Individuals, going beyond text messaging

The next generation web — Web3 — has been hailed as more secure than the current incarnation of cyberspace, but a report released Tuesday warns that may not be so.

While Web3 may be difficult to subvert on an infrastructure level, there are other points of attack that may offer threat actors more opportunity for mischief than can be found in the legacy web, according to the report from Forrester, a national technology research company.

Web3 applications, including NFTs, aren’t just vulnerable to attack; they often present a broader attack surface than conventional applications due to the distributed nature of blockchains, Forrester reported.

Further, it added, Web3 apps are desirable targets because tokens can be worth substantial sums of money.

The openness of Web3, which is supposed to be one of its chief benefits, can be a detriment, too. “Code that’s running on a public blockchain is easily accessible, by anybody with the required technical skills, from anywhere in the world — no need to penetrate any corporate defenses in getting to it,” observed Forrester Vice President and Principal Analyst Martha Bennett, who is also a co-author of the report.

“Source code is typically also easily available, as running closed source ‘smart contracts’ is frowned upon. The Web3 ethos is, after all, ‘open code,’” she told TechNewsWorld.

Undesirable Complexity

David Rickard, CTO for North America at Cipher, a division of Prosegur, a multinational security company, explained that Web3 is based on the distributed control of data and identity by its users.

“That broadens the attack surface to individuals who may be unwilling or simply unable to handle management of their own data and identity, bringing a technical complexity to an arena that desires ‘easy to use’ above anything else,” he told TechNewsWorld.

“Individuals, going beyond text messaging, email, and scrolling through social media and shopping apps is a real challenge for them,” he added.

The Web3 idea of making code transparent and publicly available is unlikely to gain real traction, he maintained. “Between capital investors and users of blockchain financial systems and NFTs, there’s too much money at stake,” he said.

Making code transparent and public can also broaden the attack surface in obvious ways, he continued. “Secure coding practices that predict how one may misuse a system for nefarious gains aren’t that commonly practiced,” he explained. “It’s not easy to predict how people may use systems for purposes other than those intended.
