Historical Analyses of the Client-Side Web Security and How to tell people they have an issue

Apr 6, 2017 12:00 AM

Who: room EDIT 8103\
When: 9:30-10:30{{ page.date | date_to_long_string }}\
Where: room EDIT 8103 \
Title: {{ page.title }}

In this talk, I will present two lines of research I am currently pursuing. On the one hand, my work focusses on client-side Web security. To better understand how the eco system evolved, we conducted a historical study of the last 20 years of the Web using data from the Internet Archive. Given that the Archive stores all client-side code as well as relevant header information, this enabled us to analyze trends over the last years, which allow us to draw conclusions on how future security mechanisms should be implemented.

On the other hand, while as a community we have become very good at discovering vulnerabilities at scale (regardless of Web or network level flaws), informing the affected parties about the issues has only been treated as a side note in previous research. To understand how such notifications can be conducted at scale, we conducted an experiment in which we notified more than 44,000 vulnerable domains, using different communication channels. Our work shows that reaching administrators is the biggest roadblock to a successful notification. In my talk, I will also discuss some of the technical and human challenges we face when notifying at scale, moreover highlighting which of these areas require further research.

Previous Talks

{: .t60 } {% include list-posts tag=‘csstalk’%}