Thoughts and directions on current Web3 security

Wei Lien Dang is a partner at Unusual Capital (whose partners have backed projects such as eBay, Instagram and Dropbox) and a co-founder of StackRox, a cloud-native security company that was later acquired by Red Hat. He has published some thoughts on security in this field; this article comments on Wei's piece for everyone to discuss and think about.

a set of data

This article is about 3,000 words; reading time 18-25 minutes.

Let’s first look at a set of data:

According to Crunchbase data, venture capital investment in crypto security (Security & RegTech) exceeded $1 billion in 2021. Note that total venture investment in this field was less than $100 million in 2020.

[Figure: Crunchbase chart of venture investment in crypto security and RegTech, 2020 versus 2021. Image credit: Crunchbase]

As the crypto market heats up, investors have begun to focus on security and compliance features.   

The evolution of internet security

In Web 1.0 and Web 2.0, Internet security evolved alongside application architecture to support a new Internet economic model. In the Web 1.0 era, Secure Sockets Layer (SSL) was created by Netscape (the earlier company of a16z co-founder Marc Andreessen, known for its browser) to provide secure communication between the user's browser and web servers. In the Web 2.0 era, major companies such as Google, Microsoft and Amazon, together with certificate authorities, played a central role in promoting Transport Layer Security (TLS). TLS is the successor to SSL.

What is SSL (Secure Socket Layer)?

In 1994, Netscape developed SSL, conceived as a system for securing communication between client and server systems over the network. The IETF (Internet Engineering Task Force) later adopted the protocol and standardized it under the name TLS.

What is the IETF?

The Internet Engineering Task Force, which held its first meeting in January 1986, is an international non-governmental organization of volunteer experts who contribute to Internet engineering and development, and it is the technical standards body of the global Internet. Its main task is to develop and publish Internet-related technical specifications; most of today's Internet technical standards come from the IETF.

What is TLS?

TLS is a secure transport-layer protocol derived from SSL 3.0; TLS 1.0 was published by the IETF in 1999 as RFC 2246. Note that SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 have all since been deprecated (RFC 6176, RFC 7568 and RFC 8996 respectively), so a service deployed today should accept only TLS 1.2 and TLS 1.3.

Let's continue. From the data above, investment in new Web3 security companies grew more than tenfold in 2021, which to some extent reflects how necessary security has become for the whole industry.

The success of Web3 depends on innovative models, especially ones that solve the new security challenges brought by a different application architecture. In Web3, decentralized applications ("dApps") do not rely on the traditional application-logic and data layers of Web 2.0; instead, blockchains, network nodes and smart contracts manage the logic and state of the decentralized Internet.

From the user's point of view, interacting with and updating data still means accessing a front end connected to these nodes, for example to publish new content or buy an NFT. Such actions require a private key to sign transactions, and that private key is usually managed by a wallet. This model is meant to protect the user's control and privacy, while the transactions themselves are fully transparent, publicly accessible and immutable on the blockchain.

Web3 usually does not require the authorization and verification steps that Web 2.0 applications impose, but the problem is that the traditional remedy for security problems, updating and upgrading the system, is hard to apply to code that is immutable once deployed. (For example, below is the WannaCry ransomware sample shared by Ben Rabbit; many people cried when they saw it. Yet the updates that ship through Windows Update prevent it to a large degree: WannaCry spread through an SMBv1 flaw that Microsoft had already patched in MS17-010 two months before the May 2017 outbreak.)

[Image: WannaCry ransomware sample, two screenshots]

To continue: under the current model, Web3 users keep control of their identity and ownership of their data, but there are real problems. With no intermediary, nobody provides novice users with recourse after an attack or a serious compromise (a Web 2.0 vendor, by contrast, may help recover stolen funds or reset a password).

At this level, Web3 wallets themselves can still leak sensitive information; software is software, and there will always be bugs and flaws.

Therefore, the success of Web3 depends on security innovation that addresses the new challenges brought by this different application architecture.

status quo

The pursuit of individual ownership and data sovereignty also raises various security issues (because users differ in their understanding of and familiarity with security), but these issues should not hinder the development of Web3.

Let's look back at history and the parallels with Web 1.0 and Web 2.0. The original versions of SSL/TLS had serious vulnerabilities; early security tools are usually rudimentary and are refined over time. From this perspective, Web3 security companies and projects such as CertiK, Forta, Slither and Securify are the counterparts of the code-scanning and application-security-testing tools first developed for Web 1.0 and Web 2.0 applications.

However, in Web 2.0 a very important part of the security model is response. In Web3, a transaction cannot be changed once it has executed, so a mechanism is needed to verify that a transaction satisfies the required security conditions before it proceeds; that is, Web3 security must lean much harder on prevention.

The Web3 community must think about how to plan technically, address systemic weaknesses, and prevent new attack vectors that target cryptographic primitives and smart-contract vulnerabilities.
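One concrete form of "verify before proceeding" is a wallet-side pre-flight check that a transaction must pass before the private key ever signs it. The example below is added here and is not code from the article or from any wallet project; the policy values, the sample transactions and the addresses are all constructed. It decodes the calldata's 4-byte function selector (0x095ea7b3 is ERC-20 approve(address,uint256), 0xa22cb465 is setApprovalForAll(address,bool)) and refuses unlimited approvals, denylisted recipients and over-cap transfers, which are the patterns behind most wallet-drainer losses.

```javascript
// Added example (not part of the article): a wallet-side pre-flight gate that a
// transaction must pass before it is signed. Policy values, addresses and sample
// transactions below are constructed for the example, not recommendations.

const MAX_UINT256 = 'f'.repeat(64); // ABI-encoded 2^256-1, the "unlimited" allowance
const KNOWN_SELECTORS = {
  '095ea7b3': 'approve(address,uint256)',         // ERC-20
  'a22cb465': 'setApprovalForAll(address,bool)',  // ERC-721 / ERC-1155
};

// Assumed policy: a denylisted drainer address, a 1 ETH per-transaction cap.
const DEFAULT_POLICY = {
  denylist: new Set(['0x' + 'd'.repeat(40)]),
  maxValueWei: 10n ** 18n,
  allowUnknownCalls: false,
};

// Split calldata into selector + 32-byte ABI words. Returns null for a plain value transfer.
function decodeCall(data) {
  const hex = (data || '').replace(/^0x/, '').toLowerCase();
  if (hex.length < 8) return null;
  const selector = hex.slice(0, 8);
  const words = [];
  for (let i = 8; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector, name: KNOWN_SELECTORS[selector] || null, words };
}

// Evaluate a transaction against the policy. A 'block' finding means: do not sign.
// A 'confirm' finding means: show the user exactly what they are granting first.
function checkTransaction(tx, policy = DEFAULT_POLICY) {
  const findings = [];
  const to = (tx.to || '').toLowerCase();
  if (policy.denylist.has(to)) {
    findings.push({ severity: 'block', reason: `recipient ${to} is on the denylist` });
  }
  const value = BigInt(tx.value || 0);
  if (value > policy.maxValueWei) {
    findings.push({ severity: 'block', reason: `value ${value} wei exceeds cap ${policy.maxValueWei} wei` });
  }
  const call = decodeCall(tx.data);
  if (call) {
    if (call.name === 'approve(address,uint256)' && call.words[1] === MAX_UINT256) {
      findings.push({ severity: 'block', reason: 'unlimited ERC-20 approval' });
    }
    if (call.name === 'setApprovalForAll(address,bool)' && call.words[1] === '0'.repeat(63) + '1') {
      findings.push({ severity: 'confirm', reason: 'grants an operator control over every token in the collection' });
    }
    if (!call.name && !policy.allowUnknownCalls) {
      findings.push({ severity: 'confirm', reason: `unknown function selector 0x${call.selector}` });
    }
  }
  return { allowed: !findings.some(f => f.severity === 'block'), findings };
}

// Constructed sample transactions run through the gate.
function demo() {
  const addrWord = '0'.repeat(24) + '1'.repeat(40); // ABI word: 12 zero bytes + 20-byte address
  const unlimitedApprove = { to: '0x' + 'a'.repeat(40), value: '0', data: '0x095ea7b3' + addrWord + MAX_UINT256 };
  const approveAll = { to: '0x' + 'c'.repeat(40), value: '0', data: '0xa22cb465' + addrWord + '0'.repeat(63) + '1' };
  const smallTransfer = { to: '0x' + 'b'.repeat(40), value: '500000000000000000', data: '0x' };
  const drainer = { to: '0x' + 'd'.repeat(40), value: '0', data: '0x' };
  return {
    unlimitedApprove: checkTransaction(unlimitedApprove),
    approveAll: checkTransaction(approveAll),
    smallTransfer: checkTransaction(smallTransfer),
    drainer: checkTransaction(drainer),
  };
}
```

The gate is deliberately allow-by-default for ordinary transfers and block-by-default only for the few patterns that are almost never legitimate; everything else becomes a "confirm" that the wallet UI must render in plain language rather than as raw hex.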

There are four directions, described below, that can advance a prevention-oriented Web3 security model.

four directions

Source-of-truth data for vulnerabilities

There needs to be a source of truth for known Web3 vulnerabilities and weaknesses. In Web 2.0, official vulnerability databases (the CVE list and NVD, for example) already provide the core data for vulnerability management programs.

Web3 needs an equivalent, decentralized data effort to eliminate information asymmetry. Today, incomplete information on vulnerabilities and exposures is scattered across sources such as the SWC Registry, Rekt, Smart Contract Attack Vectors and the DeFi Threat Matrix, while Immunefi runs bug bounty programs to surface new weaknesses.

Security decision-making norms

In Web3, key security design choices and incident decision-making models are still being worked out. Decentralization means that no single party takes full responsibility for these problems, and the impact on users can be huge. The recent Log4j vulnerability, for example, is a warning about what happens when security is left entirely to a decentralized volunteer community.

What is the Log4j vulnerability?

In December 2021, the open-source Java logging library Log4j2 was found to have a remote code execution vulnerability (CVE-2021-44228, a flaw that attackers can exploit to run malware on affected systems). Log4j2 is a logging component for Java that is used in the business systems of many leading companies and organizations, including Google, Microsoft and Amazon.

Log4j2 is maintained by volunteers at the non-profit Apache Software Foundation.

Therefore, it needs to be clarified how DAOs, security experts, Web3 infrastructure providers such as Alchemy and Infura, and other relevant parties cooperate on emergent security issues. The experience of large open-source communities in forming the OpenSSF and the CNCF security advisory groups offers a template for processes that handle security issues.

Authentication and signing

Most dApps on the market today do not authenticate or sign their API responses. This means that when a user's wallet retrieves data from a dApp, it has no way to verify that the response came from the intended (genuine, not counterfeit) application, or that the data has not been tampered with in transit.

In a world where dApps do not follow even basic security practices, users are left to judge their own security posture and the trustworthiness of what they see on their own. That is very difficult, and there really needs to be a better way to alert users to risk.

Better key management experience (Easier, user-controlled key management)

Key management is the foundation of every transaction a user makes in the Web3 paradigm. Keys are notoriously hard to manage, and much of the cryptography business has revolved, and will continue to revolve, around key management.

The complexity and risk of managing private keys is also one of the main reasons users choose custodial wallets over non-custodial ones. However, custodial wallets create new "intermediaries", such as Coinbase, which runs against the direction and ideal of a fully decentralized Web3 and, to a degree, limits users' ability to enjoy everything Web3 offers. Ideally, further security innovation will give users better usability and protection in non-custodial scenarios.

Notably, the first two initiatives (source-of-truth vulnerability data and security decision-making norms) revolve mostly around people and processes, while the third and fourth require new technology. Keeping new technology, new processes and a large user base in step is one of the central challenges of Web3 security.

However, one thing is still very encouraging: Web3 security innovation happens in an open, open-source environment, and creative solutions tend to emerge in exactly such settings.

Posted by: CoinYuppie. Reprinted with attribution to:
Previous 2022-03-19 10:17
Next 2022-03-19 10:19