No, this is not a ‘fundamental flaw in Web security’. It is the result of a group of Cryptobros who didn’t have a clue trying to use a system that is utterly unsuited for what they are trying to use it for.
I have been working on Web Security and payment systems for 30 years. I was part of the original CERN team that developed the Web and Principal Scientist at VeriSign when we created the Web PKI.
For the past five years, all these crypto-currency goons have been running round telling us that we are all stupid, that they will replace the global payment system, that no government can stop them and that their currency systems are invincible.
So please explain how we ‘Web/1.0’ people, whose advice was rejected, caused this screw-up?
The security goal of the WebPKI CA system, which I wrote by the way, was to make online shopping as secure as bricks and mortar shopping. Nothing more.
The system we built in the 90s would have protected against this attack. Only the Google Chrome team don’t believe authentication is important and so