Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 2025
Call for Papers
The web connects billions of devices, running a plethora of clients, and serves billions of users every day. To cope with such a widespread adoption, the web constantly changes. This is evident by some browsers that have a release cycle of just six weeks. Unfortunately, these rapid changes are not always designed with a security mindset, resulting in new attack vectors not observed before.
The MADWeb workshop aims to attract researchers who work on the intersection of browser evolution and web security. Our goal is to create and sustain a specialized venue for discussing any aspects of web security and privacy, such as the rapid changes to browsers from a security perspective, the security implications of current web technologies, how we can protect users now, and make browsers in the future more secure without hindering the evolution of the web.
Since MADWeb merged with the SecWeb workshop in 2025, we welcome ideas on extending the web with novel security mechanisms, better access interfaces (browsers), and disciplined programming abstractions to support secure web application development natively. Moreover, we invite contributions that propose provocative thoughts on re-envisioning (part of) the current web platform with security built-in by design.
We welcome work in progress and encourage junior researchers to explore new ideas before publication at a major security conference. We select papers based on their technical contributions and their potential to spark interesting discussions at MADWeb.
We currently accept (self-) nominations for the MADWeb 2025 PC. Please, fill this form to nominate yourself or someone else. The deadline to submit the form is Friday, November 1, 2024.
Our social media contacts are:
Please use the official hashtag #MADWeb for any public posts related to the workshop.
Important Dates
- Paper submission:
Thursday January 9Tuesday January 14, 2025 Anywhere-on-earth (AOE) - Acceptance notification: Thursday, January 30, 2025
- Artifact submission deadline (only for accepted papers): Friday February 7, 2025 (AOE)
- Camera-ready deadline: Friday February 14, 2025
- Workshop date: Friday February 28, 2025 (co-located with NDSS 2025)
Program
| Friday February 28, 2025 Times in PT (UTC-8) | |
|---|---|
| 8:00 - 12:00 | Registration |
| 8:00 - 9:00 | Breakfast |
| 9:00 - 9:05 | Welcome and Opening Remarks |
| 9:05 - 10:05 | Abstract: In this talk, we take a step back and argue that many varied and seemingly unrelated attacks on the web are actually symptoms of one deeper problem that has existed since the web's inception. Whether it is attacks due to expired domain names, cloaking done by malicious websites, malvertising, or even our growing distrust of the news can be largely attributed back to the issue of stateless linking. Stateless linking refers to the absence of any integrity guarantees between the time that a link for a remote resource was created, to a future time when this link is resolved by web clients. We draw on 10+ years of research to demonstrate how stateless linking and the resulting lack of content integrity is the true culprit for many of our past, current, and likely future web problems. Successfully tackling this one really challenging problem, has the potential of solving many of our web woes. |
| 10:05 - 10:20 | Morning Break |
| 10:20 - 12:00 | Session 1: Network Meets the Web |
| SNITCH: Leveraging IP Geolocation for Active VPN Detection Tomer Schwartz, Andikan Otung, and Ofir Manor (Fujitsu Research of Europe) |
|
| Can Public IP Blocklists Explain Internet Radiation? Damiano Ravalico, Simone Cossaro (University of Trieste), Rodolfo Valentim (University of Turin), Martino Trevisan (University of Trieste), and Idilio Drago (University of Turin) |
|
| The State of https Adoption on the Web Christoph Kerschbaumer, Frederik Braun, Simon Friedberger, and Malte Jürgens (Mozilla Corporation) |
|
| Security Signals: Making Web Security Posture Measurable At Scale Michele Spagnuolo, David Dworken, Artur Janc, Santiago Díaz, and Lukas Weichselbaum (Google) |
|
| 12:00 - 13:30 | Lunch |
| 13:30 - 15:10 | Session 2: Authentication and Browser Security Session chair: Jianjia Yu (Johns Hopkins University) |
| Five Word Password Composition Policy Sirvan Almasi and William J. Knottenbelt (Imperial College London) |
|
| Evaluating the Strength and Availability of Multilingual Passphrase Authentication Chi-en Tai, Urs Hengartner, and Alexander Wong (University of Waterloo) |
|
| BrowserFM: A Feature Model-based Approach to Browser Fingerprint Analysis Maxime Huyghe (University of Lille), Walter Rudametkin (IRISA / Inria / Univ. Rennes / IUF), and Clément Quinton (University of Lille) |
|
| Towards Anonymous Chatbots with (Un)Trustworthy Browser Proxies Dzung Pham, Jade Sheffey, Chau Minh Pham, and Amir Houmansadr (University of Massachusetts Amherst) |
|
| 15:10 - 15:40 | Afternoon Break |
| 15:40 - 16:40 | In this talk, we will examine web security through the browser's perspective. Various browser features have helped fix transport security issues and increase HTTPS adoption: Encouragements in the form of providing more exciting APIs exclusively to Secure Context or deprecating features (like with Mixed Content Blocking) have brought HTTPS adoption to over 90% in ten years. |
| 16:40 - 17:50 | Session 3: Web3 and Work in Progress |
| DeFiIntel: A Dataset Bridging On-Chain and Off-Chain Data for DeFi Token Scam Investigation Iori Suzuki, Yin Minn Pa Pa, Nguyen Anh Thi Van, and Katsunari Yoshioka (Yokohama National University) |
|
| Work-in-Progress: Detecting Browser-in-the-Browser Attacks from Their Behaviors and DOM Structures Ryusei Ishikawa, Soramichi Akiyama, and Tetsutaro Uehara (Ritsumeikan University) |
|
| Work-in-Progress: Towards Browser-Based Consent Management Gayatri Priyadarsini Kancherla and Abhishek Bichhawat (Indian Institute of Technology Gandhinagar) |
|
| Work-in-Progress: Uncovering Dark Patterns: A Longitudinal Study of Cookie Banner Practices under GDPR (2017-2024) Zihan Qu (Johns Hopkins University), Xinyi Qu (University College London), Xin Shen, Zhen Liang, and Jianjia Yu (Johns Hopkins University) |
|
| 17:50 - 18:00 | Awards and Closing Remarks |
Areas of Interest
Submissions are solicited in, but not limited to, the following areas:
- Fingerprinting and tracking on the web
- Browser security
- Secure browser architectures
- Security and privacy of emerging web technologies
- Security of progressive web apps
- Web authentication and authorization
- Web protocol security
- Security policies for the web
- Language-based web security
- Formal methods for web security
- Measurement studies of online crime, fraud, and underground economies
- Measurement studies of web security & privacy issues
- Privacy-enhancing technologies for the web
- Machine learning and AI applications for a secure web
- Data-driven web security and malware detection
- Anti-phishing technologies
- Detection of bots and crawlers/scrapers
- DNS security and privacy
- Unethical and malicious activity on the web
- Digital forensics for the web
Submission Instructions
All papers must be written in English. Papers must be formatted for US letter size (not A4) paper in a two-column layout, with columns no more than 9.25 in. high and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are strongly encouraged to use the templates provided by NDSS.
We invite both full papers and work-in-progress papers. Full papers should have no more than 10 pages in total (excluding references and appendices). Work-in-progress papers must have less than 6 pages (again, excluding references and appendices), and can discuss work-in-progress and novel ideas. Work-in-progress papers will be selected based on their potential to spark interesting discussions during the workshop and they will not be included in the formal proceedings of the workshop. Note that full papers might be accepted as Work-in-progress if they are deemed as not mature enough but may spark enough discussions at the workshop.
Submissions must be properly anonymized for double-blind review (please follow NDSS guidelines on paper anonymization).
Submission site https://madweb25.hotcrp.com/
Artifact Evaluation
We encourage authors to submit their artifacts for evaluation. The goal of the artifact evaluation is to enable the research community to build on the work presented at the workshop and to ensure the reproducibility of the results. The artifacts can be software, data, or other materials used to produce the results presented in the paper. The artifacts will be evaluated based on their availability, functionality, and reproducibility. The evaluation process will be lightweight and will not affect the acceptance of the paper. Authors of accepted papers will be invited to submit their artifacts for evaluation using the same HotCRP instance used for paper submissions. The outcome of the artifact evaluation will be made available on the workshop website.
Please follow these guidelines for more information on the artifact evaluation.
Workshop Format
MADWeb will be co-located with NDSS 2025. MADWeb will be an on-site event.
One author of each accepted paper is expected to present the paper, in person, at the workshop. The format will be traditional conference-style research presentations with questions from the audience. Interactive and engaging presentations are welcome. As for the previous editions, we plan to give best paper and best presentation awards. Following notification to authors, more information will be provided regarding speaking times and other details.
The accepted papers will be made available on the workshop website and the workshop will have official proceedings. Publication in the proceedings is not mandatory and authors can choose to have their papers excluded from the official proceedings by selecting “No proceedings” during submission in HotCRP.
Program Committee Co-Chairs
- Limin Jia, Carnegie Mellon University
- Marco Squarcina, TU Wien
- Yinzhi Cao, Johns Hopkins University
Program Committee
- Behzad Ousat, Florida International University
- Carl Magnus Bruhner, Linköping University
- Cristian-Alexandru Staicu, CISPA Helmholtz Center for Information Security
- Darion Cassel, Amazon automated reasoning
- Frederik Braun, Mozilla
- Hsu-Chun Hsiao, National Taiwan University
- Jianjia Yu, Johns Hopkins University
- Kailun Yan, Shandong University
- Karel Kubicek, Inria
- Kostas Solomos, University of Illinois Chicago
- Kyungchan Lim, University of Tennessee
- Marius Steffens, Google
- Merve Sahin, SAP
- Ming Xu, National University of Singapore
- Mir Masood Ali, University of Illinois Chicago
- Muhammad Abu Bakar Aziz, Northeastern University
- Musard Balliu, KTH Royal Institute of Technology
- Pedro Adão, Instituto Superior Técnico
- Penghui Li, Columbia University
- Peter Snyder, Brave Software
- Philipp Beer, TU Wien
- Ritik Roongta, New York University
- Samuele Casarin, Università Ca’ Foscari Venezia and Scuola IMT Alti Studi Lucca
- Shuai Hao, Old Dominion University
- Shubham Agarwal, CISPA Helmholtz Center for Information Security
- Simon Koch, TU Braunschweig
- Steven Englehardt, DuckDuckGo
- Tamara Rezk, Inria
- Umar Iqbal, Washington University in St. Louis
- Victor Le Pochat
- Xu Lin, Washington State University
- Yi Han, F5 Networks
- Yohan Beugin, University of Wisconsin–Madison
Steering Committee
- Alexandros Kapravelos, North Carolina State University
- Nick Nikiforakis, Stony Brook University
- Oleksii Starov, Palo Alto Networks
- Roberto Perdisci, University of Georgia
- Zubair Shafiq, University of California, Davis
- Aurore Fass, CISPA Helmholtz Center for Information Security
Sponsors
The MADWeb 2025 best paper award is supported by Palo Alto Networks.
madwebwork.bsky.social
infosec.exchange/@madwebwork
@madwebwork
MADWeb 2025, in cooperation with the NDSS Symposium