- From: Jeff Hodges <jdhodges@google.com>
- Date: Mon, 15 Nov 2021 11:08:44 -0800
- To: W3C Web Authn WG <public-webauthn@w3.org>
- Message-ID: <CAOt3QXuDiomdKdTRhygqDurSfcdHFf7pXQEomnfRswxmsCzvSQ@mail.gmail.com>
Of possible interest...

Note: a XS-Leaks (cross-site leaks) info wiki is here: https://xsleaks.dev/

---------- Forwarded message ---------
From: Artur Janc <aaj@google.com>
Date: Fri, Nov 5, 2021 at 7:44 AM
Subject: XS-Leaks Summit 2021: November 10-11
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Bartosz Niemczura <niemczura@fb.com>, Mike West <mkwst@google.com>

Hey everyone,

Similarly as in previous years, +Bartosz Niemczura and +Mike West have put together an upcoming edition of the XS-Leaks summit, an event to discuss attacks and defenses against various kinds of cross-origin information disclosure bugs.

The event is virtual (Zoom call), split into two days (~2.5 hours each day). Here's the tentative schedule:

Day 1: Wednesday, Nov 10, 8am PT

Agenda:

1. Welcome + introductions (15min)
2. Session: New attack vectors (~60min)
   - xsinator.com demo (15min)
   - Unaddressed XS-Leaks (15min)
   - Remaining :visited attacks (15min)
   - Exploration of XS-Leaks attack vectors (5min)
3. Session: Updates from browser vendors (~30min)
   1. Chrome updates
   2. Mozilla updates
4. Session: Deployments of XS-Leak protections (~40 min)
   - Deploying XS-Leaks protections at Google
   - Deploying XS-Leaks protections at Facebook (COOP, CORP)

Day 2: Thursday, Nov 11, 8am PT

Agenda: Brainstorming of various XS-Leaks issues. Possible topics that have come up include:

- “New attack vectors” brainstorming - continuation from day 1
- “Which XS-Leaks are left unaddressed”
- Are current protections good enough? (CORP, COEP, COOP, Fetch Metadata, SameSite cookies, partitioned cache bypasses)
- Ideas for rolling out COEP at scale (HTTP status code for COEP reporting)
- Issues related to browser extensions
- Partitioning :visited status by site/origin
- Attacks due to host connection exhaustion
- Side channels to measure render times and inferring information from that

If you're on this list, you may be interested in this area. If so, please send an email to +Bartosz Niemczura (niemczura@fb.com) or me if you’d like to receive an invitation and feel free to forward this to other folks who care about web security.

A huge thank you to Bartosz for organizing!

Cheers,
-Artur

PS. If you're unfamiliar with XS-Leaks, the https://xsleaks.dev wiki is likely a good starting point to learn more.

Received on Monday, 15 November 2021 19:09:34 UTC