Roger Howorth

Trust proves elusive on the internet

As fraudsters become more sophisticated, users need an easy way to check the identity of web sites

Written by Roger Howorth

The trouble with the internet is that it’s unreliable, untrusted and insecure. We use some clever add-ons to the Internet Protocol (IP) to address two out of those three problems. But currently there is no widely accepted solution to the internet’s untrustworthiness.

The Transmission Control Protocol (TCP) can be used to make IP reliable: it guarantees that if you send some data over the internet you will know that it has been received properly. Likewise, SSL and the closely related TLS encryption protocols can handle the security of data in transit.

But when we click on a link do we actually end up at the site we wanted? And when we get an email is it really from the person we think it’s from? We don’t have a bulletproof protocol for verifying the identity of a web site or of someone sending email, and so we have spam and phishing.

A recent report called Why Phishing Works, by Dr Rachna Dhamija et al, reveals some interesting research suggesting the problem won’t be solved by schooling users. “Neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing,” they wrote.

The researchers also found the overall quality of bogus material makes a difference. “Good phishing web sites fooled 90 percent of participants,” they added.

Many people took more notice of sites’ animations than they did of their URL or SSL status. More worryingly, other research indicates that phishers could improve their success rate by using information about victims from social networks to personalise messages.

CA’s vice-president of security, Simon Perry, recently said we need to rethink this type of authentication. He argued that web sites should authenticate themselves to users just as users must authenticate themselves to some sites.

In a similar vein, I came across an interesting software development project called Cake, which attempts to sort out our untrustworthy internet by using public and private key pairs instead of email and web addresses.

Rather than typing URLs or email addresses, people would use public keys as addresses. New key servers could then look up the IP address associated with the public key to get its related private key, and perhaps check that the sender details are correct.

The idea is sketchy and I’m not sure anyone has found the complete answer to spam or phishers just yet. It seems that at least one new protocol is required.
