In both Web 1.0 and Web 2.0, security models have changed along with application architectures to help unlock entirely new savings. In Web 1.0, Secure Sockets Layer (SSL) was pioneered by Netscape to provide secure communication between users’ browsers and servers. Trusted Web 2.0 intermediaries such as Google, Microsoft, Amazon, and certificate authorities played a central role in implementing Transport Layer Security (TLS), the successor to SSL.
The same will happen for web3. This is the main reason why investment in new web3 security companies increased more than 10 times last year, to more than $1 billion.
The success of web3 depends on innovation to solve new security challenges created by different application architectures. In web3, decentralized applications or “dApps” are built without relying on the traditional application logic and database layers that exist in Web 2.0; instead, a blockchain, network nodes, and smart contracts are used to manage logic and state.
Users still access a front-end, which connects to these nodes, to update data, such as publishing new content or making a purchase. These activities require users to sign transactions using their private keys, typically managed with a wallet, a model that aims to preserve user control and privacy. Transactions on the blockchain are fully transparent, publicly accessible and immutable (meaning they cannot be changed).
Like any system, this design has security tradeoffs. Blockchain does not require actors to be trusted as in Web 2.0, but making updates to address security issues is more difficult. Users can retain control over their identities, but there are no intermediaries to provide resources in case of attacks or key compromises (e.g., how Web 2.0 providers can reverse stolen funds or reset passwords). Wallets can still leak sensitive information such as an Ethereum address – a wallet is still software, which is never perfect.
These trade-offs rightly raise significant security concerns, but they should not stop the momentum of web3, and in practice they are unlikely to do so.
Consider the parallels with Web 1.0 and Web 2.0 again. Early versions of SSL/TLS had critical vulnerabilities. The initial security tools were rudimentary at best and have become more robust over time. Web3 security companies and projects like certificate, strength, Slither and Protect are the equivalents of the code verification and application security testing tools that were originally developed for Web 1.0 and Web 2.0 applications.
However, in Web 2.0, a substantial part of the security model is about responsiveness. On web3, where transactions cannot be changed once executed, mechanisms must be built to verify that transactions should happen in the first place. In other words, security has to be exceptionally good at prevention.
This means that the web3 community needs to figure out the best way to technically address systemic weaknesses to prevent new attack vectors that target everything from cryptographic primitives to smart contract vulnerabilities. At the same time, there are at least four initiatives that would advance a preventive web3 security model:
Source-of-truth data for vulnerabilities
There needs to be a source of truth for known web3 vulnerabilities and weaknesses. Today, the National Vulnerability Database provides key data for vulnerability management programs.
Web3 needs a decentralized equivalent. For now, incomplete information is scattered around places like SWC Registry, Report, Smart Contract Attack Vectors and DeFi Threat Matrix. Bug bounty programs, such as those run by Immunefi, are intended to reveal new weaknesses.
Security decision-making rules
The decision-making model for critical security design choices and individual incidents on web3 is currently unknown. Decentralization means that no one owns the issues, and the ramifications for users can be significant. Examples like the recent Log4j vulnerability are cautionary tales about leaving security to a decentralized community.
There needs to be greater clarity on how Decentralized Autonomous Organizations (DAOs), security experts, providers like Alchemy and Infura, and others collaborate to manage emerging security issues. There are applicable lessons from how large open source communities shaped the OpenSSF and CNCF advisory groups and the processes in place to deal with security issues.
Authentication and signature
Most dApps, including the most prominent ones, do not authenticate or sign their API responses today. This means that when a user’s wallet retrieves data from these applications, it has no way to verify that the response comes from the intended application or that the data has not been tampered with.
In a world where applications do not employ basic security best practices, it is up to users to determine their security posture and reliability, a task that is virtually impossible. At the very least, there need to be better methods for exposing the risks to users.
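The gap described above can be closed by having the application sign each API response and having the wallet verify it against a pinned public key. The following is an added example, not code from the article or from any dApp it mentions; the function names, envelope fields, freshness window and the way the key is pinned are all assumptions made for illustration.

```javascript
// Added illustration: signed API responses verified against a pinned key.
const crypto = require('node:crypto');

// Constructed key pair standing in for the dApp backend's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

const MAX_AGE_MS = 30_000; // assumed freshness window

// Deterministic serialization so signer and verifier process identical bytes.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Server side: bind the body to the request path, the caller's nonce and a timestamp.
function signResponse(path, nonce, body, now = Date.now()) {
  const envelope = { path, nonce, issuedAt: now, body };
  const signature = crypto.sign(null, Buffer.from(canonical(envelope)), privateKey);
  return { envelope, signature: signature.toString('base64') };
}

// Wallet side: verify against the pinned key, then check path, nonce and age.
function verifyResponse(resp, pinnedKey, expectedPath, expectedNonce, now = Date.now()) {
  const { envelope, signature } = resp || {};
  if (!envelope || typeof signature !== 'string') return { ok: false, reason: 'malformed' };
  const valid = crypto.verify(null, Buffer.from(canonical(envelope)), pinnedKey,
    Buffer.from(signature, 'base64'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  if (envelope.path !== expectedPath) return { ok: false, reason: 'wrong-path' };
  if (envelope.nonce !== expectedNonce) return { ok: false, reason: 'replayed' };
  if (Math.abs(now - envelope.issuedAt) > MAX_AGE_MS) return { ok: false, reason: 'stale' };
  return { ok: true, body: envelope.body };
}
```

The signature covers the path and the caller's nonce as well as the body, so a valid response captured for one request cannot be replayed as the answer to another.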
Easier, user-controlled key management
Cryptographic keys support users’ ability to transact in the web3 paradigm. Cryptographic keys are also notoriously difficult to manage properly; entire businesses have been and continue to be built around key management.
The complexity and risk involved in managing private keys is the main consideration driving users to choose hosted wallets over non-custodial wallets. However, the use of hosted wallets leads to two tradeoffs: they result in new “middlemen” like Coinbase, which undermines the fully decentralized direction of web3; and they restrict users’ ability to enjoy all that web3 has to offer. Ideally, more security innovation will provide users with better usability and protection for non-custodial scenarios.
It is worth noting that the first two initiatives are more focused on people and processes, while the third and fourth initiatives will require technological changes. Getting new technologies, nascent processes, and a large number of users aligned is what makes achieving web3 security difficult.
At the same time, one of the most encouraging changes is that web3 security innovation is happening openly, and we should never underestimate how this can lead to creative solutions.