MADWeb 2021 Program

Thursday, February 25. All times in PST.
7:30am - 8:00am Welcome and Introductory Remarks
8:00am - 9:00am

Abstract: Over the past decade, HTTPS adoption has risen dramatically. The Web PKI has shifted seismically, with browsers imposing new requirements on CAs and server operators. These shifts bring security and privacy improvements for end users, but they have often been driven by incompatible browser changes that break websites, causing frustration for end users as well as server operators. Security-positive breaking changes involve a plethora of choices. Should browsers roll out a change gradually, or rip the band-aid off and deploy it all at once? How do we advertise the change and motivate different players in the ecosystem to update configurations before they break? How do different types and amounts of breakage affect the user experience? And the meta-question: how do we approach such quandaries scientifically? Drawing from several case studies in the HTTPS ecosystem, I'll talk about the science of nudging an ecosystem: methods that the web browser community has developed, and lessons we've learned, for measuring how best to get millions of websites to improve security while minimizing the frustrations of incompatibility.

9:00am - 10:30am Session 1: Tales of Browser Security

Session chair: Cristian-Alexandru Staicu

  HTTPS-Only: Upgrading all connections to https: in Web Browsers (a preprint)
C. Kerschbaumer, J. Gaibler, A. Edelstein, T. van der Merwe
(Best Paper Award)
  WITHDRAWN First, Do No Harm: Studying the manipulation of security headers in browser extensions
S. Agarwal, B. Stock (NOTE: The authors of this paper found critical errors in their methodology after it was presented and published at the workshop and asked to withdraw the paper from the proceedings. In the current version, we therefore mark the paper as incorrect to help future research avoid repeating the same mistakes. We hope the authors will repeat their measurements with a fixed approach in the future.)
  CROW: Code Diversification for WebAssembly (a preprint)
J. Cabrera Arteaga, O. Floros, O. Vera Pérez, B. Baudry, M. Monperrus
  Panel with the authors
10:30am - 12:00pm Session 2: To the Network Level and Beyond

Session chair: Peter Snyder

  Comparative Analysis of the DoT with HTTPS Certificate Ecosystems (a preprint)
A. Sadeghi Jahromi, A. Abdou
  Empirical Scanning Analysis of Censys and Shodan (a preprint)
C. Bennett, A. Abdou, P. van Oorschot
  Detecting Tor Bridge from Sampled Traffic in Backbone Networks (a preprint)
H. Wu, S. Guo, G. Cheng, X. Hu
  Panel with the authors
12:00pm - 12:30pm Lunch Break
12:30pm - 1:30pm

Abstract: Since the dawn of the web, miscreants have used this new communication medium to defraud unsuspecting users. The most common of these attacks is phishing: creating a fake login form to steal usernames and passwords for high-value targets such as email, social networking, or financial services. This seemingly low-skill attack is still, to this day, responsible for vast amounts of fraud and harm.

In this talk, I will cover the history of the cat-and-mouse game of phishing, touching on why, after more than a decade of research, phishing attacks are still the most common ways that end-users are directly victimized and attacked. We will discuss the advanced nature of server-side cloaking employed by phishers, as well as the PhishFarm framework which allows us to empirically measure the effect of cloaking techniques on browser-based blocking. Then, we will discuss the first end-to-end measurement of a phishing timeline: from a phishing website being deployed to credentials being used fraudulently. Finally, we'll discuss how phishers have adapted to the COVID-19 pandemic and the next generation of sophisticated phishing attacks.

1:30pm - 3:00pm Session 3: The New Attacks

Session chair: Phani Vadrevu

  An Analysis of First-Party Cookie Exfiltration due to CNAME Redirections (a preprint)
T. Ren, A. Wittman, L. De Carli, D. Davidson
(Best Paper Runner-Up)
  What Remains Uncaught?: Characterizing Sparsely Detected Malicious URLs on Twitter (a preprint)
S. Roy, U. Karanjit, S. Nilizadeh
  A First Look at Scams on YouTube (a preprint)
E. Bouma-Sims, B. Reaves
(Best Paper Runner-Up)
  Panel with the authors
3:00pm - 3:30pm Concluding Remarks and Best Paper Award