Designing Security for the Web
February 24, 2022: We have extended the deadline to March 1st. Please visit HotCRP to submit your papers!
January 28, 2022: We are glad to announce our two keynote speakers: Adam Doupé and John Wilander. We will follow up with full details about their talks!
January 11, 2022: After its success last year, SecWeb will again feature a mentoring program for junior members of the community to be exposed to the reviewing process. If you are a student working on Web security and you want to volunteer, you can apply here up to January 17.
December 5, 2021: SecWeb is moving to Oakland! For 2022, it will be jointly held with IEEE S&P in San Francisco on May 26, 2022.
Back in the days, the Web was not designed with security or privacy in mind. Many key mechanisms we rely on today for critical functionality were arguably not designed for security (such as cookies for authentication purposes) and numerous mechanisms have been piecemeal retrofitted to the Web to add security to it. In this workshop, we want to move away from augmenting the Web with Security and rather design Security for the Web.
The Web has become the key access point to a plethora of security-sensitive services, which we use on a daily basis, yet it was not designed with security in mind. Over the years, this has led to many security mechanisms which were piecemeal retrofit to not cause breakage to existing web applications. The goal of the SecWeb workshop is therefore twofold: we want to collect ideas on how the Web could be extended with novel security mechanisms, better access interfaces (browsers) and disciplined programming abstractions, so as to natively support secure web application development. Moreover, we also invite in particular contributions which aim to redesign parts of the ecosystem, so as not to be stuck on a patchwork of security on the Web, but rather have security built-in by design.
Besides traditional Web security papers, SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current web platform could be heavily re-envisioned for security. Such proposals often do not fit major computer security conferences, because their real-world deployment might be complicated, yet they have value for the web security community, since they advance the understanding of relevant web security problems, their root causes and the design space of possible solutions. Ideally, we expect well-thought proposals accepted at SecWeb to be excellent starting points for discussion with browser vendors (which we explicitly envision as participants) and/or major players of the Web market, who have the commitment and the resources to convert academic proposals into reality.
SecWeb 2022 is co-located with IEEE S&P 2022 and scheduled for May 26, 2022.
The following is our tentative schedule for SecWeb 2022 on May 26, 2022.
| 9:00 - 9:10 | SecWeb Opening Remarks | Stefano Calzavara (Universita Ca' Foscari Venezia) Sooel Son (KAIST) |
|---|---|---|
| 09:10 - 10:00 | Keynote: Wild Wild Phish: Phrontiers in the Phight Against Phishing [Slides]
Since the dawn of the web miscreants have used this new communication medium to defraud unsuspecting users. The most common of these attacks is phishing: creating a fake login form to steal username/passwords for high-value targets such as email, social networking, or financial services. This seemingly low-skill attack still, to this day, is responsible for vast amounts of fraud and harm. In this talk, I will cover the history of the cat-and-mouse game of phishing, touching on why, after more than a decade of research, phishing attacks are still the most common ways that end-users are directly victimized and attacked. Then we'll explore the complex mechanisms that phishers use to hide their content from the anti-phishing ecosystem, and how to detect some of these mechanisms. Then, we will discuss weaponizing this "hiding" functionality so that end-users are protected against phishing. Finally, we'll discuss the future of anti-phishing research and the remaining challenges. |
Adam Doupé (Arizona State University) Adam Doupé is an Associate Professor in the School of Computing and Augmented Intelligence at Arizona State University. He is also Director of the Center for Cybersecurity and Trusted Foundations in the Global Security Initiative at Arizona State University and the co-Director of the Laboratory of Security Engineering For Future Computing (SEFCOM). He plays CTFs with Shellphish, and as a Founding Member of the Order of the Overflow hosted the DEF CON CTF (Quals and Finals) from 2018--2021. His research focuses on automated vulnerability analysis, web security, binary analysis, mobile security, network security, underground economies, cybercrime, hacking competitions, and human factors of security. More info on his Web page |
| 10:00 - 10:30 | Coffee Break | |
| 10:30 - 10:50 | To Hash or Not to Hash: A Security Assessment of CSP's Unsafe-Hashes Expression | Peter Stolz (Saarland University & Bitahoy GmbH), Sebastian Roth (CISPA Helmholtz Center for Information Security, Ben Stock (CISPA Helmholtz Center for Information Security) |
| 10:50 - 11:10 | RetroCSP: Retrofitting Universal Browser-Support for CSP [Slides] | Moritz Wilhelm (CISPA Helmholtz Center for Information Security), Sebastian Roth (CISPA Helmholtz Center for Information Security), Ben Stock (CISPA Helmholtz Center for Information Security) |
| 11:10 - 11:30 | A Client-Side Seat to TLS Deployment [Slides] | Moritz Birghan (Mozilla), Thyla van der Merwe (ETH Zurich) |
| 11:30 - 11:50 | Towards Improving the Deprecation Process of Web Features through Progressive Web Security [Slides] | Tom Van Goethem (imec-DistriNet, KU Leuven), Wouter Joosen (imec-DistriNet, KU Leuven) |
| 11:50 - 13:10 | Lunch Break | |
| 13:10 - 13:30 | Measuring Developers’ Web Security Awareness from Attack and Defense Perspectives [Slides] | Merve Sahin (SAP Security Research), Tolga Unlu (Abertay University), Cedric Hebert (SAP Security Research), Lynsay Shepherd (Abertay University), Natalie Coull (Abertay University), Colin McLean (Abertay University) |
| 13:30 - 13:50 | "It builds trust with the customers" - Exploring User Perceptions of the Padlock Icon in Browser UI [Slides] | Emanuel von Zezschwitz (Google Inc.), Serena Chen (Google Inc.), Emily Margarete Stark (Google Inc.) |
| 13:50 - 14:10 | The Bridge between Web Applications and Mobile Platforms is Still Broken [Slides] | Philipp Beer (TU Wien), Lorenzo Veronese (TU Wien), Marco Squarcina (TU Wien), Martina Lindorfer (TU Wien) |
| 14:10 - 14:30 | yoU aRe a Liar://A Unified Framework for Cross-Testing URL Parsers | Dashmeet Kaur Ajmani (North Carolina State University), Igibek Koishybayev (North Carolina State University), Alexandros Kapravelos (North Carolina State University) |
| 14:30 - 15:00 | Coffee Break | |
| 15:00 - 15:50 | Keynote: A Web Safe To Roam
The web is not curated — anyone can publish on the web and no single browser controls how the web works. The web also has universal reach with browsers on nearly every general-purpose computing device. These aspects are fundamental to the nature of the web. But it still needs to be safe to browse around. If people get told they have to constantly watch their back on the web or that it's not safe to click links, we lose. We have to make sure the web is safe to roam to ensure its future as a non-curated, universal platform. Safety comes in many forms. Users don't care *how* their data was stolen, leaked, or used against them. They only care *that* it happened. Just because we as experts divide things into security and privacy doesn't mean either matters more or less to users. They want the web to be safe to roam in a broad sense. |
John Wilander (Apple) John Wilander manages the WebKit Security and Privacy team at Apple. He is deeply involved in security and privacy web standards and has done significant work in privacy-preserving ad measurement to provide alternatives to cross-site tracking. John holds a PhD in Computer Science and his thesis was focused on software security. A few months ago, he published his first novel "Identified," in the genre of hacker fiction. More info on his Web page |
15:50 - 15:55 | Closing Remarks |
All papers discussing Web security and Web privacy aspects are solicited for submission. SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current Web platform could be heavily re-envisioned for security. This explicitly includes proposals that would break today’s Web to improve its security tomorrow.
Topics of interest include, but are not limited to, the following:
SecWeb solicits both full and short papers. All papers must be written in English and must not exceed 10 pages (full) and 6 pages (short) in A4 format using the IEEE conference proceeding template (excluding bibliography and well-marked appendixes). Submissions must be in PDF format and should print easily on simple default configurations. Submissions are anonymous, so information that might identify the authors must be excluded. It is the authors' responsibility to ensure that their anonymity is preserved when citing their own work. Failures to adhere to these requirements can be grounds for rejection.
The proceedings will be published by the IEEE after the workshop and will be made available in IEEE Xplore. During submission, authors can choose to have their paper excluded from the proceedings. At least one author of each accepted paper must register to the workshop for presentation.
All submissions considered for inclusion in the proceedings must contain an original contribution. That is, these papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal, conference or workshop. In particular, simultaneous submission of the same work is not allowed. This requirement is relaxed for submissions which will not be included in the proceedings: in particular, we also invite papers that are currently under submission or planned to be submitted before the SecWeb notification.
Submissions go to
https://hotcrp2022.secweb-workshop.de/
Reviewing is hard, constructive reviewing even more so. For SecWeb, we therefore will have a mentoring program for junior members of the community. We will invite a limited number of students in the area of Web security into the PC and each junior member will have a mentor which whom to discuss their reviews. In this way, junior community members are exposed to the reviewing and discussion process, while also benefiting from the experience and insights of more senior reviewers. If you or your students are interested in this, fill in the form to indicate your (or your students') interest.