Web3 — or the new internet — is growing more mainstream recently.
Despite the crypto crash, internet giants have continually invested in Web3 over the past few months. Meta started testing NFTs on Facebook with selected creators; eBay acquired leading NFT marketplace KnownOrigin; Mastercard opened its payment network to Web3.
While the new internet revolutionizes industries and incentivizes innovation, cybersecurity experts point out its associated security threats and urge companies to better understand them while moving forward.
Defining Web3 from a security perspective
The World Wide Web has evolved from a static web to a dynamic web.
In Web1, most pages were static with basically text contents. During this time, the secure sockets layer (SSL) protocol was introduced to protect the communication between servers and user browsers.
Web2 generated a more dynamic experience where users can interact with each other through user-generated content and third party programs. Web2 intermediaries, such as Google and Microsoft, facilitated the use of transport layer security (TLS), which is the developed version of SSL.
Web3 is a decentralized form of the internet.
“It is open, trust-less and permission-less,” said Kevin Curran, a cybersecurity professor at Ulster University.
For Curran, open-source software that is free to use and expand is the foundation of Web3. On top of that, the trust-less aspect suggests that all users can interact without trusted third-parties. Permission-less indicates that users can join the network without the permission of governing entities.
In Web3, decentralized applications(dApps) require different database layers and application systems, such as blockchains and smart contracts, to achieve high security and reliability.
“Our security model went from a simple application architecture in the early days to a crazy level of complexity to navigate the virtual world that we are creating,” said Ian Thornton-Trump, CISO of Cyjax Ltd.
Security threats under Web3 development
Web3’s priority on anonymity and privacy makes it hard for companies to track and investigate hackers’ identity. For instance, in the cryptocurrency market, users’ wallets and transactions are visible on the blockchain address but are not directly connected to owners’ true identities. This weak user-authentication lowers the cost of attacks and allows hackers to easily escape prosecution.
Once an attack occurs in Web3, the system cannot be easily fixed.
“In Web2, most of our security work is responsive — we react to security incidents, and in many cases, we can roll things back,” said Wei Lien Dang, a general partner at Unusual Venture. “But in Web3, transactions are immutable, which means they cannot be reversed once they take place.”
Therefore, Web3 demands security to be more preventative rather than relying on the detection and response of Web2.
While the emergence of new tools and languages lead to new vulnerabilities, Wei suggests that some of those vulnerabilities are not totally different from those in Web2.
“Key management is an example where technology is not entirely new — it is just that the burden has traditionally not been shifted to end-users,” Dang said. “To manage keys properly, companies need to decide how to implement it and who should be responsible for it in Web3.”
Early security measures become stronger over time
More companies are starting to pay attention to Web3 security, which many cybersecurity experts consider as a good sign. Investment in crypto security increased nearly 10 times last year, reaching $1 billion, according to Crunchbase data.
For new companies that want to enter into the field, Michael Fey, co-founder and CEO at Island, want them to start with low-risk applications and think outside the box when it comes to implementing.
“It is important to rethink security by design.” Fey said. “Companies need to become a part of the community, build their own sample applications, and challenge their infrastructure.”
If we look back to the early security measures in Web1 and Web2, they all had initial vulnerabilities and became stronger over time. Web3 security firms and projects, such as Certik, Slithe, Forta, and Securify, are the equivalents of code-scanning and application security testing tools designed for Web1 and Web2, according to Dang.
“Innovation occurs at such a rapid speed that it can be hard to immediately identify and react to all of the security challenges,” Dang said. “But I am confident that the ecosystem will catch up.”