Web Security: shaping the secure Web

Continuing the series that puts the emphasis on the key areas that help ensure that the Web works, for everyone, this month I am diving into Web security. It is one of the key areas that we call “horizontals” and that shape every W3C work package because they involve approaches that are common to all work groups. Our horizontals are Web accessibility, internationalization, security and privacy. 

The imperative

A technology isn’t truly beneficial to humanity if it isn’t safe, and security standards are an essential aspect of ensuring the Web is safe.

Security, along with Privacy, are integral to human rights and civil liberties and have long been important in the World Wide Web Consortium's agenda. W3C has a long history of improving Web security and our work has been instrumental through the development of authentication technologies that can replace weak passwords and help mitigate threats from phishing and similar attacks.

Security is essential to our digital lives as appropriate measures can create trust between people, organizations, businesses, and governments, and while advances on the web make it easier for people to interconnect, this results in a wider attack surface for servers. In other words, the more ways you allow people to interact with your site and products, the more ways bad actors have of attacking.
As users we want to engage with what we trust. We want to ensure our information, our money, and other resources aren’t stolen. We want to make sure we are interacting with who we really think we’re interacting with. As a provider of information, service, or product on the web we want to ensure that we reduce risks and costs, and that we increase trust and strengthen our reputation.

How W3C approaches Security

We follow a recipe that is simple but which details are of importance:

1. Develop security technology standards
2. Review the security of web standards
3. Guide Web Developers to design and develop in a secure manner

At the heart of developing the right security standards is threat modeling, which enables the creation of living documents that identify cross-areas threats and mitigations and provide information on residual risks, and in turn frame and guide technical specifications.

We are in the process of elevating the conduct of reviews from a pool of volunteers to a chartered group, called the Security Interest Group (SING) whose charter the W3C Members are currently assessing as part of approving the group. With a mission to improve Security on the Web by advising groups developing standards on how to avoid and mitigate security issues with their technologies, the Security Interest Group would also suggest changes to existing standards and technologies to improve the security of existing systems.

Last February, we welcomed to the W3C Team our new Security Lead, Simone Onofri. Among the many projects he set into place, he helped launch a cross-organization group, called the Security Web Application Guidelines (SWAG) Community Group, to guide Web developers and ensure a holistic approach to security through the edition of web creators security best practices and providing a platform for stakeholder collaboration (e.g., OpenSSF, OWASP, Open Web Docs, etc.)

In focus: Digital Identities

In recent years we've seen the emergence of the paradigm of decentralized identity and credentials, where users have a digital wallet and control over their identity. All sectors, from social networks and education to enterprises and governments worldwide are considering becoming providers and consumers, with the intention to have digital credentials that are more secure and privacy-preserving than physical ones.

Given the societal, ethical, and technical impacts, Simone and the W3C Team wrote a paper on Digital Identities on the Web. "Identity & the Web" analyzes through different use cases the systemic impact on both the market side and the human side, as well as the role that Web standardization may play in managing that impact. We published the report this month and are looking forward to charting a credible and safe path to strengthen the position of the Web during this rapid evolution phase of the information ecosystem.

Key players

I want to conclude by emphasizing that as a horizontal area, Web Security matters to most and that most can be key players. Whether you are an independent developer or work for an organization that develops products or services, or are a user, your participation in Web Security can make a difference and will be meaningful: contributing to a Web that works for all humanity.