
Is Web 2.0 Safe?

As users store more data online, hackers are finding ways to break into the new service sites. Experts say the problems are deep-seated.

Robert McMillan, PC World


Staying Safe

Web-coding bugs are still extremely common, but Web site operators have only recently started to root them out in a concerted way.

"Oddly, there isn't that much research in terms of 'How do you build a Web site in practice, and what are the best practices that would allow a company to protect themselves?'" says Michael Barrett, chief information security officer for eBay's PayPal division. "If there is an emerging set of best practices, I'd argue that not many practitioners know what they are."

And the nature of Web 2.0 security bugs limits what individual users can do to avoid them. You can keep some cross-site request forgery attacks at bay by switching to a different browser to access Web 2.0 sites that house your sensitive information. If you're browsing with Firefox, for example, you could log on to your banking site in Opera. Any sites you browse in Firefox won't have access to the Opera cookie that keeps you logged in.
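The browser-separation advice above can be modelled in a few lines. This is an added example, not part of the original article: the `Browser` and `Site` classes, the host names and the session values are all constructed for illustration, and the site is assumed to trust the session cookie alone.

```javascript
// Constructed model of per-browser cookie jars; not real browser code.
class Browser {
  constructor(name) {
    this.name = name;
    this.jar = new Map(); // host -> session cookie held by THIS browser
  }
  // Logging in stores the session cookie in this browser's jar only.
  login(site, user) {
    this.jar.set(site.host, site.createSession(user));
  }
  // Every request to a host carries that host's cookie automatically,
  // whichever page caused the request. Request forgery relies on this.
  request(site, action, initiatingPage) {
    const cookie = this.jar.get(site.host) ?? null;
    return site.handle(action, cookie, initiatingPage);
  }
}

class Site {
  constructor(host) {
    this.host = host;
    this.sessions = new Map(); // cookie value -> user
    this.counter = 0;
  }
  createSession(user) {
    const token = `sess-${++this.counter}`; // constructed placeholder value
    this.sessions.set(token, user);
    return token;
  }
  // Assumption: the site checks only the cookie and ignores which page
  // triggered the request.
  handle(action, cookie, initiatingPage) {
    const user = this.sessions.get(cookie);
    if (!user) return { accepted: false, reason: "not logged in" };
    return { accepted: true, user, action, initiatingPage };
  }
}

function demo() {
  const bank = new Site("bank.example");
  const firefox = new Browser("Firefox"); // everyday browsing
  const opera = new Browser("Opera");     // sensitive sites only
  opera.login(bank, "alice");
  // A page open in Firefox triggers a request to the bank: no cookie is sent.
  const separated = firefox.request(bank, "transfer", "other-site.example");
  // The same request after logging in to the bank in Firefox itself.
  firefox.login(bank, "alice");
  const shared = firefox.request(bank, "transfer", "other-site.example");
  return { separated, shared };
}
```

In the separated case the bank sees no session and rejects the request; once the login lives in the same browser as the everyday browsing, the identical request is accepted as the logged-in user.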

Cross-site scripting attacks can be more difficult to avoid. As always, it helps to be careful in choosing which links to click, but that doesn't protect you from a threat like the Samy worm, which could affect a site that you do trust. As Web 2.0 security continues to evolve, you may want to rethink how much of your sensitive personal information you're willing to store online.

Ultimately, Barrett thinks that Web security standards like the WS* specifications go some distance toward solving the Web security problem, but he agrees that many of the basic Web standards, such as JavaScript and HTTP, must be rethought. "We need to reevaluate those standards and potentially rewrite some of them to make this stuff safer," he says. "If enough companies stand up and say there's a problem here, then the industry will start to move."
