How has the security of websites and web applications evolved over the years?
Since the proliferation of cloud apps has taken an increasing share of daily workload off your computer and moved it to the browser, the need for more browser security naturally has followed. Whereas ten years ago the browser largely rendered pictures and interacted with data behind the scenes, now it is expected to work like a full-fledged GUI you used to find on programs installed on your laptop.
How about the evolution of web-borne attacks so far?
Since the proliferation of popular, but vulnerable, web frameworks, built to ease website construction, scammers have a new class of attack platform to exploit. Once a web framework, like WordPress, Joomla, or Drupal, has been exploited, users can be tricked into following phishing links which seem more legitimate since they appear to be coming from reputable (but hacked) websites. Web frameworks now number in the tens of millions, so there are plenty of targets to choose from.
Browser-based attacks are effective and popular. What are the main security issues for web browsers?
Since browsers are trying to take over the workload of a desktop, they run a kind of “sandbox” to do the heavy computational lifting, which shouldn’t leak data, but this can be challenging in practice. Add to this the proliferation of popular add-ons to extend browser functionality, and the potential attack surface grows rapidly. Also, while your particular browser vendor may provide security for its core functionality, it is difficult to expect them to provide adequate levels of security for third party features added by the user later.
What would make browsers less inviting targets and/or conduits for attacks?
Better security, which will be challenging with the limited resources available in the browser. And if you make browsers more powerful, they might be able to do more damage to your computer. As the attack surface grows, so also does the ability to try new exploits.
What are your recommendations for making one’s browsing more secure?
Less is more, especially when it comes to adding on new features to the core browser. Just like installing too many programs on a laptop can cause issues, browsers get overloaded and break, or get hacked.
Since many common attacks on web users, such as “in-the-middle” attacks, have to do with faulty authentication, what would make user authentication safer?
Multi-factor authentication, hopefully the kind that’s easy to use. If we had got the ease-of-use down years ago, we’d all be using it exclusively. We can nitpick which kinds after we all have at least something more than one.
How will the ongoing strong drive for universal HTTPS adoption as led by Google, Mozilla and others help?
It will become more difficult to trick users into visiting sites they didn’t intend to, and hide traffic from prying eyes in the middle.
What are your expectations for the Web, say, 10 years from now?
Browsers will be provided to you as bite-sized modular builds with only the stripped-down functionality you actually use. How will the browsers know what to build? They’ll have ten more years to learn your habits, and since artificial intelligence (AI) will be baked in, it will be very good at the task, maybe better than you.
How about the place of security in the Web 3.0 with its many monikers such as omnipresent, thinking, semantic, the web of data, etc.?
As long as there are things of greater value than the cost to steal them, stealing will continue. There’s never been a technology that has stopped this, including the next piece of technology coming out, whatever it’s called. From an attacker perspective, it will become increasingly important to steal trusted credentials to carry out an attack, since there will continue to be increased use of cryptographic security mechanisms.
What are your thoughts on the hot topics of today such as the Internet-of-Things, artificial intelligence, blockchain … ?
While they definitely have compelling aspects, marketing will run as far as possible with them until consumer sensibilities rein them back in to what’s actually useful about each.
Remember when the Web was going to cure everything in the world in just a few short years? It didn’t, but eventually it cured things we hadn’t even thought about yet, like ride sharing and vacation rentals in private homes.
These new compelling technologies will eventually solve things we haven’t thought about as well, but not by the time the ink is dry on the marketing brochures proclaiming unqualified victory.
The late Stephen Hawking once stated, “the development of full artificial intelligence could spell the end of the human race”. Full AI is years off, but do you agree that the situation could be so grim?
Every promising, powerful technology brings with it the prospect of uncertain doom. But here we are, still. We haven’t nuked the world into flaming mushroom clouds, but we could. The choice will continue to be ours.
AI brings with it more questions which will require some gravitas to get right. Can an AI-driven car get a ticket or go to jail? What if an AI robot is racist, or acts in ways we don’t find tenable? Who should have access to a kill switch for AI devices, and when can it be used?
Still, humans will prevail, but a lot of us will be doing different jobs, or the jobs we do now with a lot more automated assistance. If we get it right the assistance will be helpful, which we hope of all new compelling technologies.
How can we prepare for the Web’s future and for security risks that emerging technologies entail? Are we “swimming in the right direction” at all?
There is a certain perpetual optimism required to be a security practitioner, although it can be difficult to spot at times. We believe in the future, with all the tools and advantages it will bring. There has always been risk with innovation, but innovation will prevail. That said, we will see digital signatures everywhere, which will be used to authenticate in a more secure way. While we’ll continue to see breaches, ubiquitous cryptography will definitely help.
Thank you, Cameron!
Now, this is far from all that our experts have to say about the story of the Web so far. Yesterday, we sat down with ESET’s Senior Research Fellow David Harley to hear his take on a similar range of topics, so be sure to give it a read, too. In addition, we’ll be back with a third – and last – installment of our interview series on Wednesday.