Hi frens,
I was invited to speak at d/acc Day at ETHTaipei tomorrow. Here are my slides and speaker notes, made with iA Presenter:
# Defensive Security
#### Denken Chen, independent software developer
I had this app idea last year when I worked as a security consultant during the day and was engaged in the web3 world at night.
I found that the web3 world is targeted by spam, scams, and fraudulent websites everywhere. While crypto investment can be aggressive and risky, we should learn how to be protective and defensive.
As part of the d/acc movement, I decided to share the basic idea of defensive security.
---
## envision
a web browser going through multiple security and trust layers
Web browsers have been designed to be fast and easy to use. In our daily web browsing, you won't get any warning at all unless a website has not configured HTTPS correctly. But that covers encryption in transit, not validating the legitimacy of the website.
---
## why?
because people tend to use a search engine or simply "feel" the legitimacy of the website
For example, people may simply browse the website and think, "Oh, it looks like I'm in the right place." Or maybe they check the domain name.
---
## Which one is scam?
- apple.com
- apple.co
- dropbox.com
- getdropbox.com
- snapshot.org
- snapshot.box
You may think only the first one looks like the correct one, but actually they're all legitimate. Apple uses `apple.co` for short URLs, `getdropbox.com` was Dropbox's first domain name, and Snapshot used different domain names to differentiate its old and new versions.
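The same point can be checked mechanically. As an added example (not from the talk or the planned browser), the Python below runs three common name-only lookalike heuristics over the six domains on the slide, using an assumed allowlist of one "known" domain per brand. All three legitimate alternates get flagged, so spelling alone cannot settle legitimacy and the other layers are needed.

```python
# Added illustration: name-only lookalike heuristics over the slide's domains.
# KNOWN is an assumed allowlist (one domain per brand), not data from the talk.
KNOWN = ["apple.com", "dropbox.com", "snapshot.org"]
SLIDE_DOMAINS = ["apple.com", "apple.co", "dropbox.com",
                 "getdropbox.com", "snapshot.org", "snapshot.box"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def name_only_verdict(domain: str) -> tuple[str, str]:
    """Return (verdict, reason) using nothing but the domain's spelling."""
    if domain in KNOWN:
        return ("known", "exact match in allowlist")
    # Splitting on the first dot is enough for these two-label names;
    # real code needs the Public Suffix List to find the registrable part.
    label, _, tld = domain.partition(".")
    for known in KNOWN:
        k_label, _, k_tld = known.partition(".")
        if edit_distance(domain, known) <= 1:
            return ("suspicious", f"one edit away from {known}")
        if label == k_label and tld != k_tld:
            return ("suspicious", f"same name as {known}, different TLD")
        if k_label in label:
            return ("suspicious", f"embeds the brand name of {known}")
    return ("unknown", "no similarity to any known domain")


def check_all() -> dict[str, tuple[str, str]]:
    """Run the name-only check over every domain on the slide."""
    return {d: name_only_verdict(d) for d in SLIDE_DOMAINS}


if __name__ == "__main__":
    for domain, (verdict, reason) in check_all().items():
        print(f"{domain:16} {verdict:11} {reason}")
```

Every "suspicious" row here is a false positive, since the slide's answer is that all six domains are legitimate.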
---
### ⇥ going through multiple security and trust layers
So I propose the research and product plan here. In the upcoming ETHGlobal Hackathon, I would like to build a defensive web browser that goes through multiple layers, to see how we can build trust in a website now and what we could do in the future. That may include:
---
- whois, domain name lookup
- https certificate, chain of trust
- website, integrity...
- web3 smart contract, code or audit
- web3 wallet
There are so many layers we could look into. I plan to go deep into each layer, see what we could do in a defensive security web browser, and publish my product rationale in articles.
---
Defensive Security
## Rethink Trust Model
So the whole "defensive security" idea isn't just about building a security product; it also serves as an opportunity to rethink our trust model on the web.
I've had this idea for months. It's still pretty rough and half-baked, but it's time to go build it.
Your friend,
Denken