Measurements, Attacks, and Defenses for the Web (MADWeb) Workshop 2020

The advent of Single Sign-On (SSO) has ushered in the era of a tightly interconnected Web. Users can now effortlessly navigate the Web and obtain a personalized experience without the hassle of creating and managing accounts across different services. Due to the proliferation of SSO, user accounts in identity providers are now keys to the kingdom and pose a massive security risk. If such an account is compromised, attackers can gain control of the user’s accounts in numerous other web services. In this talk, I will present some of our research on SSO account hijacking. In this work we presented an empirical investigation of the different attacks that are facilitated (or enabled) by SSO, and highlighted the current lack of remediation mechanisms available in third parties that support SSO. I will also frame some of our findings within the seeming discrepancy between user expectations and understanding of SSO functionality, as expressed by users online after the major Facebook hack in 2018. Finally, I will discuss potential future directions and interesting questions that arise from this incident.

Advertising and content blocking is an important part of improving the privacy, performance and overall-pleasantness of the web. If you're reading this, you almost certainly have a content blocking tool installed. Popular content blocking tools rely on crowdsourced generated filter lists, and while they're demonstrably useful, they also suffer from many shortcomings: (i) they're easily circumvented, (ii) they break websites (and so are overly conservative) and (iii) rely on large numbers of users, and so do not “scale” to parts of the web with fewer users. This last shortcoming is particularly significant because people visiting non-English, non-global-language parts of the web often face higher data costs, and have lower incomes to pay for internet access.

In this talk I will present three research projects from Brave, and how we plan to improve content blocking for all web users. Brave is building the best-of-breed content blocker, both in terms of depth (i.e. blocking types of harmful behaviors other tools miss) and breath (i.e. proving high quality blocking for users under-served by existing tools).

The research projects discussed in this talk improve advertising and content blocking in three ways. First, I'll present work on identifying privacy-harming scripts, independent of the code unit they're delivered in. This approach allows us to measure how often advertisers evade existing blockers (changing URLs, mixing malicious and benign code, etc.), and to build counter measures. Second, I'll describe a ML tool for predicting whether a content blocker “breaks” a website, in the subjective evaluation of a browser user. This tool will allow Brave to block aggressively without breaking sites. Third, I'll discuss a method to programmatically generate filter lists for under-served web regions using a novel image classifier and Brave-developed system of deep browser instrumentation called PageGraph.