Foundations of Web Security Ben Stock

Dear all,

I have received the evaluation for the lecture. Could you please fill out https://qualis.uni-saarland.de/eva/?l=136465&p=540826. Since we do not really have a tutorial, please leave any feedback for both the lecture and the exercises in this one link.

Also as a reminder: the gameserver offers to store feedback for challenges you have solved. Leaving that feedback helps us to identify shortcomings in exercise descriptions for the next year, so we appreciate. Finally, we are always happy to receive anonymous feedback through the CMS or directly via email or Mattermost (many of you already noted certain typos and bugs, thanks for that!).

As part of CISPA's Distinguished Lecture Series, we will have a virtual visit from Nick Nikiforakis next week (Tuesday 3pm). Nick has been doing Web security research for a long time and is one of the most cited authors in this area. If you want to attend the talk, you can either join virtually (see https://cispa.de/en/news-and-events/distinguished-lecture-series/lectures/nikiforakis for the details and Zoom link) or physically in the lecture hall where we will stream the lecture. 

His talk will cover Web aspects in particular of mobile browsers, which we somewhat omit in the lecture. For more information, see the abstract below:

Recent years have seen a steady increase in the sales of mobile devices as more and more users purchase smartphones and tablets to supplement their computing needs. The smartphones' cleaner UIs in combination with an ever increasing number of apps and constantly decreasing prices, are attracting more and more users who entrust their devices with sensitive data, such as personal photographs, work emails, and financial information. To browse the web from these devices, users can choose between hundreds of competing mobile browsers, each advertising its own unique set of features. In this talk, we will discuss the idiosyncrasies of these mobile web browsers and show that they are vulnerable to attacks that were never an issue on traditional desktop browsers. We will first present the results of analyzing over 2,000 versions of mobile browsers, spanning five years and 128 browser families, and show that mobile browsers are becoming more vulnerable to certain classes of attacks with each passing year. We will then focus on the ability of mobile browsers to enforce standard security mechanisms, such as, the HTTP Strict Transport Security mechanism and Content-Security Policy. We will show that mobile browsers lag behind desktop browsers in their support of these mechanisms, resulting in users being less secure when they browse a given website over a mobile browser, as opposed to a desktop browser. Lastly, we will explore the workings of data-savings mobile browsers and how their unique design can open up users to attacks.

Seems like the Internet issues has been fixed. Since the issues were related to a power failure Saturday morning, all servers were restarted. Your VMs are being restarted at the moment, but that could still take an hour or so for all of them to come up. All jeopardies, team0 and Gitlab are back up. Mattermost is still offline, since that is a different server. I'm guessing it will be back soon (tm) 

As one of you already noticed, currently gameserver, mattermost, and all challenges are offline. This is because of an unknown issue with the network uplink between UdS and CISPA. This failed on Friday to Saturday night and I have no idea when it will be online again. Sorry for the inconvenience, I hope to have this fixed sooner rather than later.

Hi all,

unfortunately, we found that some students copied in solutions from one challenge to others. Further, some people also used test accounts (test/test) to solve a challenge, which others then also used and found the readily available flags. Since we give points for solving challenges instead of merely finding flags, I have updated the database for a number of students who had quite obviously not done the exercises themselves. This also involves students that had solutions which were surprising similar to those of fellow participants or are copies of prior years' solutions. Should you be affected by this (your solution is flagged as solved after the deadline) and disagree with my above assumption, let me know.

I would like to note again that each student must individually solve the exercises. Failing to do so may be grounds for not being admitted to the exam. Please see this as the final warning to anyone. If you found a flag which was (accidentally?) left there by others, please inform us right away so we can reset the challenge. If you only noticed it after submitting, we can reset the solved challenge for you and you can properly solve it. 

Hi,

As a reminder: Tomorrow, the lecture will not be a content lecture but a solutions explanation, where I will present you our solutions for the first nine jeopardy challenges. If time permits, we will also discuss some screecher challenges.

Given that I just came back from a business trip on a fully booked flight, we will make this session fully virtual such that everybody stays safe.

See you in Zoom tomorrow,
Sebastian

Next week, I will be traveling and Jannis will do the live meeting. Since he is also not in Saarbrücken, the lecture will be fully remote through Zoom. We'll be back live on June 1st with the solutions to the first batch of exercises. Note that all Jeopardies which have been released to date are due by June 1.

Hi all,

I have a colleague from Italy visiting us this week. He'll give a talk on improving the science of Web Security on Thursday, May 19, 14:30. This will be a hybrid event, split between the CISPA lecture hall and Zoom.  Please see below for details.

https://cispa-de.zoom.us/j/94023681911?pwd=bUgrTlJaR0tFSDlnTi9IMDZzVXNWdz09

Title: Towards improving the science of web security

Abstract: Though useful, many web security papers (including mine!) do not satisfy traditional criteria of the scientific method. In this talk, I will provide a personal perspective on how the science of web security could be improved, by discussing recent work which (partially) tackled this issue. The talk will focus in particular on reproducibility and the importance of definitions for web security research.

Bio: Stefano Calzavara is an associate professor in Computer Science at Università Ca’ Foscari Venezia, Italy. Stefano’s research focuses on formal methods, computer security and their intersection, with a strong emphasis on web security. He has published ~50 papers on these topics at widely recognized international conferences and journals. He is pleased to regularly serve in the PC of a number of scientific events, including flagship conferences like ACM CCS, USENIX Security and TheWebConf (WWW). Stefano chaired the first three editions of the SecWeb workshop and is serving as the program chair of CSF 2022 and 2023.

Hope to see you there (in person or remote)

Hi all,

If you plan to use a Middleware for the CSP task, this middleware *must* be screecher.middleware.CSPMiddleware. This means you have to add a class to the middleware file already in place (which also contains the MigrationsMiddleware as an example). Otherwise our checkers will not like you :-)

Hi, 

First of all, sorry for the technical issues during today's lecture.

In order to lower the number of disconnects during the lecture, we asked the CISPA IT to provide a more stable connection in the lecture hall such that we do not rely on eduroam anymore.
So hopefully, we will not face any disconnects in the next lecture.

Regarding the technical issues of the Gameserver and the Infrastructure: 
We have found (and fixed) the issues. So everything should work now.
Notably, we needed to generate new Basic Auth credentials, Leak secrets, as well as new SSH keys. 
Thus, you need to re-download those because the old keys are not working anymore. Sorry for that inconvenience.

We have already uploaded the InfrastructureHowTo slides to the CMS. However, the recording(s) need to be put together due to the disconnects and will be online soon (latest tomorrow).

In case you still face technical issues, do not hesitate to write me on Mattermost (or via Email). 

Sorry again for the issues, kind regards,
Sebastian

Welcome to the Foundations of Web Security lecture for summer 2022! Our first lecture will happen on Wednesday, April 13, starting at 12 c.t.. Note that while we plan to have as much in-person experience as possible, the first lecture will only be held online. Further, all lectures, even if in-person, will be offered in a hybrid format, i.e., will be streamed through Zoom as well. For the details of how to access the Zoom call, see the respective section in the information section. 

We will provide more updates regarding in-person lectures. Note that for the foreseeable future, CISPA will mandate masks be worn in our building. Hence, even if UdS does not require masks, they will be required when you attend the in-person lecture in the CISPA building.