Web3 Complexity Is a Security Challenge as Adoption of the “New Internet” Grows

NFT stickers sit on a stand at ETHDenver on February 18, 2022 in Denver. (Photo by Michael Ciaglo/Getty Images)

Web3, or the new Internet, has become increasingly common of late.

Despite the crypto crash, internet giants have been steadily investing in Web3 over the past few months. Meta began testing NFTs on Facebook with select creators; eBay acquired NFT market leader KnownOrigin; Mastercard has opened its payment network to Web3.

As the new Internet revolutionizes industries and encourages innovation, cybersecurity experts are highlighting the security threats associated with it and urging businesses to better understand them as they move forward.

Defining Web3 from a security perspective

The World Wide Web has moved from a static web to a dynamic web.

In Web1, most pages were static with mostly textual content. During this time, the SSL (Secure Sockets Layer) protocol was introduced to protect communication between servers and users’ browsers.

Web2 brought a more dynamic experience in which users can interact with each other through user-generated content and third-party programs. Web2 intermediaries, such as Google and Microsoft, have facilitated the use of Transport Layer Security (TLS), which is the successor to SSL.

Web3 is a decentralized form of the Internet.

“It’s open, trustless and permissionless,” said Kevin Curran, professor of cybersecurity at the University of Ulster.

For Curran, open source software that is free to use and extend is the foundation of Web3. The trustless aspect means that all users can interact without a trusted third party. Permissionless means that users can join the network without permission from governing entities.

In Web3, decentralized applications (dApps) require different database layers and application systems, such as blockchains and smart contracts, to achieve high security and reliability.

“Our security model has grown from a simple application architecture at the start to an insane level of complexity to navigate the virtual world we are creating,” said Ian Thornton-Trump, CISO of Cyjax Ltd.

Security Threats Under Web3 Development

Web3’s priority on anonymity and privacy makes it difficult for companies to track and investigate the identity of hackers. For example, in the cryptocurrency market, users’ wallet addresses and transactions are visible on the blockchain but are not directly linked to the true identity of the owners. This weak user authentication reduces the cost of attacks and allows hackers to easily evade prosecution.

Once an attack occurs in Web3, the system cannot be easily repaired.

“In Web2, most of our security work is reactive – we react to security incidents, and in many cases we can roll back,” said Wei Lien Dang, general partner at Unusual Ventures. “But in Web3, transactions are immutable, meaning they can’t be undone once they’ve occurred.”

Therefore, Web3 requires security to be more preventative, rather than relying on the detection-and-response approach of Web2.

While the emergence of new tools and languages brings new vulnerabilities, Dang suggests that some of these vulnerabilities are not totally different from those in Web2.

“Key management is an example where the technology isn’t entirely new — it’s just that the burden hasn’t traditionally shifted to end users,” Dang said. “To properly manage keys, companies need to decide how to implement them and who should be responsible for them in Web3.”

Early security measures get stronger over time

More and more companies are starting to pay attention to Web3 security, which many cybersecurity experts consider a good sign. Investments in crypto security grew nearly 10-fold last year, reaching $1 billion, according to data from Crunchbase.

For new companies looking to enter the field, Michael Fey, co-founder and CEO of Island, encouraged them to start with low-risk applications and think outside the box when implementing.

“It’s important to rethink security by design,” Fey said. “Companies need to be part of the community, build their own sample apps, and test their infrastructure.”

If we look at the early security measures in Web1 and Web2, they all had initial vulnerabilities and got stronger over time. Web3 security companies and projects, such as CertiK, Slither, Forta and Securify, are the equivalent of the code analysis and application security testing tools designed for Web1 and Web2, according to Dang.

“Innovation is happening at such a rapid rate that it can be difficult to identify and react immediately to every security challenge,” Dang said. “But I’m confident the ecosystem will catch up.”

Sharon D. Cole