Personal computers and Web servers were simply not designed to work together in a secure fashion. And as Web 2.0 pushes these machines to do increasingly innovative things, the strain is beginning to show, according to Sectheory.com's Hansen, who also maintains a Web site with a discussion forum on the latest Web attacks.
"This is really just fundamentally about how browsers work," he says.
Google Desktop, in particular, concerns Hansen, because with this type of service, vulnerabilities in the Web can ultimately affect the desktop. "If you allow a Web site to have access to your drive--to modify, to change things, to integrate, or whatever--you're relying on that Web site to be secure."
Sites like MySpace and eBay face this problem every day, but if Google's vision of rich desktop and Web integration becomes a reality, the security of Web 2.0 will matter for corporate users as well. "Historically, Google has not been very good at understanding these issues," Hansen says.
And though some researchers disagree with Hansen and say that Google has done an admirable job of keeping its site free of flaws, to a large extent the real Web security problem lies outside the control of sites like Google.
"There is no browser security model," says Alex Stamos, a founding partner of security consultancy Information Security Partners. "The problem is that Google is playing by the rules that Netscape laid down a decade ago."
Stamos calls the Web 2.0 model of sharing small user-generated programs, called widgets, "completely insane" from a security perspective.