SecWeb 2021

Designing Security for the Web

News

August 13, 2021: Please register for EuroS&P as a virtual attendee if you want to take part in the SecWeb workshop

August 11, 2021: For organizational reasons, SecWeb is held jointly with CyberCert. The CyberCert workshop is held from 12:00 to 13:30, SecWeb starts at 13:30.

May 27, 2021: Given a snafu, we failed to add the link to the HotCRP instance on the page (doh). We have extended the deadline by a week to remedy that. Please visit HotCRP to submit your papers!

May 17, 2021: Our date is now fixed for September 6, again in a fully virtualized format. We assume that we will have similar timing as last year (2pm to 7pm, CEST).

April 21, 2021: We can now confirm our second keynote speaker: Nataliia Bielova from Inria's Privatics team.

February 25, 2021: We are happy to announce our first keynote speaker: Christoph Kerschbaumer from Mozilla!

February 25, 2021: This year, SecWeb will feature a mentoring program for junior members of the community to be exposed to the reviewing process. If you are a student working on Web security or are the supervisor of students working on Web Security, please reach out via email to us (chairs(at)secweb(dot)work) to indicate interest.

February 22, 2021: We'll have a second edition of SecWeb, again co-located with EuroS&P! We are also releasing a preliminary CfP today.

SecWeb Reviewing Mentoring

Reviewing is hard, constructive reviewing even more so. For SecWeb, we will therefore have a mentoring program for junior members of the community. We will invite a limited number of students in the area of Web security onto the PC, and each junior member will have a mentor with whom to discuss their reviews. In this way, junior community members are exposed to the reviewing and discussion process, while also benefiting from the experience and insights of more senior reviewers. If you or your students are interested in this, write an email to chairs(at)secweb(dot)work by March 15 to indicate your (or your students') interest.

What is SecWeb?

Back in the day, the Web was not designed with security or privacy in mind. Many key mechanisms we rely on today for critical functionality were arguably not designed for security (such as cookies for authentication purposes), and numerous mechanisms have been piecemeal retrofitted to the Web to add security to it. In this workshop, we want to move away from augmenting the Web with Security and rather design Security for the Web.

Aim & Scope

The Web has become the key access point to a plethora of security-sensitive services, which we use on a daily basis, yet it was not designed with security in mind. Over the years, this has led to many security mechanisms which were piecemeal retrofitted so as not to break existing web applications. The goal of the SecWeb workshop is therefore twofold: we want to collect ideas on how the Web could be extended with novel security mechanisms, better access interfaces (browsers) and disciplined programming abstractions, so as to natively support secure web application development. Moreover, we also invite in particular contributions which aim to redesign parts of the ecosystem, so as not to be stuck with a patchwork of security on the Web, but rather have security built in by design.

Besides traditional Web security papers, SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current web platform could be heavily re-envisioned for security. Such proposals often do not fit major computer security conferences, because their real-world deployment might be complicated, yet they have value for the web security community, since they advance the understanding of relevant web security problems, their root causes and the design space of possible solutions. Ideally, we expect well-thought-out proposals accepted at SecWeb to be excellent starting points for discussion with browser vendors (which we explicitly envision as participants) and/or major players of the Web market, who have the commitment and the resources to convert academic proposals into reality.

Program 2021

The workshop is set for September 6, 2021. SecWeb is held jointly with the CyberCert workshop. To attend, please register for EuroS&P.

12:00 - 12:05 CyberCert Opening Remarks -- Philippe Massonet (CETIC), Tobias Fiebig (TU Delft)
12:05 - 12:30 Keynote: Challenges in building cybersecurity certification schemes and how it interacts with research and standardization -- Eric Vetillard (ENISA)
12:30 - 12:50 Towards Cybersecurity MOOC Certification -- Matthias Beckerle, Argyro Chatzopoulou, and Simone Fischer-Hübner
12:50 - 13:10 Incremental Common Criteria Certification Processes using DevSecOps Practices -- Philippe Massonet, Sébastien Dupont, Guillaume Ginis, Christophe Ponsard, Mirko Malacario, Claudio Porretti and Nicolò Maunero
13:10 - 13:20 MEDINA: Security framework for cloud service providers to achieve a continuous audit-based certification -- Leire Orue-Echevarria Arrieta, Christian Banse, Juncal Alonso Ibarra, Luna Garcia Jesus, Fabio Martinelli and Artsiom Yautsiukhin
13:20 - 13:30 Questions and Answers, CyberCert Closing Remarks -- Philippe Massonet (CETIC), Tobias Fiebig (TU Delft)
13:30 - 13:40 SecWeb Opening Remarks -- Stefano Calzavara (Università Ca' Foscari Venezia), Ben Stock (CISPA Helmholtz Center for Information Security)
13:40 - 14:20 Keynote: Web tracking, consent pop-ups and dark patterns: legal and technical perspectives -- Nataliia Bielova (Inria)
As millions of users browse the Web on a daily basis, they become producers of data that are continuously collected by numerous companies and agencies. Website owners, however, need to become compliant with recent EU privacy regulations (such as GDPR and ePrivacy) and often rely on consent pop-ups to either inform users or collect their consent to tracking.

This talk delves into the subject of compliance of tracking technologies and consent pop-ups with the GDPR and ePrivacy Directive, and offers a multi-disciplinary discourse from legal, technical and even design perspectives. We present our recent works on detection of Web tracking, compliance of consent pop-ups, and identification of gaps between law, design and technology when dark patterns are used in consent pop-ups.

This talk covers our recent publications in the computer science, law and human-computer interaction domains:

  • Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners. Cristiana Santos, Nataliia Bielova and Célestin Matte. International Journal on Technology and Regulation (TechReg), 2020.
  • Missed by Filter Lists: Detecting Unknown Third-Party Trackers with Invisible Pixels. Imane Fouad, Nataliia Bielova, Arnaud Legout and Natasa Sarafijanovic-Djukic. Privacy Enhancing Technologies, 2020.
  • Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework. Célestin Matte, Nataliia Bielova and Cristiana Santos. IEEE Symposium on Security and Privacy, 2020.
  • Purposes in IAB Europe's TCF: which legal basis and how are they used by advertisers? Célestin Matte, Cristiana Santos and Nataliia Bielova. Annual Privacy Forum, 2020.
  • Dark Patterns and the Legal Requirements of Consent Banners: An Interaction Criticism Perspective. Colin M. Gray, Cristiana Santos, Nataliia Bielova, Michael Toth and Damian Clifford. ACM Conference on Human Factors in Computing Systems, 2021 (Honorable Mention).
Nataliia Bielova (Inria)
Nataliia Bielova is a Research Scientist in the Privatics team at Inria (France), where she started interdisciplinary research in Computer Science and EU Data Protection Law. Her main research interests are measurement, detection and protection from Web tracking. She continuously collaborates with researchers in Law to understand how GDPR and the ePrivacy Regulation can be enforced in Web applications, and with researchers in Design to analyze and detect dark patterns in consent collection mechanisms on the Web.

Nataliia Bielova earned a PhD in Computer Science from the University of Trento (Italy) in 2011. She obtained an interdisciplinary personal project, ANR PrivaWeb, in 2018, and received an Inria PEDR Award for PhD supervision and research in 2017 and 2021. Nataliia Bielova has been a recognised member of an emerging interdisciplinary research community between legal scholars and computer scientists in privacy protection. She is a co-founder of the first Dagstuhl seminar on Online Privacy and Web Transparency in 2017, a co-president of the CNIL-Inria Privacy Protection Award in 2019 and 2020, and a member of the Caspar Bowden PETs Award committee in 2020. Nataliia Bielova has also significantly contributed to the privacy education of the general public: she co-authored the Massive Open Online Course on Privacy Protection that has been followed by over 43,000 French-speaking participants in 2018-2020.

More info on her Web page
14:20 - 14:30 Break
14:30 - 14:50 EssentialFP: Exposing the Essence of Browser Fingerprinting -- Alexander Sjösten (TU Wien & Chalmers University of Technology), Daniel Hedin (Mälardalen University & Chalmers University of Technology), Andrei Sabelfeld (Chalmers University of Technology)
14:50 - 15:10 Think Before You Type: A Study of Email Exfiltration Before Form Submissions -- Asuman Şenol (KU Leuven), Gunes Acar (KU Leuven), Mathias Humbert (armasuisse)
15:10 - 15:30 Understanding Cross-site Leaks and Defenses -- Tom Van Goethem (KU Leuven), Iskander Sanchez-Rola (Norton Research Group), David Dworken (Google), Wouter Joosen (KU Leuven)
15:30 - 15:50 Break
15:50 - 16:10 Work in progress: Exploring Deceptive Affiliate Marketing -- Victor Le Pochat (KU Leuven), Tom Van Goethem (KU Leuven), Wouter Joosen (KU Leuven)
16:10 - 16:30 A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence -- Luca Compagna (SAP Labs France), Hugo Jonker (Radboud University Nijmegen + Open University Netherlands), Benjamin Krumnow (TH Köln + Open University Netherlands), Merve Sahin (SAP Labs France), J. Maximilian Kroschewski
16:30 - 16:50 Adopting Trusted Types in Production Web Frameworks to Prevent DOM-Based Cross-Site Scripting: A Case Study -- Pei Wang (Google), Bjarki Ágúst Guðmundsson (Google), Krzysztof Kotowicz (Google)
16:50 - 17:10 JSONPS: Secure an inherently insecure practice with this one weird trick! -- Sebastian Lekies (Google), Damien Engels (Google), Metodi Mitkov (Saarland University)
17:10 - 17:30 Break
17:30 - 18:00 Keynote: The Road to a secure Web -- Christoph Kerschbaumer (Mozilla)
The Hypertext Transfer Protocol, generally displayed as http in a browser's address bar, is the fundamental protocol through which web browsers and websites communicate. However, data transferred by the regular http protocol is unprotected and transferred in cleartext, such that attackers are able to view, steal, or even tamper with the transmitted data.

Carrying http over the Transport Layer Security (TLS) protocol, generally displayed as https in the address bar of a browser, fixes this security shortcoming by creating a secure and encrypted connection between the browser and the website.

Over the past few years we have witnessed tremendous progress towards migrating the web to rely on https instead of the outdated and insecure http protocol. Within this talk we will highlight initiatives from browser vendors as well as community efforts to accelerate the migration from http to https. We will conclude by answering the question of how much further we have to continue on this road to reach our destination: a secure Web.
Christoph Kerschbaumer (Mozilla)
Christoph manages Security Infrastructure Engineering at Mozilla and has over a decade of experience in Secure Systems Development. His work ranges from designing secure systems with fail-safe defaults to fighting cross-site scripting as well as preventing man-in-the-middle attacks.

Christoph received his PhD in Computer Science from the University of California, Irvine where he based his research on information flow tracking techniques within web browsers.

Prior to being a graduate research scholar, he received a M.Sc. and B.Sc. in Computer Science from the Technical University Graz, Austria.

More info on his Web page
18:00 - 19:00 Panel "Quo Vadis, Secure Web?" with: Nataliia Bielova (INRIA), Frederik Braun (Mozilla), Martin Johns (TU Braunschweig), Emily Stark (Google), Mary Ellen Zurko (MIT Lincoln Laboratory). Moderation: Nick Nikiforakis (Stony Brook University)

Logistics & Dates

SecWeb 2021 is co-located with IEEE EuroS&P 2021 and scheduled for September 6, 2021.

Important Dates

  • Paper submissions due: June 11, 2021 (15:59 CET), extended from May 28, via HotCRP
  • Notification to authors: July 2, 2021
  • Camera-ready deadline for accepted papers: July 16, 2021

Call for Papers

All papers discussing Web security and Web privacy aspects are solicited for submission. SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current Web platform could be heavily re-envisioned for security. This explicitly includes proposals that would break today’s Web to improve its security tomorrow.

Topics of interest include, but are not limited to, the following:

  • Browser security
  • Formal methods for Web security
  • Language-based Web security
  • Security policies for the Web
  • Usable Web security
  • Web application firewalls
  • Web attacks and defenses
  • Web authentication and authorization
  • Web protocol security
  • Web security architectures
  • Web tracking and online advertisement

Reviewing and Publication Process

SecWeb solicits both full and short papers. All papers must be written in English and must not exceed 10 pages (full) or 6 pages (short) in A4 format using the IEEE conference proceedings template (excluding bibliography and well-marked appendices). Submissions must be in PDF format and should print easily on simple default configurations. Submissions are anonymous, so information that might identify the authors must be excluded. It is the authors' responsibility to ensure that their anonymity is preserved when citing their own work. Failure to adhere to these requirements can be grounds for rejection.

The proceedings will be published by the IEEE after the workshop and will be made available in IEEE Xplore. During submission, authors can choose to have their paper excluded from the proceedings. At least one author of each accepted paper must register for the workshop to present it.

All submissions considered for inclusion in the proceedings must contain an original contribution. That is, these papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal, conference or workshop. In particular, simultaneous submission of the same work is not allowed. This requirement is relaxed for submissions which will not be included in the proceedings: in particular, we also invite papers that are currently under submission or planned to be submitted before the SecWeb notification.

Program Committee

  • Stefano Calzavara (Università Ca' Foscari Venezia) -- Chair
  • Ben Stock (CISPA Helmholtz Center for Information Security) -- Chair
  • Adam Oest (Paypal)
  • Alexandros Kapravelos (NC State)
  • Alvaro Feal (IMDEA, Mentee)
  • Aurore Fass (CISPA Helmholtz Center for Information Security)
  • Babak Amin Azad (Stony Brook, Mentee)
  • Devdatta Akhawe (Figma)
  • Emily Stark (Google)
  • Frederik Braun (Mozilla)
  • Gertjan Franken (KU Leuven, Mentee)
  • Gunes Acar (KU Leuven)
  • Hugo Jonker (Open University)
  • John Wilander (Apple)
  • Katharina Krombholz (CISPA Helmholtz Center for Information Security)
  • Kostas Solomos (UIC, Mentee)
  • Lorenzo Veronese (TU Wien, Mentee)
  • Luca Compagna (SAP)
  • Marco Squarcina (TU Wien)
  • Marius Musch (TU Braunschweig, Mentee)
  • Merve Sahin (SAP)
  • Muhammad Ikram (Macquarie University)
  • Nick Nikiforakis (Stony Brook)
  • Pierre Laperdrix (CNRS)
  • Sebastian Lekies (Google)
  • Sebastian Roth (CISPA Helmholtz Center for Information Security, Mentee)
  • Sooel Son (KAIST)
  • Tamara Rezk (INRIA)
  • Tom Van Goethem (KU Leuven)
  • Veelasha Moonsamy (Ruhr University Bochum)
  • Victor Le Pochat (KU Leuven, Mentee)
  • William Robertson (Northeastern)
  • Yana Dimova (KU Leuven, Mentee)
  • Yinzhi Cao (Johns Hopkins)
  • Zhenkai Liang (NUS)