Sir Tim Berners-Lee defends lack of security in WWW

Sir Tim Berners-Lee speaking at IPExpo Europe 2014

Sir Tim Berners-Lee yesterday stated that he had no regrets about not including security in the early specifications for the world wide web.

In a keynote speech at IPExpo Europe at ExCel London, he gave a talk that ranged widely over current and future issues around the web, including some historical context as to how the web was first developed.

A key principle of the early web was that the server and the web browser didn’t need to know anything about each other – where they were located, who owned them or what communications infrastructure might exist between them. “I didn’t have to worry about how the internet worked and the internet didn’t have to worry about what I was doing with it,” he said. “It was because it was decentralised and designed so it didn’t have a central place where you had to go to ask for permission that I could just develop the web without asking permission – and it could just spread.”

Vint Cerf, another internet pioneer, recently said that he regretted that security hadn’t been built into basic internet protocols.

During the question and answer session at the end, I asked him, “Do you regret when setting up the web that security wasn’t built into it from the beginning?”

Berners-Lee replied, saying that had the system been too controlling it might have stifled its early development. “I’ve seen other systems where they tried to be much more draconian, where they said we’re going to set up this massive framework, including security,” he said.

He wanted to keep the specification for the web as simple as possible. HTML and URLs were designed to look like computer code and filenames with which developers at the time were already familiar, and in fact the first specification document was just one sheet of paper.

He suggested that it would have been interesting to think what would have happened if the first public protocol for email had included a requirement that the from address had to be verified, perhaps through a public-key cryptography system. “Then we wouldn’t have spam,” he said, “but then maybe mail wouldn’t have taken off, people would have found it too horribly complicated.”

He conceded that the current situation was difficult. “We do have to fit the stuff retrospectively,” he said. “There is enormous push for HTTPS everywhere, putting in transport layer security everywhere.”

“Some stuff is having to be re-fitted after the fact but I don’t think there could have been any other way. If we had started off the web as something very very – well, it would have been a complicated thing… We could never have thought up all the security threats in advance, all the security. It’s amazing how many loopholes crop up, weaknesses in protocols turn up where you would never imagine, so you have to be constantly revising systems to fix them.”

Another person asked whether Berners-Lee had foreseen the dark side of the web, the trade in illegal goods and services.

He replied that the web was simply a medium which could be used for good or bad and in that respect it mirrored humanity. “The web is a vehicle, the web is not there to judge. It’s like a white sheet of paper,” he said. “It would be awful if we had an ethical web where you could only do nice things. It would be like having paper that you could only write cheques on, or something, and couldn’t write nasty thoughts on.

“The media has to be neutral – that’s key. Yes, you will find people using it for nasty things, and you will find people using it for wonderful things. When you look at humanity in general – which is what you see on the web – in general, I’m hopeful. We’re going to make it but it’s going to be tough.”
