Web Security Roadmap available

The European Web Security Roadmap is the final deliverable of the STREWS project. It is the result of three years of work, including workshops and case studies. It contains an extensive overview of current practice, research and standardisation, as well as the gaps between them.


The document thoroughly assesses the current state of web application security in respect to state-of-the-practice, state-of-the-art, research, and standardisation, with special attention to the European aspect. Using the collected data, it then defines a near to mid-term research roadmap for Web security.

It collects areas of Web security which are still underdeveloped, identifies missing pieces in the research landscape, and points out promising directions for future research. In addition, it explores connections between research and standardisation, as well as existing mismatches in that area.

This way, the document provides the big picture on the field of Web security research and it will aid the decision-making process, when it comes to creating new research/standardisation actives and future research projects and work programs.

The document has two parts:

Part I

Part I defines a systematic methodology for data collection and analysis. The methodology is based on five well-defined objectives, directly derived from the STREWS mission statement:

  1. Identify significant gaps between the state-of-the-practice and current research results.
  2. Identify mismatches between standardisation & research activities and the needs of the Web’s practitioners.
  3. Identify the emerging topics and future hot spots of Web security.
  4. Map standardisation and research efforts to the observed emerging topics in Web security. Identify topics that require further attention.
  5. Obtain current information on the state of European research in the field of Web security.

A total of ten distinct data sources were selected:

  • The State-of-the-Practice in today’s Web software
  • Selected empirical studies
  • Observable gaps between the State-of-the-Art and the State-of-the-Practice
  • Interactive survey
  • Review of related NoE and Policy activities
  • STREWS Workshops
  • Standardisation activities
  • STREWS Case Study 1: WebRTC
  • STREWS Case Study 2: Web Security Architecture
  • Cybersecurity

Part II

Each of the data sources is explored in depth in Par  II. The sum of the collected reports provides a comprehensive overview on the current state of web application security and web application security research.

In a second step, the document identifies and explores the emerging and hot topics in web security that require future attention from research, practice and standardisation, namely:

  • client-side complexity,
  • JavaScript sandboxing,
  • server-driven security policies,
  • JavaScript crypto and hardware tokens,
  • the end of the client-server paradigm,
  • Web privacy, and
  • advancing Web authentication and session tracking.

Finally, the collected insight pinpoints the upcoming security research challenges for the European Web:

  • Challenge 1: Revisiting classic attacks
  • Challenge 2: Handling the extending web paradigm
  • Challenge 3: Realizing real end-to-end security
  • Challenge 4: Increasing End-user Security and Privacy

The combination of the identified emerging topics and the overarching research challenges results in an exiting and promising research roadmap for the mid to long term. We expect, that following this roadmap will lead to impactful results, which address the future security problems of the Web, while being well suited to be adopted by practitioners and standardisation.

Case Study: Web Security Architecture

STREWS published its Second Case Study on Web Security Architecture:


Case study 2 Report: Web Security Architecture [PDF]

The Open Web Platform is already transforming the Web again. More functionality on the Web increases the attacking surface. From a document driven Web, we are heading towards an action-driven Web. This also includes the availability of higher value services on the Web. Must Online banking remain dumb? Or can we secure the new applications using HTML5 and all the features and potential it brings?

In a first study of STREWS resulted in D.1.1, the Web-platform security guide. STREWS gave an overview of the assets of the Web an attacker could target and the state of the art of attack and defense. This first study had a very formal approach. This scientific rigour was then applied in a first case study on Web Real Time Communications (WebRTC) resulting in D1.2 Case Study: Security Assessment of WebRTC

This is now the second case study. STREWS has done a deep dive into the toolbox available to Web developers today. First by putting the security tools developed by the IETF and the W3C in context. From there, the study is suggesting new ways to address remaining black spots for Web Security and finally addresses new ways to counter the ever increasing number of cross-site scripting attacks.

The study gives an overview of current development in the Web security area in the IETF and the W3C with pointers for further reading. It then suggests new ways of addressing security issues by exploring cutting edge research findings to be taken into account. Secure sessions and javascript sandboxing can help a lot to make the Web a better place. The case study describes and evaluates those new tools.

Until today, XSS is a serious and widespread security issue. The study has chosen to consolidate the existing knowledge on Cross-Site Scripting. The objective is to systematically review existing works and literature in order to present a comprehensive overview of this research field. On this basis, the study is able to identify open problems and potential research topics that still need to be addressed.

First draft of STRINT workshop report available

The first draft of the STRINT workshop report was published by the IETF as the Internet Draft draft-iab-strint-report-00. The same text is also available, with different formatting, from the STRINT Web site as draft-iab-strint-report.html.

[Overview photo taken from the left side of the room.]
Co-chair Stephen Farrell summarizes the points on the projection screen during the concluding plenary session.

D1.2 Case Study: Security Assessment of WebRTC

STREWS published its first Security Case Study on WebRTC: 


Case study 1 Report: WebRTC [PDF]

Erratum (until updated publication):

In Section 3.2 the WebRTC report notes that:

But unlike in Chrome, all permissions are only for the duration of the session, that is, until the browser closes. There is no way to revoke a permission, except by closing the browser.

Please note that those assertions were made while testing Firefox 28. In that version, the permissions are destroyed when navigating to the next page or closing the window, not just when closing the browser. In Firefox 33, the browser and especially its interface have evolved. We will update the text accordingly, once we have verified the current behavior


Built-in handling of Real Time Media (audio, video) on the web promises potentially significant change in telephony and in conference calling. The W3C WebRTC and IETF rtcweb working groups are developing the set of specifications that will allow browsers and web sites to support such calling and other functions. This is clearly a potentially security sensitive extension to the web, so STREWS has devoted effort on this topic as a case study to both attempt to improve the overall security of the result and to see if this approach holds promise as a way to improve interactions between researchers and standards makers and hence the overall security of the web. In this deliverable, we show some possibly new issues with WebRTC security discovered by researchers (from SAP) that the standards makers may not have considered. However, while this deliverable is, as a deliverable, final, the work itself goes on, partly involving discussions between the STREWS project and participants in the IETF and W3C so in technical terms this remains a work-in-progress.

STRINT workshop papers published

The first version of the agenda and the list of submitted papers of the STRINT workshop were published today. The agenda has seven sessions, three on Friday and the rest on Saturday:

  1. Threats,
  2. COMSEC (part 1),
  3. Policy,
  4. COMSEC (part 2),
  5. Metadata,
  6. Deployment, and
  7. Break-out sessions

There are 66 papers. Together they give an overview of current thinking about the security threats from pervasive monitoring and a first set of ideas towards developing countermeasures.