authentication Revisited, Martin Johns, Sebastian Lekies, Bastian Braun, and Benjamin Flesch, Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC '12), Annually ACM New York, NY, USA 2012
  • PreparedJS: Secure Script-Templates for JavaScript, Martin Johns, Lecture Notes in Computer Science: Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '13), LNCS, Volume 7967, Springer Berlin Heidelberg, Germany 2013
  • Eradicating DNS Rebinding with the Extended Same-Origin Policy, Martin Johns, Sebastian Lekies, Ben Stock, Proceeding, SEC'13 Proceedings of the 22nd USENIX conference on Security Annually USENIX Association Berkeley, CA, USA 2013
  • Tamper-resistant LikeJacking Protection, Martin Johs, Sebastian Lekies, 16th International Symposium, RAID 2013, Rodney Bay, St. Lucia, October 23-25, 2013. Proceedings LNCS, Volume 8145 Springer Berlin Heidelberg, Germany 2013

Standards and related documents

A few recent publications, which are not (co-)written by STREWS, but may be of interest to the STREWS community.

Study on cryptographic protocols – by ENISA

ENISA (the EU agency for network and information security) published a report on cryptographic protocols. The protocols studied are lower-level protocols, such as TLS, SSH, UMTS and Bluetooth. Higher level protocols, such as HTTP, ofen pass over connections established by such lower-level protocols.

The study especially looks at the way cryptographic methods are used in those protocols, because cryptography that is mathematically strong can easily be applied incorrectly: The same algorithms that works in one protocol can thus fail to protect data in another, or provide only weak protection. The error may be due to bugs in implementations (e.g. the heartbleed bug), but the report looks more specifically at design errors in the protocol (e.g., the padding weakness in SSLv3).

IAB Statement on Internet Confidentiality – by the IAB

The IAB (Internet Architcture Board) published a statement in which it talks about the threats of pervasive monitoring and recommends that all new protocols, at all levels, should use encryption. Encryption combined with authentication is best, but even without authentication, encryption already increass the cost for eavesdroppers. The danger of not taking that route is that the trust of people in networks, already degraded, will degrade even more.

This statement is of course an echo of the STRINT workshop (the joint W3C/IAB workshop organized by STREWS in February 2014), one of the conclusions was exactly that: a recommendation to standards organizations such as IETF and W3C to adopt a policy of encryption everywhere.

Security Collapse in the HTTPS Market – by A. Arnbak et al.

This article (also as PDF) in ACM Queue of September looks at some problems with the certificate system underlying TLS, and thus HTTPS.

Those problems aren't new: The article discusses security breaches that all occurred before 2012 and risks that have been known in the IETF and security research communities for some time. One such problem is the fact that any Certificate Authority (CA) can issue certificates for any domain, even if another CA already issued one earlier. Thus, a single bad CA can put the whole Web at risk.

But the fact that the issues are known doesn't mean the underlying weaknesses in the system have been solved. (That is also the reason they came up again at the STRINT workshop last February.)

The article lists the social and economic reasons why the system is difficult to change. It looks at various attempts by governments to regulate CAs and at some proposed technological solutions, such as Google's Certificate Transparency, but it concludes that the system resists change. The risks to Web security remain high. They even got higher, after the Snowden revelations.

(For some reactions on & criticism of the paper, see the comments on Bruce Schneier's blog.)