621 research outputs found

    A hard lesson: Assessing the HTTPS deployment of Italian university websites

    In this paper we carry out a systematic analysis of the state of the HTTPS deployment of the most popular Italian university websites. Our analysis focuses on three different key aspects: HTTPS adoption and activation, HTTPS certificates, and cryptographic TLS implementations. Our investigation shows that the current state of the HTTPS deployment is unsatisfactory, yet it is possible to significantly improve the level of security by working exclusively at the web application layer. We hope this observation will encourage site operators to take actions to improve the current state of protection

    CookiExt: Patching the browser against session hijacking attacks

    Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, by presenting a mechanized proof of noninterference assessing the robustness of the HttpOnly and Secure cookie flags against both web and network attackers with the ability to perform arbitrary XSS code injection. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking, based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying these cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user's browsing experience. Finally, we report on the experiments we carried out to practically evaluate the effectiveness of our approach

    The Security Lottery: Measuring Client-Side Web Security Inconsistencies

    To mitigate a myriad of Web attacks, modern browsers support client-side security policies shipped through HTTP response headers. To enforce these defenses, the server needs to communicate them to the client, a seemingly straightforward process. However, users may access the same site in variegate ways, e.g., using different User-Agents, network access methods, or language settings. All these usage scenarios should enforce the same security policies, otherwise a security lottery would take place: depending on specific client characteristics, different levels of Web application security would be provided to users (inconsistencies). We formalize security guarantees provided through four popular mechanisms and apply this to measure the prevalence of inconsistencies in the security policies of top sites across different client characteristics. Based on our insights, we investigate the security implications of both deterministic and non-deterministic inconsistencies, and show how even prominent services are affected by them

    Verifiable Learning for Robust Tree Ensembles

    Verifying the robustness of machine learning models against evasion attacks at test time is an important research problem. Unfortunately, prior work established that this problem is NP-hard for decision tree ensembles, hence bound to be intractable for specific inputs. In this paper, we identify a restricted class of decision tree ensembles, called large-spread ensembles, which admit a security verification algorithm running in polynomial time. We then propose a new approach called verifiable learning, which advocates the training of such restricted model classes which are amenable for efficient verification. We show the benefits of this idea by designing a new training algorithm that automatically learns a large-spread decision tree ensemble from labelled data, thus enabling its security verification in polynomial time. Experimental results on public datasets confirm that large-spread ensembles trained using our algorithm can be verified in a matter of seconds, using standard commercial hardware. Moreover, large-spread ensembles are more robust than traditional ensembles against evasion attacks, at the cost of an acceptable loss of accuracy in the non-adversarial setting

    Can I take your subdomain? Exploring same-site attacks in the modern web

    Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention from the research community. In this paper we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including cookies, CSP, CORS, postMessage, and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications

    Reining in the Web's Inconsistencies with Site Policy

    Over the years, browsers have adopted an ever-increasing number of client-enforced security policies deployed through HTTP headers. Such mechanisms are fundamental for web application security, and usually deployed on a per-page basis. This, however, enables inconsistencies, as different pages within the same security boundaries (in form of origins or sites) can express conflicting security requirements. In this paper, we formalize inconsistencies for cookie security attributes, CSP, and HSTS, and then quantify the magnitude and impact of inconsistencies at scale by crawling 15,000 popular sites. We show that numerous sites endanger their own security by omission or misconfiguration of the aforementioned mechanisms, which lead to unnecessary exposure to XSS, cookie theft, and HSTS deactivation. We then use our data to analyse to which extent the recent Origin Policy proposal can fix the problem of inconsistencies. Unfortunately, we conclude that the current Origin Policy design suffers from major shortcomings which limit its practical applicability to address security inconsistencies while catering to the need of real-world sites. Based on these insights, we propose Site Policy, designed to overcome Origin Policy's shortcomings and make any insecurity explicit. We make a prototype implementation of Site Policy publicly available, along with a supporting toolchain for initial policy generation, security analysis, and test deployment

    Desmoplastic Melanoma: Report of 5 Cases

    Background. The clinical presentation of desmoplastic melanoma is often challenging. We report the experience of the Melanoma Unit of Spedali Civili University Hospital of Brescia, Italy. Method. Study subjects were drawn from 1770 patients with histologically confirmed melanoma. Within this group, desmoplastic melanoma developed in 5 patients. For each diagnosed melanoma, histological characteristics, treatment, and outcomes were evaluated. Results. Of the 5 patients described in this study, 2 were males and 3 females. The average age was 62.4 years, ranging from 56 to 68 years. Breslow thickness ranged from 2.1 to 12 mm with a mean thickness of 5.8 mm. Primary treatment of the 5 patients included a wide local excision of their primary lesions. Conclusions. Desmoplastic melanoma is a rare neoplasm which clinically may mimic other tumours or cutaneous infiltrates of uncertain significance. The diagnosis is histopathological and radical resection is necessary.

    Effects of cannabinoid drugs on the deficit of prepulse inhibition of startle in an animal model of schizophrenia: the SHR strain

    Clinical and neurobiological findings suggest that the cannabinoids and the endocannabinoid system may be implicated in the pathophysiology and treatment of schizophrenia. We described that the spontaneously hypertensive rat (SHR) strain presents a schizophrenia behavioral phenotype that is specifically attenuated by antipsychotic drugs, and potentiated by proschizophrenia manipulations. Based on these findings, we have suggested this strain as an animal model of schizophrenia. The aim of this study was to evaluate the effects of cannabinoid drugs on the deficit of prepulse inhibition (PPI) of startle, the main paradigm used to study sensorimotor gating impairment related to schizophrenia, presented by the SHR strain. The following drugs were used: (1) WIN55212,2 (cannabinoid agonist), (2) rimonabant (CB1 antagonist), (3) AM404 (anandamide uptake inhibitor), and (4) cannabidiol (CBD; indirect CB1/CB2 receptor antagonist, among other effects). Wistar rats (WRs) and SHRs were treated with vehicle (VEH) or different doses of WIN55212 (0.3, 1, or 3 mg/kg), rimonabant (0.75, 1.5, or 3 mg/kg), AM404 (1, 5, or 10 mg/kg), or CBD (15, 30, or 60 mg/kg). VEH-treated SHRs showed a decreased PPI when compared to WRs. This PPI deficit was reversed by 1 mg/kg WIN and 30 mg/kg CBD. Conversely, 0.75 mg/kg rimonabant decreased PPI in the SHR strain, whereas AM404 did not modify it. Our results reinforce the role of the endocannabinoid system in the sensorimotor gating impairment related to schizophrenia, and point to cannabinoid drugs as potential therapeutic strategies.