the company plans to release a toolbar for major browsers that will check visited Web sites for obvious security issues. The add-on software will check for twenty signs — such as the version numbers of the Web server and the content management system — to make sure that the site has no obvious flaws.

As I said, it seems like a good idea. It’s non-invasive, and it alerts users (even non security savvy ones) that a site may be insecure. Ultimately it provides a very real and direct consequence of lax security to e-commerce sites – be secure or you may scare off customers. (And we all know that fear of affecting the bottom line is often the only thing that makes corporate entities act in favor of security). The problem is that without being invasive (think SQL injection), you can’t really tell if a site is secure. I’m afraid that this is going to turn into another one of those McAfee hackersafe style logos – just a green light that makes you feel safe without actually doing anything.

Fast forward to today, and it’s remarkable how everything has changed. The web has begun supplanting the other 65535 ports on the internet. Although e-commerce was the first thing to change the web from a static billboard to a method of transmitting sensitive data, it is web applications which have done the most recently. Now everything occurs over the web – companies use SOAP to transmit sensitive information between them, and back-end databases frequently hold incredibly important data. Even services which were originally designed to function over other protocols, such as remote administration, email, and file transfer, have now begun to migrate to the web. The bottom line is that the web matters. There are still the electronic graffiti artists who want nothing more than their 15 minutes of fame on zone-h.org, but serious hackers are eying the web too.

I remember some time ago I got into a long discussion with someone at work that at its essence revolved around the question of whether or not the web mattered. I essentially argues my old position, more out of habit than anything else, while he argues that the web was of paramount importance (although admittedly he had other ulterior motives for taking that position). I was ultimately proven right only because the case we were dealing with turned out to be nothing more than a simple electronic graffiti artist. Despite being right in that single instance, I am being forced to change my overall position.

In terms of practical application, it means people can no longer blithely allow in traffic to their web servers on ports 80 and 443. Traffic must be examined, either by an intermediate network device or the web server itself to ensure safety. Web applications need to be coded securely, and web servers should in general not be trusted. (Don’t run the process as root, perform system calls in a sandbox, etc.)