Epilog:
The problem is that all of this traffic is essentially anonymous. We don't know where it's come from, where it's going to, what it contains or whether any of it is actually real or not. None of it is authenticated or digitally signed. Maybe it's about time we called a halt, and said that we have to get authenticated.
Unfortunately, this opens a huge can of worms - who do we trust to run the authentication? Ourselves? The UK government? A corporation headquartered in Pennsylvania? Microsoft? Oracle? Your mate next door who's handy with Certificate Services in Server 2003? Doesn't sound so good, does it?
Should we enforce SSL everywhere, and actually read the certificates? Well, in the past this approach could have worked, but what about now, when vendors like www.trustico.co.uk will happily sell you a do-anything SSL certificate in a few minutes for 27 quid, with far less checking than I'd like?
One thing is certain - tired old software isn't the way forward. And the same applies to tired old protocols and tired old thinking too.
