Overview
Explore the usage, effectiveness, and adequacy of SameSite cookies in this 17-minute IEEE conference talk. Delve into the adoption of SameSite policies, functionality breakage, and potential threats such as CSRF attacks through state-changing GET and POST requests. Examine new threats such as policy downgrades, and assess whether Lax mode is adequate. Gain insights into browser inconsistencies and web framework implementations. Understand the current state of SameSite cookies and their impact on web security through comprehensive analysis and research findings presented by experts from CISPA Helmholtz Center for Information Security.
Syllabus
Intro
SameSite Cookies
Problem Statement
Adoption of SameSite Policies
Functionality Breakage
Threat: CSRF by Replaying State-changing GET
Threat: CSRF by Forging State-changing POST
New Threats: Policy Downgrades
RQ3: Lax Adequacy and Threats to Effectiveness
Browser Inconsistencies and Web Frameworks
Conclusion
Taught by
IEEE Symposium on Security and Privacy