Securing the open web platform

One of the Web’s greatest strengths is its generality, its openness to new links and unexpected uses. Openness also means that different applications and users have different security goals and threat models. A mash-up that’s desired by one may be dangerous to another. As stewards of the Open Web Platform, W3C aims to accommodate these different needs through modular components, including work on user security and authentication, cooperative policy enforcement, and platform-level reviews. I’ll talk about what’s done, what’s in progress, and where we’re looking next to support an environment for trustworthy application development. Among the topics of current work, I will share updates on: WebCrypto and Authentication: can we kill the password yet? WebAppSec CSP and more: cooperative policy enforcement in the browser HTTPS upgrade: making it easier for Web apps to go secure Security and Privacy Considerations: building security in to specs and their implementations We’ll also talk about broader patterns. While we can’t guarantee the security of “the Web” as an application platform, we can make it easier for authors to write secure Web apps, and for users to distinguish those they trust. Can we take the hard-earned lessons of Web security to other environments that are opening, such as the burgeoning universe of connected things and cars? Can we get both security and space for innovation?