A pretty fierce debate has broken out on how to do security for Web-applications (REST, WS-*, whatever). I’m gratified that it seems to have started in the comments to S for Simple. The proponents are Gunnar Peterson and Pete Lacey, and what they have to say is interesting. I think Gunnar didn’t do a good enough job of filling in one of the bases of his position, although in private email he sent me a link to a PDF from eBankingSecurity.com which is worth a look. The point is that a significant proportion of Windows PCs are compromised with trojans and keystroke-loggers and other flavors of bad-ware; significant enough that the pretty-decent transport-level security provided by TLS is immaterial. Those of us who are technically-competent and don’t use Windows can feel individually secure, but that doesn’t mean Gunnar doesn’t have a point.