Fwd: XS-Leaks Summit 2021: November 10-11 (cross-site leaks)

Of possible interest...

Note: an XS-Leaks (cross-site leaks) info wiki is here: https://xsleaks.dev/

---------- Forwarded message ---------
From: Artur Janc <aaj@google.com>
Date: Fri, Nov 5, 2021 at 7:44 AM
Subject: XS-Leaks Summit 2021: November 10-11
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Bartosz Niemczura <niemczura@fb.com>, Mike West <mkwst@google.com>

Hey everyone,

As in previous years, +Bartosz Niemczura and +Mike West have put
together an upcoming edition of the XS-Leaks summit, an event to discuss
attacks and defenses against various kinds of cross-origin information
disclosure bugs.

The event is virtual (Zoom call), split into two days (~2.5 hours each
day). Here's the tentative schedule:

Day 1: Wednesday, Nov 10, 8am PT

   Welcome + introductions (15min)

   Session: New attack vectors (~60min)

      xsinator.com demo (15min)

      Unaddressed XS-Leaks (15min)

      Remaining :visited attacks (15min)

      Exploration of XS-Leaks attack vectors (5min)

   Session: Updates from browser vendors (~30min)

      Chrome updates

      Mozilla updates

   Session: Deployments of XS-Leak protections (~40 min)

      Deploying XS-Leaks protections at Google

      Deploying XS-Leaks protections at Facebook (COOP, CORP)

Day 2: Thursday, Nov 11, 8am PT

Agenda: Brainstorming of various XS-Leaks issues. Possible topics that have
come up include:

   “New attack vectors” brainstorming - continuation from day 1

   “Which XS-Leaks are left unaddressed”

   Are current protections good enough? (CORP, COEP, COOP, Fetch Metadata,
   SameSite cookies, partitioned cache bypasses)

   Ideas for rolling out COEP at scale (HTTP status code for COEP reporting)

   Issues related to browser extensions

   Partitioning :visited status by site/origin

   Attacks due to host connection exhaustion

   Side channels to measure render times and inferring information from that

If you're on this list, you may be interested in this area. If so, please
send an email to +Bartosz Niemczura (niemczura@fb.com) or me if you’d like
to receive an invitation and feel free to forward this to other folks who
care about web security.

A huge thank you to Bartosz for organizing!



PS. If you're unfamiliar with XS-Leaks, the https://xsleaks.dev wiki is
likely a good starting point to learn more.

Received on Monday, 15 November 2021 19:09:34 UTC