- From: Artur Janc <aaj@google.com>
- Date: Fri, 5 Nov 2021 15:42:22 +0100
- To: WebAppSec WG <public-webappsec@w3.org>
- Cc: Bartosz Niemczura <niemczura@fb.com>, Mike West <mkwst@google.com>
- Message-ID: <CAPYVjqorz2mMP8y5yR2WWkcck_8atnWSk=rDiWTSh9T7YbtQ0g@mail.gmail.com>
Hey everyone,

As in previous years, +Bartosz Niemczura and +Mike West have put together an upcoming edition of the XS-Leaks summit, an event to discuss attacks and defenses against various kinds of cross-origin information disclosure bugs. The event is virtual (Zoom call), split into two days (~2.5 hours each day). Here's the tentative schedule:

Day 1: Wednesday, Nov 10, 8am PT

Agenda:

1. Welcome + introductions (15min)
2. Session: New attack vectors (~60min)
   - xsinator.com demo (15min)
   - Unaddressed XS-Leaks (15min)
   - Remaining :visited attacks (15min)
   - Exploration of XS-Leaks attack vectors (5min)
3. Session: Updates from browser vendors (~30min)
   1. Chrome updates
   2. Mozilla updates
4. Session: Deployments of XS-Leak protections (~40 min)
   - Deploying XS-Leaks protections at Google
   - Deploying XS-Leaks protections at Facebook (COOP, CORP)

Day 2: Thursday, Nov 11, 8am PT

Agenda: Brainstorming of various XS-Leaks issues. Possible topics that have come up include:

- “New attack vectors” brainstorming - continuation from day 1
- “Which XS-Leaks are left unaddressed”
- Are current protections good enough? (CORP, COEP, COOP, Fetch Metadata, SameSite cookies, partitioned cache bypasses)
- Ideas for rolling out COEP at scale (HTTP status code for COEP reporting)
- Issues related to browser extensions
- Partitioning :visited status by site/origin
- Attacks due to host connection exhaustion
- Side channels to measure render times and infer information from that

If you're on this list, you may be interested in this area. If so, please send an email to +Bartosz Niemczura (niemczura@fb.com) or me if you’d like to receive an invitation, and feel free to forward this to other folks who care about web security.

A huge thank you to Bartosz for organizing!

Cheers,
-Artur

PS. If you're unfamiliar with XS-Leaks, the https://xsleaks.dev wiki is likely a good starting point to learn more.

Received on Friday, 5 November 2021 14:42:46 UTC