- From: Stefano Calzavara <calzavara@dais.unive.it>
- Date: Fri, 12 Apr 2019 09:23:46 +0200
- To: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAGVWdyUkYCb13KbeMheynaFB9hHWWEpyp8oV4+C1pmHzrr_NRA@mail.gmail.com>
Hi, WebAppSec!

Inspired by a few lines by Emily Stark in the recent discussion on high-risk non-secure downloads, I thought it would be interesting to share our upcoming research on the state of the HTTPS deployment in the wild. Our paper, which is going to be presented at IEEE S&P in May, shows how a few TLS vulnerabilities can propagate to top-tier sites through content inclusion, sub-domains and tracking libraries. I think this is perfectly in line with Emily's quote: "There's no point moving everyone to HTTPS if it has holes everywhere, and I think now is the time to start thinking about closing some of the holes".

The paper might be of interest to browser vendors, since the solution to the problems reported there is not obvious, but I think the paper is accessible to a large audience of web security practitioners. Please find it attached; any comment or feedback would be welcome, also via personal channels.

Regards.

*Stefano Calzavara*
Assistant professor
Università Ca' Foscari Venezia
https://www.dais.unive.it/~calzavara

Attachments
- application/pdf attachment: oakland19.pdf
Received on Friday, 12 April 2019 07:24:25 UTC