Rob Behnke
June 16th, 2022
The Internet has progressed through multiple stages of evolution. The original Web (Web 1.0) was composed of static pages. Web 2.0 added dynamic and interactive webpages and user-generated content to create the Web that we know today.
Web 3.0 (or Web3 as it’s more widely known) is the next stage in the evolution of the Web. Web3 uses blockchain technology to create a more decentralized web. Instead of independent sites hosted on a particular server, Web3’s use of the blockchain provides greater resiliency, protection against censorship, and other benefits.
Web3 faces many of the same security risks as Web2. However, the differences between the two technologies create new security risks and amplify others. Below, we’ve outlined some of the main security implications of Web3.
In Web 2.0 and traditional IT, a significant percentage of IT security work is responsive. If a vulnerability is discovered in a production application, then a patch is deployed to fix the issue. If data on a server is corrupted or encrypted by ransomware, it can be “rolled back” to a clean state from a backup.
With Web3, data is stored on the blockchain’s immutable ledger. Because attacks recorded on the blockchain can’t be reversed, they need to be prevented. This makes it necessary for Web3 security to be more proactive and prevention-focused, in contrast to Web2’s focus on detection and response.
In Web 2.0, proving real-world identity is a major focus of many systems. Companies want to sell users’ data and prevent spam on their systems, so they work hard to authenticate users. This has security benefits as well because it can help with deterring, investigating, and responding to threats.
Blockchain-based systems like Web3 are pseudonymous with users identified by their public key and blockchain address. In Web3, key management and security are major concerns, and weak user authentication makes attacks easier to perform and complicates the identification and prosecution of attackers.
Web2 is extremely centralized. Major tech companies (e.g., Meta and Twitter) control a significant percentage of Web traffic and infrastructure. This has significant privacy implications but also means that these organizations own their security and can bring significant resources to bear on securing their infrastructure.
Decentralization is a major tenet of Web3; however, decentralization has security implications. With decentralization, no one “owns” the security of a system, and decision-making is distributed. Governance by consensus is generally slower, decentralized systems have no means of forcing nodes to install security updates, and decentralized governance schemes can be a target of attacks as well.
Cybercrime is financially motivated. Many of the most common attacks — such as ransomware — provide a clear path to profit. In general, stealing money on Web 2.0 involves stealing valuable data (payment card information, data that can be used for fraud, etc.) and monetizing it in some way.
In Web 3.0, money is built into the Web itself in the form of cryptocurrencies. This makes it easier for cybercriminals to monetize their attacks, as demonstrated by over $26 billion in DeFi hacks to date, and it makes financial attacks and security more important to consider.
Kerckhoffs’s Principle states that no system should rely on security via obscurity. Software developers shouldn’t try to secure their systems by attempting to obfuscate and hide any vulnerabilities in the hopes that an attacker won’t be able to find them.
However, this practice is common with Web 2.0. And, despite not being security best practice, it does have its benefits. Attackers commonly look for low-hanging fruit, and code that is difficult to read and analyze is less likely to have its vulnerabilities discovered and exploited.
In Web 3.0, relying on security via obscurity is no longer an option. Many projects are open-sourced on GitHub, and those that are not open-sourced have source code that can be downloaded from the blockchain and decompiled. This increases the probability that vulnerabilities will be discovered and exploited, making it even more important to find and fix them before code is deployed on the blockchain.
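To illustrate the point above with an added example (not code from the original article): deployed contract bytecode is public, and even without source or a full decompiler, a short disassembler recovers every function selector the contract dispatches on, including ones that were never documented. The bytecode is constructed for this example, the selector `deadbeef` is made up, and the helper names are hypothetical.

```python
# Added example: SAMPLE is constructed bytecode, not taken from a real contract.
PUSH1, PUSH4, PUSH32, EQ = 0x60, 0x63, 0x7F, 0x14  # EVM opcodes


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate), skipping over PUSH immediates."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        # PUSH1..PUSH32 carry 1..32 bytes of inline data after the opcode.
        width = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        yield pc, op, code[pc + 1 : pc + 1 + width]
        pc += 1 + width


def dispatcher_selectors(code: bytes):
    """Return selectors used in the compiler-style `PUSH4 <sel> EQ` dispatch."""
    found, prev = [], None
    for _, op, imm in disassemble(code):
        if op == EQ and prev is not None:
            found.append(prev.hex())
        # Remember a complete PUSH4 immediate only for the very next opcode.
        prev = imm if op == PUSH4 and len(imm) == 4 else None
    return found


SAMPLE = bytes.fromhex("".join([
    "60003560e01c",            # load first calldata word, shift down to selector
    "8063a9059cbb1461003057",  # transfer(address,uint256)
    "806370a082311461004057",  # balanceOf(address)
    "8063deadbeef1461005057",  # made-up selector for an undocumented function
    # PUSH32 whose 32 data bytes merely look like PUSH4/EQ; a raw byte
    # search would misreport 11223344, an instruction-aware walk does not.
    "7f" + "63112233441400" * 4 + "00000000",
    "00",                      # STOP
]))

if __name__ == "__main__":
    for selector in dispatcher_selectors(SAMPLE):
        print("0x" + selector)
```

An unpublished function still appears in this list, which is why access control has to be enforced in the contract logic itself and reviewed before deployment.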
Web3 is still in its infancy, and significant development will be needed before it supplants Web2. As the technology evolves and matures, some security risks may be conclusively resolved and others may be created.
Web3 security is vital to the success and widespread adoption of Web3 technology. Halborn security experts have extensive experience in Web3 technologies and are passionate about driving the space forward securely. To talk about Web3 and how security needs to evolve to meet its needs, reach out to our Web3 security experts at halborn@protonmail.com.