The shift from Web 1.0 to Web 2.0 exposed businesses to a whole range of new security risks. The ability for any user to post content to the Internet meant untrusted and malicious inputs could more easily compromise websites, leak data, and infect databases.
As businesses begin exploring the new world of Web3, they will have to face another crop of security vulnerabilities — some of which they may not have encountered before. Businesses experimenting with Web3 will need new approaches to meet those challenges.
Web3 is a vision for a version of the Web that is decentralized and collectively owned. Web3 technology is built on decentralized databases that require majority consensus for any change or update.
To summarize how Web3 differs from previous Web technology:
Web 1.0 is read: Users can obtain data on the Web but cannot interact with it.
Web 2.0 is read-write: Users contribute data to the Web, for instance by uploading content.
Web3 is read-write-own: Users do not just contribute data; they own their data.
This read-write-own concept is made possible by a few basic principles:
For much of the Internet’s history web applications have been controlled by centralized providers. These providers control the application's logic and data, and can edit and erase it however they want.
In Web3, web applications are distributed across a peer-to-peer (P2P) network of connected nodes. There is no central authority or controller, data is always visible to all nodes, and data cannot be erased or altered without consensus from the network.
Web3 requires a majority consensus from the network to validate new transactions or updates. Blockchains use proof-of-work (PoW) and proof-of-stake (PoS) validation mechanisms to achieve consensus.
Web3 relies on cryptography, especially hashing, to ensure data is never altered or removed without agreement from the supporting network.
For example, a given block on a blockchain cannot be changed on its own, because its hash is recorded on the following block. Changing a block will change the value of the subsequent block, which would invalidate the hash on the block following that, and so on. In other words, any change would require changing much of the rest of the blockchain. Such changes do occur, but they require broad consensus from the supporting network and are highly resource-intensive.
In many ways, this makes Web3 more secure than Web 2.0. Participating clients are certain of receiving the exact data they request, and the requested data cannot be altered — or replaced with something malicious. Clients do not have to trust a centralized provider; implicit trust is built into the blockchain.
There are several ways businesses are exploring the possibilities of Web3, ranging from decentralized application architectures to more resilient methods of file storage.
Blockchain is a method for recording transactions in chronological blocks of data across a distributed network. Data written to the blockchain cannot be changed.
One of the most widely known applications for blockchain is cryptocurrency, which is the crucial component of the decentralized finance (DeFi) services in use today. But developers can also write decentralized applications (DApps) that use a blockchain to execute (including non-fungible tokens or NFTs).
Smart contracts are the logic of DApps. A smart contract is code designed to carry out specific functions — like any other programmable function, smart contracts execute upon being called. Smart contracts are created and stored on blockchain networks.
From a development perspective, DApps offer businesses the advantage of not having to manage and maintain the full backend infrastructure necessary for supporting an application. Smart contracts are stored on the blockchain and operate autonomously. An organization deploying a DApp does usually need to deploy and maintain a user interface as well, using an intermediary service to make API queries to smart contracts on the backend.
DApps are reliable since they run on a vast peer-to-peer network, while centralized apps go down if their supporting infrastructure goes down.
Finance is one major use case for DApps — examples range from cryptocurrencies, to wallets, to decentralized exchanges. Additionally, developers have built DApp web browsers, games, social networks, and other services as well.
Decentralized finance (DeFi) is a collection of methods for obtaining financial services without relying on centralized authorities like banks. DeFi users can give or receive loans; buy, sell, and exchange cryptocurrencies; earn interest; and perform other tasks associated with the financial services sector, all using decentralized platforms. DeFi is built largely on smart contracts (supported by the Ethereum blockchain). Centralized exchanges support DeFi (like Coinbase), but DeFi protocols are inherently decentralized.
Blockchain's decentralized storage of transactions makes it a core building block for Web3, but it is not the only type of architecture that businesses are experimenting with. The Interplanetary File System (IPFS) is another (non-blockchain) protocol for implementing Web3 principles. IPFS stores data in a distributed file system. The address of content provided via IPFS cannot be changed — updates result in a new, unique content address. And IPFS's distributed architecture makes it more resilient and reliable than more centralized storage methods.
Businesses can rely on IPFS for serving content to users in a trustworthy fashion. IPFS also enables users to easily publish their own content from their own environments.
While the underlying principles of Web3 make it more secure than Web 2.0 in some respects, like any technology it introduces its share of security risks. Some of the security gaps come from the way Web3 and Web 2.0 architectures interact; others are inherent to how protocols like blockchain and IPFS function. And Web3's reliance on network consensus can make patching these and other flaws a slow process.
Some of the main security risks include:
Most people know not to give personal information out to unverified requesters. And yet, Web3 applications are often reliant on API calls and responses that do not authenticate the ends of the connection.
In theory, Web3 is completely decentralized, and any connected node on the network can interface directly with stored data. In practice, Web3 application front-ends will still need to rely on Web 2.0 technologies that user endpoints can interact with easily. Most Web3 app front-ends use API queries to the Web3 back-end for business logic and data storage.
Currently, many Web3 API queries are not cryptographically signed. This leaves them vulnerable to on-path attacks, data interception, and other attacks — just as the use of unencrypted, unsigned HTTP Web 2.0 apps leaves users vulnerable to data leakage and on-path attacks. In other words, there is often no guarantee that Web3 application data is from the correct source, despite the "implicit trust" concept described above.
Like any code, smart contracts can contain major security flaws that put user data or — as is often the case — funds at risk. A 2019 study identified poorly coded Ethereum smart contracts that put $4 million in Ether at risk. The problem has not improved with time; in December 2021, flawed smart contracts allowed attackers to steal approximately $31 million in digital currency. And in May 2022, a flawed algorithm caused the TerraUSD cryptocurrency to lose about $50 billion in value.
Data on a blockchain can be stored and accessed by any connected node — in contrast to a Web 2.0 model, in which access to databases can be highly restricted. This introduces multiple security and privacy concerns depending on what data is stored. Even if it is anonymized while at rest, research consistently shows that no data is truly anonymous.
The media is rifewithstories of attacks on cryptocurrency or NFT wallets. Most often this occurs through attackers gaining access to users' private keys, or tricking users into handing them over through phishing. In fact, if these private keys are stored locally on a user's device, they are vulnerable to physical theft.
To this point, with cryptocurrency being the main use for DApps and Web3 in general, most attacks have targeted digital currency. But the implications for other applications of Web3 technology could be equally onerous.
Not all of Web3 is built directly on blockchain. Just as the Internet is composed of layers (7 according to the OSI Model) built on top of each other, blockchain has protocols built on top of it. One example is the widespread reliance on "bridges," which are protocols that enable transfers from one blockchain to another.
These protocols can be attacked as well. For example, thieves exploited the Wormhole bridge in February 2022 to steal approximately $320 million in cryptocurrency.
Web3 makes it difficult to issue fixes for security issues once they are identified. Because Web3 is built on decentralized network consensus, any changes have to be approved by the network at large.
This is perhaps the biggest security challenge for Web3. Building completely secure applications is not humanly possible, and the lack of ability to quickly fix flaws increases the impact security flaws can have, since they will be active longer even after discovery.
From user credential theft to cross-site scripting, Web3 front-ends will still have many of the same vulnerabilities as Web 2.0 front-ends, despite the Web3 backend. Code injection, bots, API-based attacks, and other threat vectors can put applications and users at risk.
Widespread usage of Transport Layer Security (TLS) for HTTP requests and responses massively improved security for Web 2.0. Similarly, enforcing encryption and digital signing of API queries and responses for Web3 DApps will be crucial for protecting application data.
At this point, businesses have decades of experience countering Web 2.0 security vulnerabilities. While that does not reduce the seriousness of those vulnerabilities, it does mean that methods have long been available for protecting user accounts, preventing code injection, and stopping cross-site scripting, among other attacks. Web application firewalls (WAFs), bot management, and API security measures close off a wide array of attack vectors for application front-ends.
This was important in Web 2.0 as well, but many (if not most) organizations skip or rush through this step in the name of releasing and iterating quickly. After all, any security flaws in newly released features or products could be fixed in the next version.
But in Web3, it's not that simple. Updates and additions to decentralized apps take far longer than in Web 1.0 and Web 2.0, since they require consensus from the entire decentralized network. The right time to identify security vulnerabilities is in advance, not after the fact. Code auditing doubles in importance in such a scenario.
As businesses explore and start to interact with Web3, they must continue to keep security foremost in mind. Security holes can cripple a business or damage its reputation. And because Web3 applications rely on Web 2.0-style frontends, businesses will need to simultaneously secure against Web 2.0 and Web3 security risks.
Cloudflare helps combat security flaws for organizations in any situation, from on-premise network protection, to organizations migrating to the cloud, to organizations on the cutting edge of new models like Web3. For Web3, Cloudflare can help protect both frontend and backend, while also providing gateways that make it easy to interface with Web3.
Cloudflare manages and secures the connection to Web3 infrastructure so businesses can focus on what matters: building cutting-edge products and needed services for their users.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
How Web3 differs from previous Web technology
How businesses are applying Web3 to their products and operations
The common security risks of Web3
How to mitigate those security risks