News.com special report:

Wardens of the Web

Solving the Web security challenge

By Mike Ricciuti and Joris Evers
Staff writers, CNET News.com
June 28, 2007, 4:00 AM PDT

Editors' note: This is part four of a four-day series examining the state and future of Web security.

The Web, for better or worse, has arguably become the equivalent of a massive public agency. It is the repository for consumer information and services of the most sensitive and important nature, ranging from medical records to financial investments.

Web-based services are supplanting traditional desktop software at a blinding pace, taking over terabytes of personal data in the process. Unlimited e-mail storage and Web 2.0-style start-ups will accelerate that trend even more.

Yet access to those massive and indispensable resources is generally gated by a handful of large, profit-driven corporations. Microsoft, Google, Yahoo, America Online and other leading companies have largely built the services that much of the world has come to rely on in everyday life--making them, in effect, the guardians of our most sensitive information.

Which raises an obvious question: Is that a good idea? The most disturbing answer, if history is any guide, is that we may not have much of a choice.


It's disturbing on many levels, but mostly because the industry is basically making up Web security as it goes along. As security executives from Microsoft, Google and Yahoo attest, the companies are in many cases adapting standard desktop security techniques to new Web applications. Sometimes that works; sometimes it doesn't.

"Data is now available online, all the time," said Billy Hoffman, lead researcher at Web security specialist SPI Dynamics. "It's a great big target."

Hoffman's job is to understand where Web security breaks down. The way he sees it, the Big Three Web properties are doing a fairly good job with security, at least on the server end of the equation. The wild card is what happens to that data once it leaves the Googleplex, travels across the network, and gets cached on users' desktops.

Since 1999, more than 90 percent of all documents have been produced digitally; more than 42 percent of all U.S. Internet users have Web-based banking services; and more than 160 billion e-mail messages are sent daily, according to computer services firm CSC and other sources. As the data piles up, it becomes harder to secure bits flowing between servers and desktop Web applications, not to mention the additional complexity of mashups and other Web 2.0 technologies. Simultaneously, attacks are on the rise.

The bottom line is that we're entering unexplored territory where an unprecedented number of people depend on a growing number of relatively new applications, some built with still-evolving technologies, to handle enormous amounts of personal data fragmented across a multiplicity of servers and networks worldwide. Against this daunting backdrop--and amid concerns over corporate control--calls for some kind of independent oversight are inevitable.

"We have information on security practices out there. The disconnect is that we don't have an intermediary that says how these things apply to you as you build Web 2.0 or other applications," Hoffman said. "Will a nonprofit or some other group arise that tries to publish standards? Probably. We definitely need a central clearing house of good information, because there is a lot of bad information out there."

Even some executives at the companies that now control the bulk of Web security say more industry cooperation is needed.

"Security is in the best interest of the whole industry," said Arturo Bejar, the "Chief Paranoid Yahoo." "We're evaluating ways to share either knowledge or tools to give back to the community."

A seemingly obvious course to pursue, short of government intervention, would be some form of industry-wide cooperation ostensibly designed to avoid the development of a monopoly or cartel. That approach, though, is easier said than done: it's been tried many times before with other digital technologies, only to end up in disarray or under the de facto control of a principal stakeholder or group of interested parties.

In a word, think Windows. More than a decade of litigation and untold millions in taxpayer money have done little to loosen Microsoft's control over the operating system that more than 90 percent of the world's personal computer users rely on daily.

In the early days of the Web, a nonprofit agency called the World Wide Web Consortium was born of the altruistic notion that all interested parties could cooperate and compromise as needed for the good of the medium. The so-called W3C has done much good in defining Web standards where none existed and by serving as a trusted authority in the Internet's Wild West beginnings. At the same time, much of the W3C's activity is focused on standards defined by the very companies that in many instances most benefit from their creation.

The W3C probably isn't the right organization to be charged with Web security oversight anyway because it essentially defines tools used by others. Security breaches usually involve how those technologies are used, not necessarily the tools themselves.

"Standard bodies should focus on making very clear standards that set good baselines," Hoffman said. "The worst thing in the world that a standard can do is to be ambiguous, and there are a number of standards out there that are ambiguous."

Other organizations, like the Web Application Security Consortium, are attempting to define the most secure ways to develop applications. In addition, Web developers throughout the industry are sharing more research and security "best practices" through sites like XSSed.org, which publishes information on new cross-site scripting vulnerabilities and how to fix them.

But such efforts can go only so far. The Web giants have built out their properties over the years despite security problems, and new bugs continue to arise almost daily.

7 Comments
The Web is obsolete...Time for a New Slate Approach
by guyfrom2006 June 28, 2007 4:59 AM PDT
We already have ATMs, VPNs, airline reservation systems, etc. that do a far better job at securing information than the Web.

That calls for a completely fresh approach towards solving data and application security of online applications.

Just because a few large companies have invested in the Web Platform does not mean users have to continue using obsolete stuff.

Move over Web, welcome the Alternative....

I see one round the corner... maybe 2008, and it's called NetAlter.
Reply to this comment
What Web?
by jack1260 June 28, 2007 9:24 AM PDT
Internet security is simple. Hardware reset. There is no logical software firewall. There is a real wall called "OFF."

The cell phone is rapidly burning permanent, read-only memory chips from the different internet software applications as we communicate (which is the original reason that Honeywell, IBM, and others created software, that is, to logically conclude an application with finished hardware), and I am not sure if the World Wide Web will be good for much more than using cell phones and pods (designer hardware). And the occasional laptop or desktop computer may fit in for a while, in the near future, but the thrill is gone.
Reply to this comment
totally safe is done!!!
by Steve Hirst June 28, 2007 9:46 AM PDT
Total safety and security, no need for virus or trojan protection, no way to get cookies, spyware... no software needed. The user does nothing except surf and purchase through an indirect portal. US Patent Number: 7,111,078; the summary is at www.notme.com
Reply to this comment
THE BOTTOM LINE
by n3td3v June 28, 2007 10:49 AM PDT
The information security director for Yahoo wants MSN and Google to share intelligence on hackers, sending in information that Yahoo should be aware of, and Yahoo wants MSN and Google to share bugs reported to them that may be a new, never-before-seen attack vector that would be important for Yahoo to know about. The problem is that a lot of the time companies keep security information within the company if details of a hack on their network haven't already leaked out to the media. In short, Yahoo's director of information security is paranoid that they aren't being told everything they feel they should know, even though Yahoo has off-the-record contacts within both MSN and Google; yet the information security director for Yahoo would like more official channels of intelligence set up to share information on cutting-edge hacks and hacker groups alike with a vested interest in Yahoo-like websites and their applications.
Reply to this comment