Berners-Lee: Web security still a fight

Sir Tim Berners-Lee, credited as the inventor of the Web, has described online security as a "never-ending battle".
Written by Tom Espiner, Contributor

Sir Tim Berners-Lee, credited as the inventor of the Web, has described online security as a "never-ending battle".

Speaking at a lecture hosted by the Institution of Engineering and Technology in London last week, Berners-Lee said that, while he was against Web censorship per se, both technological and educational means should be employed to tackle Internet security issues.

"A lot of security work is going on [on the Web], but security is a never-ending battle," said Berners-Lee. "The Web is used by humanity, and humanity has a dark and a light side. I'm an optimist -- I think the light side wins. The Web is supposed to be a blank sheet of paper, and you can write dark things on that paper as well as light. If you tried to control the Web, you would end up with engineers deciding what the truth is, which is worse. But, if we see nasty things happening, we should try and tweak [the Web]. If you look at any protocol anywhere, there are technical and social restrictions."

Berners-Lee said that Web technology had been originally designed for "a friendly academic environment". Numerous technologies including e-mail and wikis had been conceived in a positive light, and are being used for good by large numbers of people. But he said that the negative side of technology use should be addressed.

"We made the e-mail system, and in turn it's used by a huge number of people. The person who designed wikis led to Wikipedia [being founded]. E-mail and the Web allow the mass sending of information, but were designed for a friendly academic environment. You have to look at the result: there are huge volumes of spam, phishing attacks -- that's bad, and we have to fix that -- that is the cycle of Web sites," said Berners-Lee.

Phishing attacks have the potential to damage consumer confidence in the Web, because consumers are "now not sure if it's [their] bank". Berners-Lee called for a mixture of technological and educational measures to mitigate Web-security issues. Technical means should be employed to mitigate current Web 2.0 threats, such as cross-site scripting attacks, he said, while good security practice should be encouraged among end users.

Cross-site scripting attacks exploit JavaScript flaws to inject malicious code into a Web page during a user's browser session. "Cross-site scripting attacks are a huge problem," said Berners-Lee. "Other times it's just straightforward education. Don't train users to type their passwords into Web sites in the clear. Banks are training [US users] to give their social security number. There are some security flaws they haven't thought they're training people to do."

Editorial standards