The World Wide Web originally provided no security services because it was not designed to support sensitive applications. As the Web evolved to become a platform for all types of Internet applications, security mechanisms were added. Many Internet players, especially in the e-commerce sector, claim that the Web can now provide adequate security protection. In this paper we analyse some aspects of Web security, and our conclusion is that, despite strong cryptographic mechanisms, standard Web security solutions can only provide casual protection. We also conclude that major design changes need to be introduced in order to strengthen Web security.
Audun Jøsang, Peter M. Møllerud, Edd