Web3.0: Security considerations and implications

Joshua J Morley GAICD
Coinmonks
11 min read · Mar 22, 2022


Innovation is just creativity applied with technology — Joshua J S Morley

If you’ve seen one of my lectures or read one of my articles before, you’ll be familiar with this quote, but I think it is especially important to highlight given the topic of this article, because the creative people working with Web3.0 and other emerging technologies are creating projects that will become the foundation for the next level of widespread technology used by future generations.

Today I'm going to be talking about some important considerations and implications of not securing web3 and other emerging technologies.

The content of this article will be as follows:

  • I’ll start by giving a background into Web1.0 and Web2.0
  • Then I’ll talk about Web3.0 and the two schools of thought surrounding its definition (and what I think the future and Web3.0 will look like)
  • I’ll then go into some considerations and some implications of not providing sufficient security for web3
  • And I’ll end on some suggestions for things you should consider when developing for Web3.0

But before we can start talking about the considerations and implications of secure programming for Web3.0, let’s start with the fundamentals: what are Web1.0 (also known as the syntactic web) and Web2.0 (also known as the social web)?

Web1.0 & Web2.0

Web1.0

Now the terms Web 1, 2 and 3 were coined by Tim Berners-Lee (widely credited as the founder of the web). Web1.0 is also referred to as the “syntactic web” or the “read-only web”; this was the early iteration of the World Wide Web that effectively just allowed people to search for information and read it (an oversimplification, but you get me). There was not a whole lot of engagement with the web outside of the consumption of information, and engaging with the web on a deeper level required knowledge of programming syntax (which is where the name comes from).

In general Web1.0 applied a brick-and-mortar mindset to the digital realm: the web was a decentralised library of knowledge, and people could purchase things through e-commerce websites, but for the most part you would be travelling through the web browsing, not contributing or changing things.

Web2.0

Web2.0 is also known as the “read-write web” or the “social web”, and it came about as a result of the rise of interactive web services such as email, user groups, blogs and ultimately social media platforms.

Web2.0 saw people beginning to interact and socialise on the web, not just consume information. The term is also used to describe a web dominated by a select few tech giants, where the majority of web traffic is filtered through these 5 to 8 companies.

[Image. Credit: Sandvine]

Big tech dominating web usage and traffic is actually one of the primary drivers behind people (especially blockchain enthusiasts) wanting to move towards what they call ‘web3’ or ‘the decentralised web’ and this is the second camp of thought I’ll be talking about in just a moment.

Web3.0

The mysterious Web3

So what is Web3.0/web3? There are many TikToks, many videos and many people talking about it (without really giving a clear definition or description). I’ll typically see a whole list of popular buzzword technologies (including ‘blockchain’, ‘cryptocurrency’, ‘NFT’, ‘decentralisation’), but I won’t see any kind of description or realistic outlook on how we can achieve a fully decentralised web and what implications arise as a result of it. Before we go down the blockchain web3 rabbit hole, it’s important to talk about the original Web3.0, the “semantic web”.

The Semantic Web

The term ‘the semantic web’ was described by Tim Berners-Lee in 1999 and first titled ‘Web3.0’ in 2006. It describes a web where computers or artificial intelligence are capable of parsing/analysing the internet’s data, and intelligent agents would be able to interact with people. This understanding is the first school of thought around Web3.0.

Now when we talk about these two different camps I believe they’re both describing components of the same thing, just different sides of the table.

‘web3’ as described by blockchain enthusiasts is a term coined in 2017 by Gavin Wood (co-founder of Ethereum) and is typically used to describe a decentralised web that moves away from big tech. The term is popular in blockchain-based financial circles centred around cryptocurrency, NFTs (Non-Fungible Tokens), DAOs (Decentralised Autonomous Organisations), etc.

The AI Web3.0 (as first mentioned by Tim Berners-Lee in 2006) is the term typically used by information architects and the World Wide Web Consortium (W3C), and typically describes an evolution of Web2.0 that adopts advances in human-computer interfaces and the use of artificial intelligence.

Criticism of Web3.0/web3

Most of the criticism of the two definitions of Web3.0 target the utopian hype of either a fully decentralized internet running on blockchain, or the idea of a fully machine parseable web.

For example, Elon Musk and Jack Dorsey dismiss the blockchain web3 as “buzzwords” and “venture capitalist playthings”, highlighting the volatile nature of technologies whose ‘value is almost entirely based on public opinion’ (Elon Musk would know).

Critics of the semantic web, over the two decades it has been around, have mainly commented on the feasibility of formalising the mass of human knowledge in a machine-parseable and interpretable manner (and many of these criticisms were made before the recent advancements in artificial intelligence).

I believe both of these approaches will be components of the ‘actual Web3.0’. I also believe a Web3.0 is inevitable, but in the same way there are still Web1.0 websites now, there will still be Web1.0 and Web2.0 sites when Web3.0 comes around.

Josh’s definition: Web3.0

So I don't think it would be fair for me to criticise people for fluffing around the definition without providing one myself.

So here is my prediction and definition of Web3.0:

“A web that embraces interactivity through virtual (metaverse) and mixed reality, and will be enabled by the Internet of Things, where smart devices will provide feedback, input or outputs and facilitate the seamless interface between the internet and our real-world environment.

The Web will have intelligent agents and AI will not only find, interpret and communicate information but will also create (GenAI)

and decentralized currencies, artifacts and organizations will democratize parts of our web experience bringing some power back into the hands of the users” — Joshua J S Morley

Web3.0 Security Implications

But this all presents a problem.

I gave a presentation last year talking about the security implications of the Internet of Things, and mentioned things like pacemakers being hackable (malicious actors could remotely access the pacemaker, performing actions such as changing its pace, administering a shock, or discharging the battery). But when we consider all the things web3 will bring, it’s an even scarier thought!

  • If all of your finances are in a crypto that suffers a 51% attack or a rug pull
  • If your metaverse tactile feedback suit gets hacked and crushes your vitals
  • If you have to store all of your private keys yourself (it’s tough to lug out a TV, but malicious actors can target USB drives when robbing a house)

So what are some things that we as security professionals need to consider when preparing for jobs in web3?

First I want to share some considerations and cautionary tales that we are currently facing in web3.0 technologies and jobs, then I’ll provide a list of recommendations.

Authentication and authority

Most Decentralised Applications (dApps) today do not authenticate or sign their API responses; I think that speaks for itself. If you’re building web3 apps, basic things like API authentication must be included. Imagine a decentralised bank app that doesn’t do API authentication or response signing.

Furthermore, lots of dApps claiming to be web3.0 applications currently use centralised services like Infura or Alchemy. Moxie Marlinspike, the creator of Signal and co-author of the Signal protocol, documents issues with ‘web3.0’ platforms in his blog, where he identified that dApps themselves typically aren’t distributed; they are just React websites, and the decentralised part is that the state and permissions live on the blockchain instead of in a centralised database. He goes on to point out that OpenSea, the largest NFT marketplace, removed an NFT he created with no justification needed or provided, bringing to light the issue that even NFTs, a shining star of the web3.0 blockchain world, are controlled by web2 companies. So how can we remove these centralised control points when even web3 apps naturally gravitate towards that model?

Cryptographic key management

Finally, a common factor of many blockchain technologies is user-controlled cryptographic key management. You have a private key for your wallet, application or authentication server. Losing this key, or losing sole possession of this key, is devastating. So many people use (web2) platforms such as Coinbase to act as custodians or intermediaries to manage their private keys and wallets.

Like I said earlier, I don’t believe we will go to a fully decentralised web, but a consideration for security experts in web3 will be the management of many cryptographic keys without relying on centralised organisations.

Security vs Sustainability

A big differentiator of blockchain is its security applied in a decentralised manner, but this decentralised security does come at a cost in terms of energy and sustainability. To prove the correctness of data and transactions, blockchains can use a number of different “proof of” functions. Two big ones are:

  • Proof of Work: miners compete to solve complex equations, and the fastest solver is rewarded with the right to add new transactions to the blockchain
  • Proof of Stake: a validator stakes a certain value of their own crypto as collateral and is rewarded with the right to create the next block in the blockchain and maintain the public ledger, in proportion to their stake in the network

Proof of work is more secure (and more time-hardened), but is significantly more expensive in terms of energy consumption. In fact, the Ethereum blockchain is moving away from PoW to PoS and has stated it expects to see a 99% reduction in energy usage. A staggering fact is that Bitcoin (which uses proof of work) accounts for 0.6% of all energy usage in the world (July 2021).

Cryptographic technology utilisation ≠ automatically secured

We also have to remember that using cryptographic technologies doesn’t automatically mean perfect security. Traditional considerations such as information architecture and data security still apply, and a web3 app’s requirement to have information on public blockchains doesn’t mean that no information needs to be encrypted, private and secured. Yes, I can go to HotSpotty and see beacon witnesses, challenges and mining rewards for a Helium hotspot. But I shouldn’t (and can’t) see the full name, address, phone number and email of the owner of that hotspot. Some information can be public; some should be private.

The internet is full of people ‘making the move to web3’. I enthusiastically encourage everyone, technical or otherwise, to upskill in technology and learn one of the many forms of development. But because many web3.0 developers are hobbyists, hackathon participants or young, keen entrepreneurs who just want to get to market, the focus on security by design is absent. It’s a very tough thing to do, but we need to develop some baseline security requirements for all these emerging blockchain technologies.

Education is vital

With the democratisation of data and shifting data ownership from centralised platforms into the hands of the user, education is more important than ever. Part of this is that there are currently many ‘restrictions’ in place that act as a safety net for people to protect them from not only malicious actors but also accidents.

However, what about a world where your metaverse avatar and username are your identity, and spoofing can result in simple, automatable and large-scale identity theft and impersonation?

What about a world where the loss of a cryptographic key on a USB stick can mean the loss of your life savings?

Or what about a world where social media information is machine-readable and interpretable by AI models, and thus open to automated exploitation?

It’s vital that we continue to educate the public on how to stay safe and secure as they adopt these new advances.

Impact of failure

The impacts of failure are far greater in a world without these safety nets, and the reality of a decentralised world is a lack of regulation and of the safety nets that come with it.

We’ve seen kids order dozens of pizzas with their parents’ credit cards, but what about kids maxing out a credit card on a crypto that gets rug-pulled? NFT scams enticing people with get-rich-quick schemes. Tinder swindlers dating multiple people around the world in the metaverse.

Machine interpretable data mining and exploitation

In a future where AI can interpret data, we can count on intelligent agents being written to exploit human emotions and vulnerabilities. We already see the emergence of automation exploiting innocent people in the fake Instagram account scam, not to mention the mass of email and SMS scams we see.

But what about a world where an AI can train a model for each target and specifically target an individual’s vulnerabilities, or extort specific people using information scraped from the web?

Bio-Integrated Technology

Let’s talk about bio-integrated technologies (brain implants, biometric circuit tattoos and other biometric interfacing devices). As we see more and more of these technologies integrated with our bodies, along with technologies that allow us to interact with mixed or virtual reality, we must ensure that they are secured, because the impact of failing to secure technology that is integrated into our bodies could be fatal.

Art imitates life (and so will scams)

Art imitates life, specifically with deepfakes. GANs and increasingly smart chatbots could be used to completely fabricate a person for mass fraud and scamming. Imagine the Tinder swindler where it’s an AI on the other side, not a person; the scale of fraud that artificial intelligence enables is significant.

Accountability in a decentralised world

How do we have accountability in a decentralised world? The recent Log4j vulnerability teaches us an important lesson on accountability and its implications for a decentralised future. Decentralised projects may mean there is no dedicated accountability, and without accountability we need to start thinking about the guarantees we can substitute in to ensure issues are disincentivised.

Suggestions for approaching Web3.0 in a secure way

So, I just bombarded you with a ton of information, facetious comments and only a slight tad of sarcasm. But what helpful suggestions can I give you to go out into the future of web3 in a secure manner?

  1. Design with ethical practices in mind; this is hugely important when designing for machine-interpretable data on people (you can read my article on the ethics of computer vision if this interests you)
  2. Build in the detection (and elimination) of fraud, scams and unethical use of your platform
  3. Many web2 security practices still apply to web3. Adopt existing security principles by default
  4. Consider whether decentralising an application is necessary and realistic, and what the implications for security are if you do decentralise
  5. Consider the sustainability impact of applications and whether the heightened security is necessary
  6. Classify your data: what should be public and what should be private
  7. Encourage developers to design with security in mind. Remind them of the cost of failure for security on web3 (the Poly Network hack)
  8. Educate your peers and network and encourage a mindset of learning and questioning
  9. The more dangerous it is to somebody’s health (physical or mental), the more it should be secured

In this article I have given a background into Web1.0, 2.0 & 3.0, given my own definition and prediction of Web3.0, and spoken about some issues that could arise in Web3.0 due to security decisions, as well as providing some suggested considerations for developers working in the Web3.0 space.

I humbly request that if you liked the content, or found it informative or thought-provoking, please follow me, both as a mechanism for receiving new work I put out and to support my efforts on this blogging journey I’m making.

Thank you and best regards,
Josh
