RealTime IT News

W3C to Workshop Web Security

Dissatisfied with the way the current security methods that protect people using the Internet, the World Wide Web Consortium (W3C) will conduct a two-day workshop to discuss better options.

The W3C is calling for position papers on Web authentication, the process of verifying that a Web user is really who he or she claims to be, from Web security experts, software developers, browser manufacturers, and even their customers.

The papers will be presented at a workshop, scheduled to hit New York City March 15 and 16, which is expected to focus on ways browser vendors and e-commerce service providers can work together to improve security.

The W3C argued that the Web must be a safer place where users can do anything from basic browsing to complex transactions.

"Gaps in practical security on the Web make all users easy targets for fraud. Despite broad availability of security technologies, the Web community (browser developers, Web site operators, users) lack agreement on how to help avoid the most basic types of fraud," the W3C said.

Standards bodies have specifications and standards to keep Web users from conducting fraudulent Web services transactions.

For example, the Liberty Alliance and OASIS have created federation protocols to allow companies to safely conduct business over the Web.

But no one has really addressed the Web's security foundation, which is where vulnerabilities start, W3C spokesperson Janet Daly said. Web security today depends on Transport Layer Security (TLS), an IETF protocol that is wrapped around HTTP transactions to authenticate endpoints and ensure private communications.

Current perpetrators get around the technically solid TLS security layer because the protocol implementations don't let users know what kind of security is in place, and with whom they are communicating.

So attackers can bypass these security mechanisms without users noticing.

With unassuming Web users unable to tell whether a Web site is really what it claims to be, phishers can trick users into submitting their personal information, such as credit cards and other vital information, to steal money.

Phishing has been something of an epidemic since 2003.

The Federal Trade Commission (FTC) levied Internet fraud charges against a 17-year-old male in 2003, the first law enforcement action against phishing.

The FTC also said online scammers robbed Americans of more than $437 million in 2003, mostly using phishing attacks.

And it's not stopping. According to recent statistics from Antiphishing.org, there were 15,820 new reports of phishing scams in October 2005, and consumers reported 4,367 new phishing sites.

The W3C believes a workshop about this dicey issue will get the innovation ball rolling.

The workshop committee includes members from tech luminaries, such as America Online, Apple Computer, Microsoft, Mozilla, Sun Microsystems, Opera, and VeriSign. Several colleges, such as Columbia University and New York University, are also partaking in the event.