Berners-Lee: Web security a 'never-ending battle'

The man credited with invention of the world wide web, Sir Tim Berners-Lee, has warned that web security is a "never-ending battle".

Speaking at a lecture hosted by the Institution of Engineering and Technology in London on Thursday, Berners-Lee said that, while he was against web censorship per se, both technological and educational means should be employed to tackle internet security issues.

"A lot of security work is going on [on the web], but security is a never-ending battle," said Berners-Lee. "The web is used by humanity, and humanity has a dark and a light side. I'm an optimist — I think the light side wins. The web is supposed to be a blank sheet of paper, and you can write dark things on that paper as well as light. If you tried to control the web, you would end up with engineers deciding what the truth is, which is worse. But, if we see nasty things happening, we should try and tweak [the web]. If you look at any protocol anywhere, there are technical and social restrictions."

Berners-Lee said that web technology had been originally designed for "a friendly academic environment". Numerous technologies including email and wikis had been conceived in a positive light, and are being used to the good by large numbers of people. But he said that the negative side of technology use should be addressed.

"We made the email system, and in turn it's used by a huge number of people. The person who designed wikis led to Wikipedia [being founded]. Email and the web allow the mass sending of information, but were designed for a friendly academic environment. You have to look at the result: there are huge volumes of spam, phishing attacks — that's bad, and we have to fix that — that is the cycle of websites," said Berners-Lee.

Phishing attacks have the potential to damage consumer confidence in the web, because consumers are "now not sure if it's [their] bank". Berners-Lee called for a mixture of technological and educational measures to mitigate web-security issues. Technical means should be employed to mitigate current Web 2.0 threats, such as cross-site scripting attacks, he said, while good security practice should be encouraged among end users.

Cross-site scripting attacks exploit JavaScript flaws to inject malicious code into a web page during a user's browser session. "Cross-site scripting attacks are a huge problem," said Berners-Lee. "Other times it's just straightforward education. Don't train users to type their passwords into websites in the clear. Banks are training [US users] to give their social security number. There are some security flaws they haven't thought they're training people to do."