W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2019

Large-scale analysis of TLS vulnerabilities

From: Stefano Calzavara <calzavara@dais.unive.it>
Date: Fri, 12 Apr 2019 09:23:46 +0200
Message-ID: <CAGVWdyUkYCb13KbeMheynaFB9hHWWEpyp8oV4+C1pmHzrr_NRA@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Hi, WebAppSec!

Inspired by a few lines by Emily Stark in the recent discussion on
high-risk non-secure downloads, I thought it would be interesting to share
our upcoming research on the state of the HTTPS deployment in the wild. Our
paper, which is going to be presented at IEEE S&P in May, shows how a few
TLS vulnerabilities can propagate to top-tier sites though content
inclusion, sub-domains and tracking libraries. I think this is perfectly in
line with Emily's quote: "There's no point moving everyone to HTTPS if it
has holes everywhere, and I think now is the time to start thinking about
closing some of the holes".

The paper might be of interest to browser vendors, since the solution to
the problems reported there is not obvious, but I think the paper is
accessible to a large audience of web security practitioners. Please find
it attached, any comment or feedback would be welcome, also via personal
channels. Regards.

*Stefano Calzavara*
Assistant professor
Università Ca' Foscari Venezia

Received on Friday, 12 April 2019 07:24:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:55:06 UTC