On Improving a Protocol:
Everybody knows it, but nobody wants to admit it: HTTP is a completely broken protocol. Anybody in the world can initiate a connection with your web server and request absolutely any file or path that you may or may not have available. If you've run a web site for any amount of time, surely you've seen worm tracks and fake referrers in your logs.
You really can't fix HTTP — it's beyond repair. I'm sick of being told "just ignore malformed requests and broken links". The real solution is to throw out HTTP completely and rewrite it from scratch with authentication, authorization, and security in mind.
That might take a while though, so here are some other ideas that will tide us over.
- Require a token micropayment from everyone who requests a page. After you review the request and decide it's legitimate, you can refund the payment.
- Require an authorization step, where any incoming connection immediately receives a challenge. This could be performing a small-but-significant mathematical operation or it could be a manual response step. Anyone who performs this step successfully will be added to a whitelist and never challenged again. Of course, you can add people to the whitelist if you have regular traffic from friends or family.
- Maintain a list of filters that deny requests that conform to certain parameters. Some people prefer to reject requests that are obvious forgeries — requests that match Code Red, for example. Other people are more aggressive, subscribing to services that publish the IP addresses of known bad Internet citizens.
I think it's time we got serious about the Internet.
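
The challenge step from the second idea above, sketched as an added example (not code from the original post): the server issues a random nonce, the client must find a counter whose SHA-256 hash with that nonce starts with a set number of zero bits, and a correct answer puts the client on the whitelist. The hash puzzle, the 12-bit difficulty, the `Gatekeeper` class and keying the whitelist on the client address are all assumptions; the post names no specific operation.

```python
import hashlib
import os

DIFFICULTY_BITS = 12  # assumed work factor; the post gives no number


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def meets_difficulty(nonce: bytes, counter: int) -> bool:
    digest = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= DIFFICULTY_BITS


class Gatekeeper:
    """Hypothetical server-side state: open challenges and the whitelist."""

    def __init__(self, preapproved=()):
        self.whitelist = set(preapproved)  # friends and family, added by hand
        self.pending = {}                  # client address -> outstanding nonce

    def challenge(self, client: str):
        """Return None for a whitelisted client, else a fresh random nonce."""
        if client in self.whitelist:
            return None
        self.pending[client] = os.urandom(16)
        return self.pending[client]

    def respond(self, client: str, counter: int) -> bool:
        """Check the answer; the nonce is single-use whether or not it passes."""
        nonce = self.pending.pop(client, None)
        if nonce is None or not meets_difficulty(nonce, counter):
            return False
        self.whitelist.add(client)
        return True


def solve(nonce: bytes) -> int:
    """Client side: brute-force a counter that meets the difficulty."""
    counter = 0
    while not meets_difficulty(nonce, counter):
        counter += 1
    return counter
```

Checking an answer costs the server one hash, while finding one costs the client about 2^12 hashes on average, which is what makes the operation "small-but-significant".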