It is poll time. Doing a little planning and trying to figure out what people view as the biggest architectural weaknesses on the web security wise. I'm mainly focused on things within HTTP and HTML/JS/CSS themselves, not things at the TLS layer.
There is a small poll on the right hand side of the blog. If you have other ideas, pleas stick them in the comments.
A few things I didn't include as I wasn't sure what to do with them:
- Fixing XSS. Change core web protocols/technologies to provide a much cleaner code/data separation. Maybe CSP does this well enough?
- Fixing CA's and how they work. I consider this a related but separate problem.
- Fixing CSRF. It could make the list and there are several options architecturally such as scope-cookies and/or the Origin header.
[UPDATE-1] - I'm interested in fixing to webservers, browsers, core protocols, etc. Not what individuals writing web apps should do to make their own apps more secure. So, for example, fixing Struts/Spring/etc. would be out of scope for this survey.
[UPDATE-2] - The item in the poll for improving authentication is partially about the HTTP protocol, but also about web browser UI, how auth data gets handled in the Chrome, etc.