Securing the Web

Today, the TAG approved a new finding, "Securing the Web."

As the Web platform becomes more powerful, it also becomes more susceptible to a variety of attacks; someone who can pose as the server or modify content on its way to you can insert persistent scripts to track your activity, to modify what you see and even to access your data. These attacks affect all Web sites, not just "sensitive" ones, because the power the platform provides can be misused by attackers even if the site isn't using it.

At the same time, the IAB has issued advice to design for confidential operation by default, due to the pervasive monitoring attacks that have become prevalent recently.

So, after careful consideration, the TAG has found that:

* The Web platform should be designed to actively prefer secure communication — typically, by encouraging use of "https://" URLs instead of "http://" ones. * Barriers to adopting "https://" should be removed where feasible. * The end-to-end nature of TLS encryption must not be compromised on the Web, in order to preserve trust.

Please read the full finding for details. It is primarily aimed at those creating W3C specifications; if Working Groups need assistance, we encourage them to engage with us.

We expect that we will continue to focus on security issues as this finding is implemented.