W3C wades in on browser security

17.10.2006
The World Wide Web Consortium (W3C) is taking a swing at the security problem that's on everybody's mind these days: Web browser security. In a statement (http://www.w3.org/2006/10/security-pressrelease.html.en), the group said that its new initiative, dubbed The Secure Browsing Initiative, would seek to build a foundation for a "more secure Web" and "help people make proper trust decisions." Director Tim Berners-Lee (who invented the Web, after all) was quoted as saying:

"There is much deployed and proven security technology, but we now need to connect it all the way through to the Web user. A Web browser acts on my behalf as I surf the Web, and I need more help from it to avoid being spoofed."

Lofty goals, indeed. So what does W3C have to offer? Well, they want to create a common understanding of what kinds of information browsers should provide to gauge "security context," then find ways to display that information and design secure Web browser interfaces that aren't susceptible to spoofing.

The new initiative grows out of a Workshop on Usability and Transparency of Web Authentication (http://www.w3.org/2005/12/security-pressrelease) in March 2006. The workshop involved companies like Google, HP, IBM, KDE, Microsoft, Mozilla, Nokia, Opera, Sun Microsystems, VeriSign, and Yahoo!, along with representatives of the online finance community, and found interest in secure interfaces and in the data required from content providers to enable those interfaces.

W3C is hoping to get participation from leading Web browser vendors and the security, research and financial sectors on this problem, not to mention IETF, OASIS, and Liberty Alliance.

Of course, there is no shortage of for-profit and not-for-profit entities already at work on this very problem. Antiphishing features are de rigueur among antivirus vendors, and most major vendors are going beyond merely blocking suspect sites. Symantec is just releasing its Norton Confidential product, which is designed to spot malicious Web sites, block crimeware and protect confidential information. McAfee has SiteAdvisor, which is something akin to an online reputation system for Web pages. Moreover, antiphishing toolbars are commonplace from ISPs like AOL and EarthLink, as well as from Netcraft and others. Microsoft has an antiphishing filter, and is at work on a technology called BrowserShield that will protect Web surfers from malicious Web sites and Web-based attacks.