World Wide Web
== Security ==
For [[criminal]]s, the Web has become a venue to spread [[malware]] and engage in a range of [[cybercrime]], including (but not limited to) [[identity theft]], [[fraud]], [[espionage]], and [[intelligence gathering]].<ref name=Ben-Itzhak /> Web-based [[vulnerability (computing)|vulnerabilities]] now outnumber traditional computer security concerns,<ref>{{cite web|author1=Christey, Steve|author2=Martin, Robert A.|name-list-style=amp|title=Vulnerability Type Distributions in CVE (version 1.1)|url=http://cwe.mitre.org/documents/vuln-trends/index.html|date=22 May 2007|publisher=[[MITRE Corporation]]|access-date=7 June 2008|url-status=live|archive-url=https://web.archive.org/web/20130317191715/http://cwe.mitre.org/documents/vuln-trends/index.html|archive-date=17 March 2013}}</ref><ref>{{Cite journal|title=Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary)|publisher=Symantec Corp.|journal=Symantec Internet Security Threat Report|volume=XIII|pages=1–2|date=April 2008|url=http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf|access-date=11 May 2008|url-status=dead|archive-url=https://web.archive.org/web/20080625065121/http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf|archive-date=25 June 2008}}</ref> and as measured by [[Google]], about one in ten web pages may contain malicious code.<ref>{{cite news|title=Google searches web's dark side|url=http://news.bbc.co.uk/2/hi/technology/6645895.stm|date=11 May 2007|work=BBC News|access-date=26 April 2008|url-status=live|archive-url=https://web.archive.org/web/20080307211615/http://news.bbc.co.uk/2/hi/technology/6645895.stm|archive-date=7 March 2008}}</ref> Most web-based [[attack (computing)|attacks]] take place on legitimate websites, and most, as measured by [[Sophos]], are hosted in the United States,
China and Russia.<ref name=Sophos-Q1-2008>{{cite web|title=Security Threat Report (Q1 2008)|url=http://www.sophos.com/sophos/docs/eng/marketing_material/sophos-threat-report-Q108.pdf|publisher=Sophos|access-date=24 April 2008|url-status=live|archive-url=https://web.archive.org/web/20131231084932/http://www.sophos.com/en-us/support/documentation.aspx?requested=eng%2Fmarketing_material%2Fsophos-threat-report-Q108.pdf|archive-date=31 December 2013}}</ref> The most common of all malware [[Threat (computer)|threats]] is [[SQL injection]] attacks against websites.<ref>{{cite web|title=Security threat report|url=http://www.sophos.com/sophos/docs/eng/papers/sophos-security-report-jul08-srna.pdf|date=July 2008|publisher=Sophos|access-date=24 August 2008|url-status=live|archive-url=https://web.archive.org/web/20131231084007/http://www.sophos.com/en-us/medialibrary/gated%20assets/white%20papers/sophossecurityreportjul08srna.pdf|archive-date=31 December 2013}}</ref> Through HTML and URIs, the Web was vulnerable to attacks like [[cross-site scripting]] (XSS) that came with the introduction of JavaScript<ref name=FGHR>{{Cite book|author1=Jeremiah Grossman|author2=Robert "RSnake" Hansen|author3=Petko "pdp" D. 
Petkov|author4=Anton Rager|author5=Seth Fogie|title=Cross Site Scripting Attacks: XSS Exploits and Defense|pages=68–69, 127|publisher=Syngress, Elsevier Science & Technology|url=https://theswissbay.ch/pdf/Gentoomen%20Library/Security/Cross%20Site%20Scripting%20Attacks%20Xss%20Exploits%20and%20Defense.pdf|archive-url=https://web.archive.org/web/20241115013526/https://theswissbay.ch/pdf/Gentoomen%20Library/Security/Cross%20Site%20Scripting%20Attacks%20Xss%20Exploits%20and%20Defense.pdf|archive-date=15 November 2024|year=2007|isbn=978-1-59749-154-9|access-date=23 January 2025|url-status=live}}</ref> and were exacerbated to some degree by [[Web 2.0]] and Ajax [[web design]] that favours the use of scripts.<ref>{{cite web |author=O'Reilly, Tim |date=30 September 2005 |title=What Is Web 2.0 |url=http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html |url-status=live |archive-url=https://archive.today/20120628212146/http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html |archive-date=2012-06-28 |access-date=4 June 2008 |publisher=O'Reilly Media |pages=4–5}} and AJAX web applications can introduce security vulnerabilities like "client-side security controls, increased attack surfaces, and new possibilities for Cross-Site Scripting (XSS)", in {{Cite journal |author=Ritchie, Paul |date=March 2007 |title=The security risks of AJAX/web 2.0 applications |url=http://www.infosecurity-magazine.com/research/Sep07_Ajax.pdf |journal=Infosecurity |archive-url=https://web.archive.org/web/20080625065122/http://www.infosecurity-magazine.com/research/Sep07_Ajax.pdf |archive-date=25 June 2008 |access-date=6 June 2008}} which cites {{Cite news |author1=Hayre, Jaswinder S. 
|author2=Kelath, Jayasankar |name-list-style=amp |date=22 June 2006 |title=Ajax Security Basics |publisher=SecurityFocus |url=http://www.securityfocus.com/infocus/1868 |url-status=live |access-date=6 June 2008 |archive-url=https://web.archive.org/web/20080515114747/http://www.securityfocus.com/infocus/1868 |archive-date=15 May 2008}}</ref> In one 2007 estimate, 70% of all websites are open to XSS attacks on their users.<ref>{{Cite news|author=Berinato, Scott|title=Software Vulnerability Disclosure: The Chilling Effect|url=http://www.csoonline.com/article/221113|archive-url=https://web.archive.org/web/20080418072230/http://www.csoonline.com/article/221113|archive-date=18 April 2008|work=CSO|page=7|publisher=[[CXO Media]]|date=1 January 2007|access-date=7 June 2008}}</ref> [[Phishing]] is another common threat to the Web. In February 2013, RSA (the security division of EMC) estimated the global losses from phishing at $1.5 billion in 2012.<ref name="First_Post">{{cite web|url=http://firstbiz.firstpost.com/biztech/2012-global-losses-from-phishing-estimated-at-1-5-bn-16850.html|title=2012 Global Losses From phishing Estimated At $1.5 Bn|publisher=FirstPost|date=20 February 2013|access-date=25 January 2019|url-status=live|archive-url=https://web.archive.org/web/20141221122958/http://firstbiz.firstpost.com/biztech/2012-global-losses-from-phishing-estimated-at-1-5-bn-16850.html|archive-date=21 December 2014}}</ref> Two of the well-known phishing methods are Covert Redirect and Open Redirect.

Proposed solutions vary.
Large security companies like [[McAfee]] already design governance and compliance suites to meet post-9/11 regulations,<ref>{{Cite news|author=Prince, Brian|title=McAfee Governance, Risk and Compliance Business Unit|url=http://www.eweek.com/c/a/Security/McAfee-Governance-Risk-and-Compliance-Business-Unit/|work=eWEEK|publisher=Ziff Davis Enterprise Holdings|date=9 April 2008|access-date=25 April 2008|archive-date=21 April 2024|archive-url=https://web.archive.org/web/20240421053243/https://www.eweek.com/security/mcafee-governance-risk-and-compliance-business-unit/|url-status=live}}</ref> and some, like [[Finjan Holdings]], have recommended active real-time inspection of programming code and all content regardless of its source.<ref name="Ben-Itzhak">{{Cite news|author=Ben-Itzhak, Yuval|title=Infosecurity 2008 – New defence strategy in battle against e-crime|url=http://www.computerweekly.com/Articles/2008/04/18/230345/infosecurity-2008-new-defence-strategy-in-battle-against.htm|work=ComputerWeekly|publisher=Reed Business Information|date=18 April 2008|access-date=20 April 2008|url-status=live|archive-url=https://web.archive.org/web/20080604061926/http://www.computerweekly.com/Articles/2008/04/18/230345/infosecurity-2008-new-defence-strategy-in-battle-against.htm|archive-date=4 June 2008}}</ref> Some have argued for enterprises to see Web security as a business opportunity rather than a [[cost centre (business)|cost centre]],<ref>{{Cite news|author=Preston, Rob|title=Down To Business: It's Past Time To Elevate The Infosec Conversation|url=http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=207100989|work=InformationWeek|publisher=United Business Media|date=12 April 2008|access-date=25 April 2008|url-status=live|archive-url=https://web.archive.org/web/20080414031843/http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=207100989|archive-date=14 April 2008}}</ref> while others call for "ubiquitous, always-on
[[digital rights management]]" enforced in the infrastructure to replace the hundreds of companies that secure data and networks.<ref>{{Cite news|author=Claburn, Thomas|title=RSA's Coviello Predicts Security Consolidation|url=http://www.informationweek.com/news/security/showArticle.jhtml?articleID=197003826|work=InformationWeek|publisher=United Business Media|date=6 February 2007|access-date=25 April 2008|url-status=live|archive-url=https://web.archive.org/web/20090207091418/http://www.informationweek.com/news/security/showArticle.jhtml?articleID=197003826|archive-date=7 February 2009}}</ref> [[Jonathan Zittrain]] has said users sharing responsibility for computing safety is far preferable to locking down the Internet.<ref>{{Cite news|first=Carolyn|last=Duffy Marsan|title=How the iPhone is killing the 'Net|url=http://www.networkworld.com/news/2008/040908-zittrain.html|work=Network World|publisher=IDG|date=9 April 2008|access-date=17 April 2008|url-status=dead|archive-url=https://web.archive.org/web/20080414043829/http://www.networkworld.com/news/2008/040908-zittrain.html|archive-date=14 April 2008}}</ref>