SecWeb 2020

Designing Security for the Web


September 1, 2020: Panelists announced! Please don't forget to register through EuroS&P registration (just 61€!)

August 5, 2020: Program released. Our program will feature five paper presentations, two oral presentations, as well as two keynotes and a panel of experts. Details on the panel will be released soon. To register for the workshop, please sign up at EuroS&P's registration page. Note that one author for each accepted paper needs to sign up as an Workshop Author.

February 27, 2020: HotCRP is temporarily offline due to a necessary hardware change on the hosting machine. Will be back up soon, though :)HotCRP is back online

February 26, 2020: To allow NDSS attendees to spend sufficient time on their submissions, we have postponed the deadline by one week to March 6.

January 28, 2020: Finally, HotCRP is open!

January 21, 2020: Second keynote speaker confirmed: Zubair Shafiq from Iowa State!

January 16, 2020: CfP released.

January 14, 2020: First keynote speaker confirmed: Mike West from Google!

What is SecWeb?

Back in the days, the Web was not designed with security or privacy in mind. Many key mechanisms we rely on today for critical functionality were arguably not designed for security (such as cookies for authentication purposes) and numerous mechanisms have been piecemeal retrofitted to the Web to add security to it. In this workshop, we want to move away from augmenting the Web with Security and rather design Security for the Web.

Aim & Scope

The Web has become the key access point to a plethora of security-sensitive services, which we use on a daily basis, yet it was not designed with security in mind. Over the years, this has led to many security mechanisms which were piecemeal retrofit to not cause breakage to existing web applications. The goal of the SecWeb workshop is therefore twofold: we want to collect ideas on how the Web could be extended with novel security mechanisms, better access interfaces (browsers) and disciplined programming abstractions, so as to natively support secure web application development. Moreover, we also invite in particular contributions which aim to redesign parts of the ecosystem, so as not to be stuck on a patchwork of security on the Web, but rather have security built-in by design.

Besides traditional Web security papers, SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current web platform could be heavily re-envisioned for security. Such proposals often do not fit major computer security conferences, because their real-world deployment might be complicated, yet they have value for the web security community, since they advance the understanding of relevant web security problems, their root causes and the design space of possible solutions. Ideally, we expect well-thought proposals accepted at SecWeb to be excellent starting points for discussion with browser vendors (which we explicitly envision as participants) and/or major players of the Web market, who have the commitment and the resources to convert academic proposals into reality.

Program 2020

Given the full-virtual format of EuroS&P as well as co-located workshops, we have decided to make the workshop accessible to an international audience as best as possible. Aligned with the main conference, our workshop will therefore run from 14:00 to 19:00 CEST on September 11, 2020.

14:00 - 14:10 Opening remarks Stefano Calzavara (Università Ca' Foscari Venezia)
Ben Stock (CISPA Helmholtz Center for Information Security)
14:10 - 14:50 Keynote: The Web we can Ship
Web browsers act as an agent for billions of users on the web today. It's critical that we do our best to create a safe platform, and equally critical that we figure out how to do so without breaking things our users depend upon. Shipping behavioral changes is a tightrope dance of sorts, weighing security and privacy benefits against potentially disruptive side-effects, and planning out strategies for successful deployment at scale. This talk will walk through the approach we're taking in Blink, examining our launch process, pointing to the data sources we care about, and presenting case studies of successful deprecations. (Slides)
Mike West (Google)
14:50 - 15:00 Break
15:00 - 15:20 No Phishing With the Wrong Bait: Reducing the Phishing Risk by Address Separation (Slides) Vincent Drury & Ulrike Meyer (Department of Computer Science, RWTH Aachen University)
15:20 - 15:40 Hardening the Security Landscape of the Firefox Web Browser Christoph Kerschbaumer, Tom Ritter & Frederik Braun (Mozilla Corporation)
15:40 - 16:00 User Access Privacy in OAuth 2.0 and OpenID Connect Wanpeng Li (University of Aberdeen) & Chris J Mitchell (Royal Holloway, University of London)
16:00 - 16:20 The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches in Progressive Web Applications Dolière Francis Somé (CISPA Helmholtz Center for Information Security), Marco Squarcina (TU Wien), Stefano Calzavara (Università Ca' Foscari Venezia), Matteo Maffei (TU Wien)
16:20 - 16:30 Break
16:30 - 16:50 Oh, the Places You’ll Go! Finding our way back from the web platform’s ill-conceived jaunts (Slides) Artur Janc & Mike West (Google)
16:50 - 17:05 Oral Presentation: Using Browser Fingerprinting for Attack Redirection Andrea Palmieri, Cedric Hebert, Merve Sahin & Anderson Santana de Oliviera (SAP Security Research)
17:05 - 17:20 Oral Presentation: DOMQuery: A large-scale Analysis of Browser Extensions' Interactions with Websites Alexander Shevtsov (University of Crete (ICS-FORTH), Alexandros Kapravelos (North Carolina State University), Sotiris Ioannidis (ICS-FORTH)
17:20 - 18:00 Keynote: The Next Frontier in Online Privacy
While online advertising supports the "free" web, it relies on a complex and opaque tracking ecosystem that surveils users across the web. Millions of users rely on privacy-enhancing ad-blocking and anti-tracking tools to counter the negative externalities of online advertising and tracking. Perhaps unsurprisingly, advertisers and trackers are posturing against the users of such tools -- prompting an arms race. This talk will discuss the pain points of state-of-the-art privacy-enhancing tools in keeping up in this escalating arms race. The talk will also highlight the challenges and opportunities in using machine learning to address these pain points.
Zubair Shafiq (UC Davis)
Zubair Shafiq is an associate professor of computer science at the University of California, Davis. His research focuses on building privacy-enhancing tools to counter online tracking and surveillance. More broadly, his work takes a data-driven approach to addressing emerging online privacy and security threats. More information at
18:00 - 18:10 Break
18:10 - 19:00 Panel: Designing Security for the Web. Moderation: Devdatta Akhawe (Figma)
Panelists: Mary Ellen Zurko (MIT Lincoln Laboratory), Andrei Sabelfeld (Chalmers), Christoph Kerschbaumer (Mozilla), Zubair Shafiq (UC Davis), Mike West (Google)

Logistics & Dates

SecWeb 2020 is co-located with IEEE EuroS&P 2020 in Genova, Italy, held virtually online as a post-conference workshop on September 11, 2020.

Important Dates

  • Paper submissions due: February 28, 2020 March 6, 2020 (23:59 CET) via HotCRP
  • Notification to authors: April 9, 2020
  • Camera-ready deadline for accepted papers: April 24, 2020

Call for Papers

All papers discussing Web security and Web privacy aspects are solicited for submission. SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current Web platform could be heavily re-envisioned for security. This explicitly includes proposals that would break today’s Web to improve its security tomorrow.

Topics of interest include, but are not limited to, the following:

  • Browser security
  • Formal methods for Web security
  • Language-based Web security
  • Security policies for the Web
  • Usable Web security
  • Web application firewalls
  • Web attacks and defenses
  • Web authentication and authorization
  • Web protocol security
  • Web security architectures
  • Web tracking and online advertisement

Reviewing and Publication Process

SecWeb solicits both full and short papers. All papers must be written in English and must not exceed 10 pages (full) and 6 pages (short) in A4 format using the IEEE conference proceeding template (excluding bibliography and well-marked appendixes). Submissions must be in PDF format and should print easily on simple default configurations. Submissions are anonymous, so information that might identify the authors must be excluded. It is the authors' responsibility to ensure that their anonymity is preserved when citing their own work. Failures to adhere to these requirements can be grounds for rejection.

The proceedings will be published by the IEEE after the workshop and will be made available in IEEE Xplore. During submission, authors can choose to have their paper excluded from the proceedings. At least one author of each accepted paper must register to the workshop for presentation.

All submissions considered for inclusion in the proceedings must contain an original contribution. That is, these papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal, conference or workshop. In particular, simultaneous submission of the same work is not allowed. This requirement is relaxed for submissions which will not be included in the proceedings: in particular, we also invite papers that are currently under submission or planned to be submitted before the SecWeb notification.

Program Committee

  • Stefano Calzavara (Università Ca' Foscari Venezia) -- Chair
  • Ben Stock (CISPA Helmholtz Center for Information Security) -- Chair
  • Gunes Acar (KU Leuven)
  • Devdatta Akhawe (Dropbox)
  • Yinzhi Cao (Johns Hopkins)
  • Luca Compagna (SAP)
  • Adam Doupé (Arizona State University)
  • Hugo Jonker (Open University)
  • Christoph Kerschbaumer (Mozilla)
  • Katharina Krombholz (CISPA Helmholtz Center for Information Security)
  • Sebastian Lekies (Google)
  • Nick Nikiforakis (Stony Brook)
  • Giancarlo Pellegrino (CISPA Helmholtz Center for Information Security)
  • Tamara Rezk (INRIA)
  • William Robertson (Northeastern)
  • Andrei Sabelfeld (Chalmers)
  • Emily Stark (Google)
  • Mauro Tempesta (TU Wien)
  • John Wilander (Apple)