Ask security pros what they would change about the Internet if they could go back in time knowing what they know now, and most can point to a list of mistakes we could have avoided.
But according to some experts, we're still making the same mistakes today, with the development of the 3D virtual reality metaverse.
Today, most applications of virtual reality are walled gardens, training or simulation worlds run behind corporate firewalls, games, or marketing experiences.
Avatars can't teleport from one to another, and can't send messages or content from one to another, so security is not a priority.
But there are also virtual worlds built on top of open source software, and they do allow avatars to travel and content to move between worlds. The developers of these platforms, however, are academics, hobbyists, and volunteers much like the ones who built the early Web -- and, critics say, are similarly disinclined to worry about security.
Take, for example, OpenSimulator, which currently powers more than 300 public worlds and thousands of private ones with a total land area estimated at around 15,000 square kilometers, or just a little bigger than the state of Connecticut. OpenSim allows anyone to easily and cheaply set up a virtual world accessible via the Oculus Rift.
One of those worlds, MOSES, is owned by the U.S. Army, and the lack of built-in security is already creating problems.
"Security is kind of a dry subject," said Douglas Maxwell, science and technology manager at the U.S. Army's Simulation & Training Technology Center. "People really don't care about it unless they're the ones compromised."
For Maxwell, the three biggest issues are authentication, content protection and secure communications.
Today, by default, OpenSim worlds and most other virtual reality environments rely on a user name and password to authenticate local residents. Some require email confirmation before creating accounts. A very small number go beyond that.
But when they allow teleports in and out, they rely on the partner worlds for authentication. In other words, in the connected OpenSim metaverse, authentication devolves to that of the lowest common denominator.
This is because virtual worlds originally started out as either gaming platforms, said Maxwell, or social worlds like Linden Lab's Second Life.
"People who are using them for entertainment are fully entitled to pick a pseudonym, to make up any character they want and escape," he said. "But inside the enterprise, identity is critical. In the absence of seeing someone face to face, we need to have an assurance through some sort of accreditation mechanism that that is really me."
Social worlds and gaming worlds based on OpenSim don't care as much about identity, he said.