Sebastian Roth (@s3br0th)
Followers: 220 | Following: 145 | Media: 2 | Statuses: 47
PostDoctoral Researcher @ TU Wien. Playing CTF @ saarsec (saarsec|steg1).
Joined October 2017
Looks like we are among the finalists for the Best Lecture at @tu_wien Kudos to my colleagues for the collective effort! @matteo_maffei @mau_tempesta @s3br0th @310wert @bl4ck_pwn
https://t.co/r2HLYyZdaU
@SecPrivTUWien @CSecCenter
tuwien.at
Best Teaching Awards 2024: Who will take home one of the coveted trophies in the Kuppelsaal on 3 October?
So if you are interested in the deployment roadblocks and strategies for Trusted Types don't forget to drop by at the User Studies VII Session on Friday!
Just arrived in Philadelphia to attend @SOUPSConference, present our work at @USENIXSecurity, and see some new and familiar faces! #soups24 #usesec24
Conformal Prediction for predicting and prioritizing anti-cancer drug responses. 'Reliable anti-cancer drug sensitivity prediction and prioritization' Nature paper. #conformalprediction
With the identified roadblocks and possible improvement suggestions for the mechanism, we hope to ease the deployment of Trusted Types for Web developers such that we might gain a mechanism that is both easy to use and secure! (follow-up work in progress)
The biggest roadblock seems to be the sanitization of JavaScript as there is (currently) no proper way of doing so. Many ideas from the participants are bypassable. The only secure but hard-to-maintain solution would be hashes, but WebCrypto is not available in sync. contexts.
For script URLs, developers tend to use RegEx or allow-lists, which are often bypassable through JSONP or Open Redirects. Those attacks were, however, the original attack scenario for this sanitizer.
Together with 13 participants, we have seen that HTML sanitization should be done with existing sanitizers. However, this does not always work, as those remove all existing JS in the HTML, which can interfere with third-party functionality.
Will Trusted Types end up like CSP? In our new @USENIXSecurity paper, we conducted a study to uncover roadblocks and deployment strategies of Trusted Types. Read our preprint here: https://t.co/D255YvoZgU CC: @_lgroeber @cathykxx @kcotsneb @CISPA @SecPrivTUWien
It was one of the most informative and entertaining projects I ever had the opportunity to be part of. If you want to learn more about ethical and legal implications of server-side scans, read this. And if you ever get the chance to work with @fh4ntke, seize it!
Can server-side scanning research be legal and ethical? For our upcoming @IEEESSP paper "Where are the red lines?" we talked to experts on law and ethics, and web operators. We discussed challenges, solutions and various fictional research scenarios. https://t.co/cTjFfiVRRl
The next highlight at #RuhrSec 2023 ✨ "You Can't Always Get What You Want – How Web Sites (Often) Lack Consistent Protection" by @s3br0th and @kcotsneb. Conference program, more information and details on our website: 🌐 https://t.co/sUEG9mxozf
#itsecurity #itsicherheit
Hey 👋 Are you responsible for a website as an operator, CISO, ..? What do you think about researchers hacking your website - OK or a no-go? Help us make security research more beneficial for operators! Learn more and sign up for an interview at https://t.co/UwUH9E8AMf. Retweet🙏
Is your web site protection consistent? Join @s3br0th and @kcotsneb on their latest research journey. RuhrSec Ticketshop 👉 https://t.co/LiC7f1AIeq 🌐 https://t.co/sUEG9mxozf
#itsecurity #itsicherheit #conference #cybersecurity
#securityconference #ITtalk #IT #ITCompanies
Just arrived in Boston. Looking forward to my first ever @SOUPSConference, my talk at @USENIXSecurity, and to see some new and some familiar faces! #soups2022 #usenix2022
You are a Web developer, want to learn something new, and get 50€? We are conducting a study to understand the challenges of deploying a mechanism to defend against client-side XSS. So, if you are interested, please visit https://t.co/8KphJfFqAd and/or share this invitation.
This security lottery not only affects the security of end-users, because attackers might choose to attack only the vulnerable population, or succeed by pure chance due to randomness; it also sheds light on the measurement inaccuracies that this randomness can cause.
With our analysis, we not only found Web applications that responded with seemingly random levels of protection, but we also have seen cases where we could deterministically get less protection based on our geolocation, language setting, or the browser that we used.
Ever wondered if all clients get the same level of security? In our newest @USENIXSecurity paper, we discovered that sometimes the configuration of security headers depends on client characteristics. Read it here: https://t.co/tDIFqJP5O7 CC: @stecalzavara @kcotsneb @CISPA