Editors' note: This is part four of a four-day series examining the state and future of Web security.
The Web, for better or worse, has arguably become the equivalent of a massive public agency. It is the repository for consumer information and services of the most sensitive and important nature, ranging from medical records to financial investments.
Web-based services are supplanting traditional desktop software at a blinding pace, taking over terabytes of personal data in the process. Unlimited e-mail storage and Web 2.0-style start-ups will accelerate that trend even more.
Yet access to those massive and indispensable resources is generally gated by a handful of large, profit-driven corporations. Microsoft, Google, Yahoo, America Online and other leading companies have largely built the services that much of the world has come to rely on in everyday life--making them, in effect, the guardians of our most sensitive information.
Which raises an obvious question: Is that a good idea? The most disturbing answer, if history is any guide, is that we may not have much of a choice.
Podcast: Web security
The relatively new world of online applications is grappling with security issues. Is Web security where it should be? And where should it be going?
Download mp3 (9.6MB)
It's disturbing on many levels, but mostly because the industry is basically making up Web security as it goes along. As security executives from Microsoft, Google and Yahoo attest, the companies are in many cases adapting standard desktop security techniques to new Web applications. Sometimes that works; sometimes it doesn't.
"Data is now available online, all the time," said Billy Hoffman, lead researcher at Web security specialist SPI Dynamics. "It's a great big target."
Hoffman's job is to understand where Web security breaks down. The way he sees it, the Big Three Web properties are doing a fairly good job with security, at least on the server end of the equation. The wild card is what happens to that data once it leaves the Googleplex, travels across the network, and gets cached on users' desktops.
Since 1999, more than 90 percent of all documents have been produced digitally; more than 42 percent of all U.S. Internet users have Web-based banking services; and more than 160 billion e-mail messages are sent daily, according to computer services firm CSC and other sources. As the data piles up, it becomes harder to secure bits flowing between servers and desktop Web applications, not to mention the additional complexity of mashups and other Web 2.0 technologies. Simultaneously, attacks are on the rise.
The bottom line is that we're entering unexplored territory where an unprecedented number of people depend on a growing number of relatively new applications, some built with still-evolving technologies, to handle enormous amounts of personal data fragmented across a multiplicity of servers and networks worldwide. Against this daunting backdrop--and amid concerns over corporate control--calls for some kind of independent oversight are inevitable.
"We have information on security practices out there. The disconnect is that we don't have an intermediary that says how these things apply to you as you build Web 2.0 or other applications," Hoffman said. "Will a nonprofit or some other group arise that tries to publish standards? Probably. We definitely need a central clearing house of good information, because there is a lot of bad information out there."
Even some executives at the companies that now control the bulk of Web security say more industry cooperation is needed.
"Security is in the best interest of the whole industry," said Arturo Bejar, the "Chief Paranoid Yahoo." "We're evaluating ways to share either knowledge or tools to give back to the community."
A seemingly obvious course to pursue, short of government intervention, would be some form of industry-wide cooperation ostensibly designed to avoid the development of a monopoly or cartel. That approach, though, is easier said than done: it's been tried many times before with other digital technologies, only to end up in disarray or under the de facto control of a principal stakeholder or group of interested parties.
In a word, think Windows. More than a decade of litigation and untold millions in taxpayer money has done little to loosen Microsoft's control over the operating system that more than 90 percent of the world's personal computer users rely on daily.
In the early days of the Web, a nonprofit agency called the World Wide Web Consortium was born of the altruistic notion that all interested parties could cooperate and compromise as needed for the good of the medium. The so-called W3C has done much good in defining Web standards where none existed and by serving as a trusted authority in the Internet's Wild West beginnings. At the same time, much of the W3C's activity is focused on standards defined by the very companies that in many instances most benefit from their creation.
The W3C probably isn't the right organization to be charged with Web security oversight anyway because it essentially defines tools used by others. Security breaches usually involve how those technologies are used, not necessarily the tools themselves.
"Standard bodies should focus on making very clear standards that set good baselines," Hoffman said. "The worst thing in the world that a standard can do is to be ambiguous, and there are a number of standards out there that are ambiguous."
Other organizations, like the Web Application Security Consortium, are attempting to define the most secure ways to develop applications. In addition, Web developers throughout the industry are sharing more research and security "best practices" through sites like XSSed.org, which publishes information on new cross-site scripting vulnerabilities and how to fix them.
But such efforts can go only so far. The Web giants have built out their properties over the years despite security problems, and new bugs continue to arise almost daily.
Day 1: Inventing the wheel
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.
Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.
Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.
Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?
Day 1: Google team at work
Everything from dogs to Darth Vader keeps things lively at the office. June 25, 2007
Day 2: A peek at Yahoo 'Paranoids'
"Paranoids" come in the uppercase and lowercase variety. And then there are the superheroes. June 26, 2007
Day 3: Leading Microsoft's crew
Senior security director heads up a 55-member team that's working on marketing itself inside Microsoft. June 27, 2007
Podcast: The state of Web security
Is Web security where it should be? Where is it headed? CNET News.com talks to some experts.June 25, 2007
Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara
6 commentsJoin the conversation! Add your comment