Web Security : a snapshot from W3C


For the past few months the web has been in the headlines for bad reasons (but also for good reasons such as its 25th anniversary). The bad side pointed out a regular basis concerns broken servers, denial of service attacks, leaking connected-apps, massive internet monitoring… Everyone’s wondering what are we doing so wrong? Well. First, people have to eat, so business does go on. But once given food, and this is the good news, people are talking about security problems. Realizing they must change something. Alone. Together. Against. But they must move. And organizations such as the W3C are fostering those discussions. People exchange views, make alliances, start thinking about solutions. After all, this is what standardization bodies like the W3C are made for. Find collective solutions, serve both business and social interests. Let me share with you few interesting evolutions:

* Strong web apps, strong internet

Prior to the last IETF meeting, the STRINT workshop took place, the tag line of which was ‘strengthening the internet against pervasive monitoring’. From both W3C and the IETF, attendees discussed how to bind the existing internet specs to make them stronger, but also discussed new features to think about, to avoid facing more governmental invasion in the internet flow. While waiting for the report, one can read the minutes.

* Safe payment

In March, the Palais Brongniart in Paris will welcome 100 people to chat about easy and safe integration of payment means in web services. Attendees of the W3C Web Payment Workshop are expected to represent the large eco-system of payement, from transaction processing actors, to banks, as well as service providers, browser makers and device manufacturers. I will be moderating a panel related to security and will definitely keep you informed about the findings.

* User authentication

FIDO Alliance, a consortium gathering Paypal, Google, MasterCard, Microsoft and other smaller players issued recently a set of specifications, describing a solution allowing seamless and secure user on-line authentication. A portion of the technology is named U2F, and is describing a second factor authentication relying on a USB token. FIDO offered W3C Web Crypto – which I chair – to endorse that feature in our roadmap. This will give us some interesting pieces to discuss.

* More security in the open web platform

As a follow up on discussions happening in various W3C working groups, interest group or with members, W3C is also thinking about organizing a whorkshop to discuss how web apps could benefit from more secure services. That event, which I have been dreaming for a long time, will be a good place to gather all the actors interested in security. It should be somewhere in 2014, probably in fall, or so.

* And also…

2013 has been also a great year for the security nerds, and thanks to their energy and dedication, W3C has now several specifications, it can be proud of, such as Cross Origin Ressource Sharing recommendation , Sub-resource integrity working draft, Web Crypto API working draft (but soon ready for last call).

All those topics are also discussed in the W3C Web Security Interest Group, open to non-W3C members, that I am co-chairing. If you wanna help do not hesitate to submit papers to the various W3C workshops, read specs, ask questions to chairs and staff contacts, raise bugs, and … attend Web Security IG call (everyone is invited)…


Other post related to security on that blog : https://poulpita.com/tag/security/

Photo credit: (nz)dave via photopin cc

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s