I've been writing about how to secure the Internet for almost a decade, including in this InfoWorld position paper (PDF), which gives most of the details. My proposal is this: A new Internet channel must be created to establish pervasive authentication and improved services for identifying the bad guys.
That might seem like a tall order in today's ultramalicious online world, but it can all be readily done using existing protocols and integrate with all legacy systems.
[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]
In the past, many readers have recoiled from the notion of pervasive authentication. An Internet where everyone knows who everyone else is a contentious idea. But those concerns can be addressed by having anonymous and pseudo-anonymous identities, and channels that don't mind those types of identities with less trust assurance.
In all modesty, I think the best part of my solution is a new centralized service that serves as a sort of "DNS for security."
Like DNS, the new security service would be everywhere on the Internet, available for all to us, and mostly invisible behind the scenes. I envision a centralized service that keeps track of all the bad things going on around the Internet and lets everyone else know when badness is confirmed. For example, Microsoft recently confirmed that four brand new computer brands contained malware installed at the factory -- and also discovered a single parent domain, 3322.org, hosting 500 different malware strains across more than 70,000 sub-domains.
Wouldn't it be wonderful if both the computer vendors involved and the 70,000 exploitative sub-domains were immediately announced to the world as "bad actors" so that the rest of us (and our software and computers) could respond appropriately? Much of the anti-malware world knows most of the malicious places and things on the Internet. I believe this sort of information should be freely shared with the entire world, rather than held by particular vendors.
What's needed is a new service that has the simplicity of a DNS query ("one packet sent, one packet received"), which can tell the originator whether or not a particular subject has been previously determined as malicious or not. Some vendors have already built this sort of functionality into their products. But what I'm talking about is a service the works no matter what product, operating system, or device you use.