A key to web3 is its security challenges

In both Web 1.0 and Web 2.0, the security models changed to help unlock entirely new economies. In Web 1.0, Netscape was the first to use Secure Sockets Layer (SSL) to provide secure communication between users' browsers and servers. Trusted Web 2.0 intermediaries such as Google, Microsoft, Amazon, and certificate authorities played a central role in driving the implementation of Transport Layer Security (TLS), the successor to SSL.

The same will happen with web3. This is the key reason why investment in web3 security startups grew more than 10 times last year, to more than 1 billion dollars.

The success of web3 depends on innovation to solve new security challenges created by different application architectures. In web3, decentralized applications or "dApps" are built without relying on the traditional application logic and database layers that exist in Web 2.0; instead, a blockchain, network nodes, and smart contracts are used to manage logic and state.

Users still access an interface, which connects to those nodes, to update data, such as posting new content or making a purchase. These activities require users to sign transactions using their private keys, usually managed with a wallet, a model that is intended to preserve user control and privacy. Transactions on the blockchain are fully transparent, publicly accessible, and immutable (meaning they cannot be changed).

Like any system, this design has security tradeoffs. Blockchain does not require actors to be trusted as in Web 2.0, but it is more difficult to make updates to address security issues. Users can retain control over their identities, but there are no intermediaries to provide recourse in the event of attacks or key compromises (e.g., how Web 2.0 providers can return stolen funds or reset passwords). Wallets can still leak sensitive information like an Ethereum address; a wallet is still software, which is never perfect.

These concessions raise significant security concerns, but they shouldn't hinder the push for web3 and, in practical terms, are unlikely to do so.

Consider again the parallels with Web 1.0 and Web 2.0. The initial versions of SSL/TLS had critical vulnerabilities. Early security tools were rudimentary at best and became more robust over time. Web3 security companies and projects like CertiK, strong, Slither, and secure2 are the equivalents of the code scanning and application security testing tools that were originally developed for Web 1.0 and Web 2.0 applications.

However, in Web 2.0, a substantial part of the security model has to do with response. In web3, where transactions cannot be changed once executed, mechanisms must be built in to check if transactions, logically initiated, should occur. In other words, security has to be exceptionally good at prevention.

This means that the web3 community has to figure out the best way to technically address systemic weaknesses to prevent new lines of attack that target all sorts of variants, from crypto primitives to smart contract vulnerabilities. In parallel, there are at least four initiatives that would advance a preventive web3 security model:

Source of truth data for vulnerabilities

There has to be a source of truth for known web3 vulnerabilities and weaknesses. Today, the National Vulnerability Database provides the basic data for vulnerability management programs.

Web3 needs a decentralized equivalent. For now, incomplete information lives scattered in places like SWC Registry, Rekt, smart contract lines of attack and DeFi threats. Bug bounty programs, like the ones Immunefi runs, are intended to bring out new weaknesses.

Security Decision Making Rules

The decision-making model for critical security design options and individual issues in web3 is currently unknown. Decentralization means no one owns problems, and the ramifications for users can be significant. Examples like the recent IBM Apache Log4j vulnerability are warnings about leaving security in the hands of a decentralized community.

There needs to be more clarity regarding how decentralized autonomous organizations (DAOs), security experts, vendors like Alchemy and Infura, and others collaborate to manage emerging security issues. There are applicable lessons from how large open source communities have formed the OpenSSF and CNCF advisory groups and put processes in place to address security issues.

Authentication and signature

Most dApps today, including the most prominent ones, do not authenticate or sign their API responses. This means that when a user's wallet retrieves data from these applications, there is a gap in verifying that the response is coming from the intended application and that the data has not been tampered with in some way.

In a world where applications do not employ basic security best practices, users are left to determine their security and reliability posture, a task that is virtually impossible. At a minimum, there should be best methods or practices for exposing risks to users.
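One way to close the gap described above, shown as an added example that is not from the original article or from any particular dApp: the server signs each API response with Ed25519, and the wallet verifies it against a public key pinned for the expected origin. The origin `dapp.example`, the envelope fields, the 30-second freshness window and the sample payload are all assumptions made for illustration.

```javascript
// Added example: signed API responses verified by the client (Node.js built-in crypto).
const crypto = require('node:crypto');

const MAX_AGE_MS = 30000; // assumed freshness window, not a standard value

// Deterministic JSON (sorted keys) so signer and verifier process identical bytes.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Server side: bind the body to the origin and an issue time, then sign the envelope.
function signResponse(privateKey, origin, body, now = Date.now()) {
  const envelope = { origin, issuedAt: now, body };
  const sig = crypto.sign(null, Buffer.from(canonical(envelope)), privateKey);
  return { envelope, signature: sig.toString('base64') };
}

// Wallet side: accept the body only if origin, signature and freshness all check out.
function verifyResponse(pinnedKeys, expectedOrigin, response, now = Date.now()) {
  const key = pinnedKeys.get(expectedOrigin);
  if (!key) return { ok: false, reason: 'no pinned key' };
  const { envelope, signature } = response;
  if (envelope.origin !== expectedOrigin) return { ok: false, reason: 'wrong origin' };
  const valid = crypto.verify(null, Buffer.from(canonical(envelope)), key,
    Buffer.from(signature, 'base64'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (Math.abs(now - envelope.issuedAt) > MAX_AGE_MS) return { ok: false, reason: 'stale' };
  return { ok: true, body: envelope.body };
}

// Constructed sample data: a throwaway key pair and a made-up quote response.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const pinned = new Map([['dapp.example', publicKey]]);
const T0 = 1700000000000;
const good = signResponse(privateKey, 'dapp.example',
  { pair: 'AAA/BBB', price: '1.25', recipient: '0xPLACEHOLDER' }, T0);

// Simulate modification in transit: same signature, altered recipient.
const tampered = JSON.parse(JSON.stringify(good));
tampered.envelope.body.recipient = '0xOTHER_PLACEHOLDER';

console.log(verifyResponse(pinned, 'dapp.example', good, T0 + 1000));
console.log(verifyResponse(pinned, 'dapp.example', tampered, T0 + 1000));
console.log(verifyResponse(pinned, 'dapp.example', good, T0 + 60000));
```

How the wallet obtains and pins the public key in the first place is outside this sketch, and the check is only as strong as that step.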

Simpler, user-controlled key management

Cryptographic keys support the ability of users to transact in the web3 model. Cryptographic keys are also notoriously difficult to manage properly; entire companies have sprung up around key management and continue to do so.

The complexity and risk involved in private key management is the main consideration driving users to choose hosted wallets over non-custodial wallets. However, the use of hosted wallets has two implications: they give rise to new “intermediaries” such as Coinbase, which detract from the completely decentralized concept of web3; and they restrict users' ability to take advantage of all that web3 has to offer. Ideally, further innovation in security will provide users with better usability and protections for non-custodial scenarios.

It is worth noting that the first two initiatives focus more on people and processes, while the third and fourth initiatives will require technological changes. Getting new technology, nascent processes, and a large number of users lined up is what makes it hard to figure out aspects of web3 security.

At the same time, one of the most encouraging changes is that web3 security innovation is happening in the open, and never underestimate how that can lead to creative solutions.
