Wednesday, December 29, 2010

Poll Time - What One Problem in Web Security Do You Want to Fix?


It is poll time. I'm doing a little planning and trying to figure out what people view as the biggest architectural weaknesses in web security. I'm mainly focused on things within HTTP and HTML/JS/CSS themselves, not things at the TLS layer.

There is a small poll on the right-hand side of the blog. If you have other ideas, please stick them in the comments.

A few things I didn't include as I wasn't sure what to do with them:
  • Fixing XSS. Change core web protocols/technologies to provide a much cleaner code/data separation. Maybe CSP does this well enough?
  • Fixing CAs and how they work. I consider this a related but separate problem.
  • Fixing CSRF. It could make the list, and there are several architectural options, such as scoped cookies and/or the Origin header.

[UPDATE-1] - I'm interested in fixes to web servers, browsers, core protocols, etc., not in what individuals writing web apps should do to make their own apps more secure. So, for example, fixing Struts/Spring/etc. would be out of scope for this survey.

[UPDATE-2] - The item in the poll for improving authentication is partially about the HTTP protocol, but also about web browser UI, how auth data gets handled in the browser chrome, etc.