
W3C to Workshop Web Security

Written By
Clint Boulton
Dec 15, 2005


Dissatisfied with the current security methods that protect people using the Internet, the World Wide Web Consortium (W3C) will conduct a two-day
workshop to discuss better options.


The W3C is calling for position papers on Web authentication, the process of
verifying that a Web user is really who he or she claims to be, from Web
security experts, software developers, browser manufacturers, and even their
customers.

The papers will be presented at a workshop, scheduled to hit New York City March 15 and 16, which is expected to focus on ways browser vendors and e-commerce service providers can work
together to improve security.


The W3C argued that the Web must be a safer place where users can do anything from basic browsing to complex transactions.


“Gaps in practical security on the Web make all users easy targets for
fraud. Despite broad availability of security technologies, the Web
community (browser developers, Web site operators, users) lack agreement on
how to help avoid the most basic types of fraud,” the W3C said.


Standards bodies have specifications and standards to keep Web users from
conducting fraudulent Web services transactions.

For example, the Liberty
Alliance and OASIS have created federation protocols to allow companies to
safely conduct business over the Web.


But no one has really addressed the Web’s security foundation, which is
where vulnerabilities start, W3C spokesperson Janet Daly said. Web security
today depends on Transport Layer Security (TLS), an IETF protocol that is
wrapped around HTTP transactions to authenticate endpoints and
ensure private communications.


Current perpetrators get around the technically solid TLS security layer
because the protocol implementations don’t let users know what kind of
security is in place, and with whom they are communicating.

So attackers
can bypass these security mechanisms without users noticing.


With unassuming Web users unable to tell whether a Web site is really what it
claims to be, phishers can trick users into
submitting their personal information, such as credit cards and other vital
information, to steal money.


Phishing has been something of an epidemic since 2003.


The Federal Trade Commission (FTC) levied
Internet fraud charges against a 17-year-old male in 2003, the first law
enforcement action against phishing.

The FTC also said
online scammers robbed Americans of more than $437 million in 2003, mostly
using phishing attacks.


And it’s not stopping. According to recent statistics from Antiphishing.org,
there were 15,820 new reports of phishing scams in October 2005, and
consumers reported 4,367 new phishing sites.


The W3C believes a workshop about this dicey issue will get the innovation
ball rolling.


The workshop committee includes members from tech luminaries, such as
America Online, Apple Computer, Microsoft, Mozilla, Sun Microsystems, Opera,
and VeriSign. Several colleges, such as Columbia University and New York
University, are also partaking in the event.
