F-Secure Calls for '.safe' TLD
Rajesh writes "According to F-Secure, ICANN (Internet Corporation for Assigned Names and Numbers), the organization responsible for the global coordination of the Internet's system of unique identifiers, should introduce a .safe domain name to be used by registered banks and other financial organizations."
But wouldn't something a little more, well, financially sound be better? .safe just makes me think of child protection sites, law enforcement security boards and such.
I know .fin is taken, but how about someone put a little more thought into this one. I agree we possibly COULD use a .safe, but for other purposes.
Brought to you by King Canute. Make things happen by simply commanding them to be so!
(yes, I'm well aware that interpretation of the story is incorrect).
I just don't trust anything that comes out and says "trust me, I'm safe." This isn't a good idea, it teaches people to let their guard down as opposed to being aware of the risks of blanketly trusting a website. What if someone gets some exploit code on one of these sites? I think it'll just take a few notable hacked up website before the whole trust of .safe is lost.
As long as people continue to click on links they get in emails, and not verify that they are actually at their bank's website, then there's going to be problems with phishing. It doesn't matter if the url ends in .com, or .ca, or .safe, or .xxx. If you're clicking on links in emails and getting scammed, then changing the domain name won't help anything. I'm surprised there aren't more worms out there that change your hosts file, to show you a phishing site when you type in the actual url of your bank. I guess it really is that easy to get somebody to click on a link in an email, because they haven't resorted to more complicated methods.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
People are infallible and immune from social engineering attacks and there is no way a shady organization would ever get a .safe domain.
My twitter
Count down to the first case where a .safe domain is corrupted because of nepotism, fraud, forgery, what-have-you.
We've all heard how some corporations lose several thousands of records of personal data. What does that .safe TLD mean, in that case?
A TLD does not solve this problem. An alert user does, aided by tools like regular check-ups, challenge-response systems or cryptography.
I don't advise clicking that link.
People are still pretty dumb and easily tricked, the kind of people that get duped into putting their info in a phishing site are the same people that could be tricked by a fake URL...i.e. safe.financialsite.com or yourbank.com/safe or any other obvious ways to add safe into a URL.
In a world of acronyms, the words are the real victims.
At least then we'd know when we our browsers were being attacked. I can imagine Firefox being enhanced to flash the URL bar in red, skull and crossbones icon, etc.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I don't think so...
There will always be idiots, who will fill in their credit card information at visa.safe.ru!
09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63
until the trojan redirects the DNS which would nev..... whoops, ahh yeah but wouldn't the SSL certificate give it away you ask? not if you install your own wildcarded cert which would never hap... whoops
It's not the name that's the problem, it's educating people on the threat of phishing.
"It's true this will mean banks have to pay a premium to be able to use the domain name, [...]
OMG...how much would it cost to verify a financial institution? The domain name costs nearly nothing to maintain, only the checking -
<sarcasm>But then, of course ICANN is interested in the public good...</sarcasm>
There is a much greater need to tell when a site is NOT safe. There is a reason that URLs with IP addresses and domain names such as "www.paypal.secure.dodgydomain.info/..." are still effective. Introduction of a new TLD is not a replacement for user education.
If a .safe TLD was introduced then too many people would automatically have the assumption that their PC would never be infected from visiting a .safe site nor would its details on them ever be compromised. I don't believe anyone can say with 100% certainty that all .safe domains would be hacker proof, in fact I think hackers would be much more attracted to trying to break into .safe sites in the knowledge that people wouldn't automatically be vigilant when visiting those sites.
To do something right, you often have to roll up your sleeves and get busy.
Let us create a separate domain for phish hosts! All phishing sites must clearly identify them as phishing sites to get a chance to be listed in that domain. Of course, compliance is voluntary. It makes as much sense as the safe domain for the banks.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
This sounds a whole lot like RFC #3514 to me, except on a higher level, which makes the idea at least four years old.
Even as you read this, your pants are strangling your loins! Aaa!
Domain names are too easy to fake. That's all. Perhaps a better name system?
..I mean, after all; isit.safe? =]
insert favourite "I'm probably gonna get modded down for this" -string here.
A horse can't be sick, you know, even if he wants to.
But surely, to the inexperienced, anything can look "safe" e.g. www.urbank.safe. As others have already suggested above, it's better to educate than attempt structural changes to protect the naive.
... I don't think it will work, at least not how they think.
Many worms change your HOSTS file and there's also the good ol' DNS poisoning, so this ".safe" thing can't be 100% trusted. And if it can't be 100% trusted, we might as well stick to what we (don't) have.
If the truly want a serious attempt at this, maybe they fly someone to the institution to talk to the CEO?
The Kruger Dunning explains most post on
SURELY people have noticed that the current domains do this PERFECTLY! After all... everyone KNOWS that .org websites are ONLY organizations. And .com is ONLY commercial sites. Why, having a .safe is completely unneeded, as scammers are clearly not known organizations, and thusly could NEVER own a .org site, so therefore they must all be safe as is.
It is not the same thing. This proposal calls for whitelisting. In contrast the joke required that bad people blacklist themselves.
Enumerating badness is a bad idea from a security point of view:
http://www.ranum.com/security/computer_security/editorials/dumb/
Enumerating goodness might work, but raises many issues. Who does it, based on what criteria and how are the criteria enforced?
Why do people keep demanding the DNS to solve all the problems in the world? It's just an address book, not the solution to world hunger. Oh, maybe that is the next TLD proposal:
.endworldhunger
This is stupid, DNS is not a trustworthy system. SSL certs are used to verify a website's identity.
All this basically says is that F-Secure are idiots.
Are we really going to have to go through every argument why .xxx was a bad idea, replacing "porn" with "safe" and "perverts" with "hackers"?
quick, someone who knows regex copy the most highly modded comments from here, here, here, here and here, and save us!
That's about as brilliant as .xxx domains....
can we get a .idiot domain too?
click to login to http://mybank.safe/
Just because you assign a name or a label to something doesn't make it true. Putting an "Organic" sticker on a vegetable doesn't make it organic. Calling someone a "terrorist" and saying they are making "WMDs" doesn't make it so. There is nothing intrinsic about the TLD .safe that will make it safer than any other TLD. No matter how many times you say it or repeat or how loudly you shout it.
In a way, labels are a sort of self-fulfilling prophecy. People put labels on things in the hopes that the labels are true. This is why nobody names their child "Loser" or "Stupid". Because what if it becomes true?! Then the parents would blame themselves.
I think I am going to name my children "Nobel" and "Pulitzer".
I can throw as many stones as I wish; my house is made of transparent aluminum.
The problem with bank sites and such isn't that the sites themselves get hacked - seriously, when's the last time Wachovia or Capital One's website itself was hacked and your account info stolen from the site itself?
No, the problem is things like Phishing scams and XSS vulnerabilities and stupid users who can't tell the difference between http://www.paypal.com/ and http://www.paypal.com.scammer.cn/ or who read and follow emails from people they've never even heard of to claim their $500 gift certificate to Cracker Barrel or something equally ridiculous.
a .SAFE TLD won't make the sites any more safe, and will make them less safe, because people who don't know better will just assume that, because it's a .safe domain, it MUST be safe, otherwise it wouldn't be a .safe site, so they just go on entering all their private personal data into some bogus site.
.SAFE won't make things more safe, it will make them less, because <SPACEBALLS> Evil will always win, because Good is Dumb </SPACEBALLS>.
This space for rent. Call 1-800-STEAK4U
The usual phishing tricks will work, and they'll work even better. Phisher creates a link to a phishing site, and the text of the link will point to a ".safe" domain. Naive user is as naive as ever, and thinks "Well, I know that '.safe' means that it's a genuine site, so it's safe to click on it" and cheerfully submits his/her private identity to the phishers.
Dumb idea, game over. Next...
Tired of FB/Google censorship? Visit UNCENSORED!
This won't solve a thing. It is trivial to fake headers; apparently the author did not do his homework. I could easily set up a spam spew to send phishing email from say, www.bankofamerica.safe or the like. A better, more practical solution is to use email signing like OpenPGP or GnuPG. This is much, much harder to fake. See the Wikipedia article subsection Security quality. Bank customers simply obtain the PGP public key from the bank's website and use it to validate any email received. This will put the phishers to bed (at least for a long while) as it will be virtually impossible to fake the PGP signature. The next thing you do is educate the public about email signing and verification. It is not terribly difficult to use and deploy as there are freely available PGP plugins for popular email clients. GPG4Win is a complete installer that contains plugins for Mozilla Thunderbird, Outlook 2003, and Outlook Express. Read about it at http://www.gpg4win.org/.
On the face of it, the idea is not completely awful. As usage of the internet grows, the organization of the domain names will grow in complexity and scope.
We have .gov for the US government sites. This makes sense. All government-owned web sites are then managed in one place. We have .edu for education institutions.
.shop for on-line shops that actually sell through their web site, e.g. Amazon, TigerDirect.
Financial institutions are a major power in our society, like government, so maybe they should have a specific domain. This would make looking for a financial place predictable. "I need to find my bank's web site. Ah, I will try bankname.bank" knowing that you will at least get a real bank, and not a phishing scam built on a typo in a name.
There are other major market segments which could justify a TLD like libraries (.lib?) and medical (.med?).
We should not let a fear of abusers stop us from trying to organize things in a predictable way. With more TLD options, we could possibly avoid domain names having to be ever longer because their name was already taken.
Bearded Dragon
But it also sounds like an inviting and tempting invitation for hackers to prove that nothing is ".safe"
What next? Will someone build a ship and claim it's unsinkable? Oh wait...
A TLD doesn't make a site safe! .safe should only be allowed to sites that don't run M$ products =)
Is this supposed to work via some kind of sympathetic magic?
I've already got the calls saying "But it said I won a free Ipod." (despite the fact they didn't know what it was but thought it would make a good Christmas present) If they are that trusting of a random pop-up, imagine how easy it would be for anyone with a .safe name to rip them off. I'd have to say think of the grandparents on this one and call it a bad idea. BTW, if you disagree with me, you hate the elderly.
How about we force everyone to have a .unsafe TLD, so it would be microsoft.com.unsafe, google.com.unsafe
It would reinforce the idea that !!!NOTHING IS SAFE ONLINE!!!
I mean, how loud do we have to shout it before people finally get it?!
Let's try it a few more times:
HEY USERS!
NOTHING IS SAFE!
PEOPLE ARE EVIL!
THE INTERNET IS A BAD PLACE!
NOTHING IS SAFE ONLINE!
NOTHING!!!!! NOT EVEN PAYPAL!!!!
NOTHING IS SAFE ONLINE!
LISTEN!
NOTHING IS SAFE ONLINE!
c'mon guys, chant with me, perhaps they'll realise if we all chant together
NOTHING IS SAFE ONLINE!
NOTHING IS SAFE ONLINE!
NOTHING IS SAFE ONLINE!
damn, it's not working.
I guess people will always be stupid, no matter how many clever people try to stop them.
or just .stupididea
S-s-s-s A-a-a-a F-f-f-f E-e-e-e D-d-d-d O-o-o-o M-m-m-m A-a-a-a I-i-i-i N-n-n-n
Safe, domain!
We can register if we want to
We can leave your sites behind
'Cause your sites don't register and if they don't register
Well they're no sites of mine
I say, we can surf where we want to
A place where hackers will never find
And we can act like ICANN come from out of this world
Leave the COM domain far behind
And we can register...
workaround in 3...
2...
1...
http://secure.transaction-bankone.net/status.safe.php/
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
i wish to register un.safe!
Did we just not have a whole debacle (thrice!) over the ICANN rejecting the .xxx domain because they're "not in the business of content regulation?" I seem to remember a flurry of articles on Slashdot about this. Isn't allowing only banks and other "official" entities to use the .safe domain put the ICANN in exactly the same "business?" The only difference here is they're replacing porn sites with banks.
Surely if the authorities had kept to the rules -- .com etc for America -- we'd already have a .terror tld.
-1 not first post
In that case, I want to apply for several for my new bank, the
'TerriblySafe Bank of Switzerland, Inc'
Signed,
I M NottaHacker
P.O. Box 419
Lagos
and there's a lot more where that came from!
A: Create a new TLD!
Q: (what was the question again?)
This reminds me of the stupid radio ads for the .tv domain in the late 90's. "A .tv address means your site has the latest in exciting media technology" or some such bull. No it doesn't, it means you registered your domain name in Tuvalu!
They say the mind is the first thing to
Do most people here forget that there's a thing called a safe in most physical banks? You know, the place where they hold the money, the thing the crooks try to crack into?
Everyone is either taking this way out of context (why should this be used to whitelist sites instead of the .xxx domain or other blacklist approaches?) or there's a lot of funny going on in this topic that no one is picking up on.
Maybe .vault or .yourmoneygoeshere or .weholdyourmoney would be a lot clearer? Can we also get a .mattress mirror to entice people from the US depression era to use the 'net?
Insert Sig Here
My parents gave me the name Anonymous - It never did me any harm.
Mr. A Coward
http://goatse.safe/
which should really be http://goatse.braceyourself/
Task Mangler
Ok who can argue with this? NO, this will not stop poor application coding, XSS, SQL injection, browser bugs, etc. However, it will go a long way for someone to have a pretty good idea as to whether or not the website they are visiting is in fact that of a valid financial institution. NO it won't stop every moron from clicking a link that goes to www.sfk24ksf.cn/sexygirl44/bank.html, but what could stop those people? If everyone is trained that sites with ".bank" are valid/vetted banking sites, then there's a much higher chance they will specifically look for this. Much the same as a ".gov" domains.
Say what you want but this is a decent idea. Most of the above posts are just bizarre scenarios and mostly dismissive without real cause.
..for a .3lawssafe tld? We all know what happened there.
Go ahead! Trust us!
I know the whole point of DNS is that it's hierarchical. But with all these suggestions like ".safe for financial institutions, .xxx for porn" combined with countries with "desirable" ccTLDs selling domains (Don't get me wrong, it's their domain space and they can do what they wish. But I never knew so many English-language television companies were based out of Tuvalu), there seems little point in having a TLD-based hierarchy at all.
You may as well allow any organisation to register anything as a TLD. TBH, I think the only reason that hasn't been allowed is because the domain typo-squatting problem would be even sillier than it is today, placing a much higher level of stress on the top-level DNS servers.
They want you to have that warm fuzzy feeling knowing that everything is alright with the world as they siphon the money from your accounts.
F-Secure have a particular knack for the headline grabbing initiative don't they now? They spent considerable time and effort a few years ago warning us of the virus epidemic that would engulf mobile phones. To date we've still only seen one proof of concept virus, and that required the user to physically install it.
Meanwhile their security software is insecure: http://www.heise-security.co.uk/news/87063 - leaving a buffer overflow in your flagship security suite is a tad dumb.
F-Secure press releases should be regarded as denial of service attacks as they stop the flow of sensible information about security.
'nuff said.
Yesterday was the time to do it right. Are we having a REVOLUTION yet?
I'd make it very hard to get a domain there, and require a big wodge of money to be deposited as a security.
It's all very well to say "But users should be ultra-alert at all times, check the IP address of the website they've gone to, close all of their curtains before typing in their password and wear a tinfoil hat before thinking of their mother's maiden name." but it's not actually very useful in the real world.
Users suck - we need to design systems to ameliorate their suckiness, not demand changes in human nature.
My Journal
Hasn't it already been solved by trusted CA-signed SSL certificates? If I go to https:///.com and a warning message pops up, it would raise certain suspicions. Perhaps browsers (I mean IE) need to show more clearly than just a padlock icon that the current website is secure and has been authenticated by a trusted authority, and users need to be more aware that all financial operations must be done only on SSL-enabled websites.
Any security mechanism that relies on a consumer is inherently a bad idea. They don't perform their role. Want proof? Read http://usablesecurity.org/emperor/emperor.pdf
From reading the headline, I thought this was the converse of a .xxx domain, which actually might not be such a bad idea. Rather than try to decide what should and should not go into a .xxx domain and have to worry about censorship, you use the .safe domain voluntarily for kid stuff and offer parents/schools software to restrict kid browsing. And it would hopefully limit the will-somebody-please-think-of-the-children complaints. There would be little danger of censorship since it would be difficult to justify limiting adults to using it.
...
I'm sure it's not a new idea, and perhaps I'm missing some of its pitfalls
Imposing Libertarian views on everyone online since 1992.
In other news, I call for a '.stupid' domain.
# cat
Damn, my RAM is full of llamas.
How are they going to get people to read all the way to the end of a domain name?
Subdomain names make a joke out of this idea of a ".safe" TLD.
Cassandra:
(Greek character cursed to see the future but have no one believe her)
Clever:
It is one type of clever to see that the world is different from the one other folks are acting towards.
It is another to understand why they are acting as they do. Sometimes it is actually ignorance, but not as often as we often suspect. Rarely is it stupidity.
Incompetence, for example, has more to do with considering the appearance of action more important than the consequences.
Social or even contractual forces can mean that while something might be clearly very unsafe, to act otherwise would be to implicitly accuse someone else of being incorrect. This is very hard for some people.
It is a completely different kind of clever to be able to convince folks of stuff - presumably after having identified the actual problems, and some real reasons the folks had for overlooking them.
Risk:
Analysing risk is something humans do amazingly, shockingly, poorly. Even without the bizarre political portrayals shown in the news media we (humans) cannot think about risk clearly. Without studying gambling in depth, it is extremely hard for folks to decide on actions when 'playing' - even when the odds are known and the results openly available.
Bruce Schneier, as usual, has an insightful rant^Hessay on the topic, The Psychology of Security: http://www.schneier.com/essay-155.html
Chanting:
Lastly, just let me imagine how you would respond if someone repeated 'Nothing is safe online!' several times at you. You might think: 'But, I thought that already - why are they repeating it rather than explaining, expanding... now I am sceptical - what are they selling? Now I need to re-check my previous assumption that the internet was unsafe, and figure out exactly where, how badly and even 'if' the internet is unsafe.'
Personally, repetition freaks me out. I almost get a panic response. I can't watch TV, listen to the radio, or play WoW without risking intense stress. I have noticed that most folks are not affected this way, however. They will eventually find it irritating, but not as quickly as I would hope... and what's more, in the meantime they are slightly hypnotized - often coming away with the words and idea still spinning in their heads. This is normal folks in regular situations, not brain-damaged, stoned, tired, stressed or otherwise overly impaired humans - ie: not the ones we usually call stupid.
Most of the phishing scams I have seen use either the IP address or the domain of the phishing webpage itself. Having the banks use .safe would be as effective as having banks not use their IP addresses, .nl, .kr, .ru, and a few other domains that phishers use. People already give away their information to totally bogus addresses, so how does using .safe make one iota of difference?
Ironically, this is *exactly* what secure certificates were supposed to do, remember? Prove who you are to verisign and they'll give you a certificate so that anybody who comes to your site can see that verisign has verified that it's you.
Such a system will serve *only* to enrich whoever is the verifier.
Period.
Do you have ESP?
...I haven't tried yet, I mean, we already tried the locker combination.
Then there's the girls who wear t-shirts that say "Cutie". If you really are a "cutie", you don't have to wear a label to tell us that you are. It therefore follows that the people who wear those shirts are roughly as "cute" as politicians are trustworthy.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
...will work out just great
Unlike most special purpose new TLD proposals, this isn't immediately and obviously blatantly stupid.
However, it may introduce a false sense of security when faced with a server compromise, client-side spoofing (URL bar replacement, etc) or client compromise (hooray for spyware!).
Nonetheless, this is about 1/0 times smarter than the .xxx TLD, the problems with which were astounding given the proposed "benefits" of it.
A .safe domain will give scammers and idiots more ammo and less reason to actually care about security.
Kind of like these people:
http://finalizetoday.com/secureapp.html
Notice how they call their form "secureapp.html" in order to give someone a false sense of security so they can go ahead and fill out the form with their social security number. Then submit it to an unencrypted action.
Because you just know that www.mybank.safe.ru isn't going to fool ANYONE because after all is SAYS "safe" in the URL! Wait, did I just contradict myself? This internet is hard.
This is about as good an idea as RFC 3514 describing the Evil Bit. Like 3514, it'll essentially guard you against unwitting interaction with the people you don't have to worry about unwitting interactions with. The bad guys will, of course, ignore the rules and hijack .safe names to host decidedly unsafe content. But we knew this.
Don't you just love homonyms?
http://en.wikipedia.org/wiki/Safe
NOT
http://en.wikipedia.org/wiki/Safety
If /. geeks are getting this confused, I can see how the average banking customer would be misled. How about a .bank, .money, or .finance TLD? We already have .travel and .mobi.
IMHO, there should be a much more defined domain hierarchy, like the way dmoz is structured.
Have you driven a fnord... lately?
Will United Nations have one too?
Say, UN.safe
Carbon based humanoid in training.
The only purposes that can be served by creating additional top level domains is to increase revenue for registrars.
If you mod me down, I shall become more powerful than you could possibly imagine.
My concern with a .safe domain is that casual users can be further lured into a false sense of security. Phishers are all too clever at masquerading as legitimate enterprises and they will be all too happy to prominently display links that appear to lead to a .safe domain when in actuality the underlying link routes to a disreputable offshore domain for information harvesting.
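A check for the two tricks this thread keeps coming back to: link text that advertises a .safe host while the href goes somewhere else, and "safe" used as a mere subdomain label (www.mybank.safe.ru, safe.financialsite.com). This is an added example, not code from any commenter or from F-Secure; the email body below is constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style mail body built from the tricks named in the thread.
SAMPLE_EMAIL = """<p>Dear customer, please confirm your details:</p>
<a href="http://secure.transaction-bankone.net/status.safe.php">click to login to http://mybank.safe/</a>
<a href="http://www.mybank.safe.ru/login">http://www.mybank.safe.ru/login</a>
<a href="https://www.paypal.com.scammer.cn/">www.paypal.com</a>
<a href="https://www.paypal.com/">PayPal</a>"""

# Something that looks like a URL or a hostname inside the visible link text.
_HOSTLIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL or bare host string, or None if there is none."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower().rstrip(".") if host else None


def claimed_host(text):
    """The host a link's visible text pretends to lead to, or None for plain words."""
    match = _HOSTLIKE.search(text)
    return host_of(match.group(0)) if match else None


def safe_label_bait(host):
    """True when 'safe' is just a label and the real TLD is something else."""
    labels = host.split(".")
    return "safe" in labels[:-1] and labels[-1] != "safe"


def audit_links(html):
    """Return (real_host, problem) pairs for every suspicious link in the HTML."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        if not real:
            continue
        claimed = claimed_host(text)
        if claimed and claimed != real:
            findings.append((real, "text claims %s but the link goes to %s" % (claimed, real)))
        if safe_label_bait(real):
            findings.append((real, "'safe' is only a subdomain label; the real TLD is .%s"
                             % real.rsplit(".", 1)[-1]))
    return findings


if __name__ == "__main__":
    for host, problem in audit_links(SAMPLE_EMAIL):
        print("%-32s %s" % (host, problem))
```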
They should just go ahead and request the .stupid TLD while they're at it...
Yes Francis, the world has gone crazy.
Yes, lets make this, then charge arseloads of money for a meaningless cert so that it can be just like a Verisign/et al SSL cert - all you need is money and the average joe that only knows to look for the "safety lock/https" - making "http://please_hijack_my_machine.safe" just as reputable as Bank of America.
And you'd have a bitch of a time restricting it to legitimate banks such as only companies such as Bank of America, etc in the manner of how .gov or .mil is restricted, because how do you prove that the small-time bank isn't legitimate? You'd instantly have a load of bankers suing ICANN for what would effectively be state-sponsored anti-competitive business practices - "Oh, you can't cough it up? Sorry, you're no longer as respectable as you were before..."
What happens when you get a poisoned DNS cache? When something .unsafe modifies your hosts file? When the TLD's DNS is hacked?
As long as you've got a human coming up with ideas to screw you over, you need a human to realize that someone is trying to screw you over.
--<Mike>--
Short for "financial". It's perfect.
i.e. .bank or .law? .safe is too general. The argument is somewhat ok considering admission into the .safe domain would require some form of intensive registration (i.e. extensive interviews, tour of brick and mortar facilities.). It's sort of like the .kids domain /.ers were pitching around in response to .xxx
On the other hand, don't we already have Verisign and Thawte giving secure certificates?
Not safe as in free from danger or harm, but it is safe as in a secure metal box. We're talking about banks here.
Of course, it is still a useless idea of having a "safe" TLD.
Well, almost as stupid as
alias rm='rm -i'
(But not quite)
What better way to almost ensure that your site gets hacked than by using a .safe domain. Why not just call it .un.hackable? I can just read the first headline "So... you think you're .safe?"
this would of course never work, all those discombobulated URLs would say .safe but would still lead to the same pain. also define financial institution.... I bet all of a sudden it's a different costly regulatory environment in some obscure pacific island when you want to become one to the environment that prevails in the city of London.
on the other hand the .xxx tld was a fantastic idea, you would absolutely know what you were looking at as the naughtiness is opt in not opt out, I bet within weeks any non-.xxx domain would see traffic dwindle, apart from those sites that couldn't get a .xxx tld so catching the really evil sites would be much easier.
Just naming something safe will not make it safe. Also this could give the clueless masses the illusion that the site IS safe at all times, when in fact the site is just as secure without it, or just as insecure as it is with it.
Worthless idea, and I hope it gets shot down.
TruePunk | Games
I mean, there are only so many companies interested...
schwab.safe
proway.safe
phoenix.safe
fireking.safe
sentry.safe
Maybe a two dozen max?
Atheism is a non-prophet organisation
Corrupt ICANN and the authorities have always known the answer for authenticating registered trademarks e.g. barclays.bank.uk.reg
;)
So user could enter this URL directly or barclays.co.uk could be redirected to this as certificate of authentication.
Obviously, this would work for all other trademarks in other goods or service (called classification) e.g. apple.computer.us.reg
Please visit http://wipo.org.uk/ - not connected with the crooks at UN's WIPO.org
Smells like just another way for the registrars to sell you your domain name all over again.
Have gnu, will travel.
1. Buy sex.safe
2. ???
3. Profit
Finally an end to Internet scams!
In seriousness, there might be some helpful conventions or standards that could be adopted, but a top-level domain is purely cosmetic. Plus if you think of banks as 'trustworthy'....
Industries with special needs should band together and set up their own CA with membership monitored by their own trade group or (in the case of regulated industries) the appropriate regulator. I'd feel a lot better about a web page or e-mail from my stock broker if it was signed by a certificate traceable to the SEC or NYSE than to trust the same outfit who issues p0rn domains to hand out .safe names.
Have gnu, will travel.
My bank gave me a small calculator-like thingy. I insert my bankcard, enter the challenge shown on the website and my PIN, and it shows me a response. I can enter the response in www.nigerianscam.biz, and still be safe.
10 ?"Hello World" life was simple then
Once upon a time, domains were safe. You would not be able to get a .com second-level domain unless you were a legitimate commercial business in the USA. And you would not be able to get a .org domain unless you were a legitimate organization in the USA. This ended when Network Solutions (now Verisign) got to manage those TLD's and they got to charge for second-level domains. Network Solutions chose not to enforce those restrictions. After that everyone was able to register a second-level domain in .com, .org and .net. This maximized Network Solution's revenue. But the internet got to live with things like domain-hoarding and phishing.
A decade later, ICANN created .biz with the intention that only legitimate commercial entities were allowed there. And once again, the manager of the TLD decided not to enforce those restrictions. I guess more domains means more money for the registry. The .biz TLD never took off anyway.
I see by the article that several chinese ISP's were asked to take down phishing sites, but refused.
...
To me that's the time to apply the internet death penalty, where the root DNS servers refuse to give out the addresses of the offending domains.
We did it to Korea a couple of times, with temporarily mixed results, but IMO the takedown (I think it was only 3 days) wasn't of sufficient duration to really get their attention.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Message from Our Sponsor on ttyTV at 13:58
Without better certification standards, it won't help.
The SSL certificate industry has created something of a mess. In the beginning, it was reasonably hard to get an SSL certificate; you actually had to demonstrate business existence. Standards have since declined considerably.
We've been doing some automatic SSL certificate checking, and we keep finding dirty laundry. State name instead of ZIP code in the "postal code" field. Even incorrect corporate registration numbers in "extended validation" certificates. And this is in certificates where the information has supposedly been validated by the issuer. One major certificate issuer, asked about this, replied "That's what the customer put there", which gives a hint as to the amount of "checking" going on.
"Domain only" certificates, with no business address, have essentially no value. They shouldn't even turn on the lock icon in browsers.
"Extended validation" certificates actually have what ought to be a decent validation system, but they're incredibly overpriced. $1000 per year is overpriced, considering that all they're doing is validating corporate identity.
It's not that hard to do this right. The way it should work is that, when someone signs up for an SSL certificate of any kind, they have to give the business identity of the business. That's looked up in the appropriate government records, and a passcode is sent by mail to the address associated with the business. For a corporation, the address for service of process is used, which gets it to the company's attorneys. Issuance of the SSL certificate should only happen once that passcode has been entered. This is cheap to do. You need a physical mailing operation, but that can be outsourced easily to any major direct mail firm. For Extended Validation certificates, use FedEx or registered mail, so delivery confirmation comes back.
In fact, domain registration should work like that. When you register a domain, you should get postal mail back with an authorization code, and the domain doesn't go into DNS until that authorization code is input. If you're in a hurry, you can pay extra and get the authorization code sent by FedEx Overnight. This should add about $3 to the cost of registering a domain, and the Whois data would get much better.
If we can get the certificate mess under control, the next step is something in the browser's user interface that prevents putting a credit card number, recognized by its format, into a form field unless the page is secure. That might be worth putting in Firefox.
Meanwhile, over at SiteTruth, we're trying to attack this problem via search rating: lack of valid business identity + selling something = low ranking. We're still at the proof of concept stage, but it looks promising.
"Why should it be the bank's responsibility to tell the customers, "It is not a good idea to paint your user name and password on the side of your home in 26-inch high letters"."
It is, because just a simple username and password for something like banking is like putting things in a safe and leaving the key on the hook next to it.
You need at least two way authentication, using a secure token, SMS feedback, a list of secure numbers etc. All these have been used by the Dutch banking industry and afaik NO bank has ever relied just on username password. All do two factor transaction based authentication.
I am not saying that this will fend off all attacks but most attacks from bogus sites will definitely be stopped. Anyway, what's the difference between e.g. a bogus site and a DNS-attack? How can *you* be sure that you are talking to your bank? Believe me, just relying on the certificate may not be enough.
How about a:
.spam domain for spammers
.squat domain for domain squatters
.spybots domain for RIAA and MPAA searchbots
.pr0n for sex sites (Congress won't realize what it is so won't ban it like .xxx)
.massmedia for press releases and interviews with spin doctors
.monopoly domain for ICANN and VeriSign
Maybe we should add a .lame while we're at it.
Slashdot = -1 Redundant, Asperger, kdawson FUD, Libertarian, and Linux
nothing on the net is truly secure... maybe creating auditable standards for online money handlers and then giving those that demonstrably meet those standards a .safe designation is not a bad idea.
.safe does not meet my standards for such a program.
yes, they will get more black hat attention because of the extension... but if they are hacked you revisit the auditable standards and identify where they failed, or if it was the implementation that failed, etc...
either way, I am sick and tired of not knowing what security standards online businesses hold themselves to. voluntary participation in a certification system would go a long way to making me more receptive to the online exchange of my money.
that being said, the current thinking behind
regards
You are describing something similar to Extended Validation SSL Certs. Extended Validation certs are actually better since they are built on an existing infrastructure, use public-key crypto, and there's no single point of failure hosting a list of secure sites.
Of course, since Verisign is involved, the plan is probably doomed.
Just you wait... the United Nations will beat you to it.
Ha HAH! Irony!
I'd just like to see honesty in TLDs. Where's the .con and .irk sites?
This post © Copyrite Duggeek, all rights reversed.
I can enter the response in www.nigerianscam.biz, and still be safe.
Can't they request the challenge from the real site, give it to you, get your response and then feed your response back to the real site?
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
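The relay question just asked, and the transaction-based two-factor readers the Dutch-bank posters describe above, as an added Python simulation that is not any poster's code: a bank side that issues single-use challenges, a reader that either signs only the challenge or also signs the payee and amount keyed into it, and both a normal payment and the relayed-challenge case run against each. The shared card secret, the HMAC-SHA256 code derivation and the transaction strings are constructed for the demo and are not any real bank's reader protocol.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared by the bank and the chip card in the reader (not a real scheme).
CARD_SECRET = b"constructed-demo-card-secret"

def token_response(card_secret: bytes, challenge: str, txn: str = "") -> str:
    """Simulated card reader (PIN already entered): a plain reader signs only the challenge
    (txn == ""); a transaction-bound reader also signs the payee and amount keyed into it.
    HMAC-SHA256 truncated to 8 digits is a demo assumption, not a real reader protocol."""
    mac = hmac.new(card_secret, f"{challenge}|{txn}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Bank:
    """Bank side: issues single-use challenges and checks responses with the card secret."""

    def __init__(self, card_secret: bytes, bound: bool):
        self.secret = card_secret
        self.bound = bound    # must the response cover the transaction details?
        self.pending = {}     # challenge -> transaction it was issued for

    def issue_challenge(self, txn: str) -> str:
        challenge = secrets.token_hex(4)
        self.pending[challenge] = txn
        return challenge

    def verify(self, challenge: str, txn: str, response: str) -> bool:
        issued_for = self.pending.pop(challenge, None)   # pop: a challenge is single-use
        if issued_for is None or issued_for != txn:
            return False
        expected = token_response(self.secret, challenge, txn if self.bound else "")
        return hmac.compare_digest(expected, response)

def legitimate_payment(bank: Bank, txn: str) -> bool:
    """Customer on the real site confirms their own transfer with the reader."""
    challenge = bank.issue_challenge(txn)
    response = token_response(CARD_SECRET, challenge, txn if bank.bound else "")
    return bank.verify(challenge, txn, response)

def relayed_challenge(bank: Bank) -> bool:
    """The case asked about in the thread: a bogus site obtains a challenge from the real
    bank for its own transfer, shows it to the victim and relays the reply it gets back."""
    attacker_txn = "payee=ATTACKER-ACCT;amount=9000"
    challenge = bank.issue_challenge(attacker_txn)
    # With a transaction-bound reader the victim keys in what they believe they are
    # paying; the reader never signs a payee and amount the victim did not type.
    victim_input = "payee=UTILITY-CO;amount=50" if bank.bound else ""
    response = token_response(CARD_SECRET, challenge, victim_input)
    return bank.verify(challenge, attacker_txn, response)   # True only for the plain reader
```

The plain challenge-only reader accepts the relayed transfer; the transaction-bound reader rejects it because the code it produced covers the payee and amount the victim actually typed, which is why a reader that only echoes a challenge is the weaker of the two designs.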
When are these folks going to learn that ".safest" = disconnected ?
Ok, fine, they create a .safe domain. Then they start blocking access from .coms. .nets. And
And their customer base...
How is "remember that .safe is safe to go use!" able to instill a sense of security that "if it doesn't say https://[your bank].tld, call your bank to make sure".
I admit that the .safe name invites skeptical reactions but the idea of having a TLD for which you have to pony up credentials to be a part of is not a bad idea. We do something similar for SSL certificates though the protection has become somewhat diluted. It won't solve phishing all on its own but having a secure point of reference for web sites would be a good start and really a pre-requisite for a total solution to phishing.
Frankly I am surprised that Slashdotters have poo pooed this idea. Then again maybe I am just naive.
Notice the date on the original article: http://www.f-secure.com/f-secure/pressroom/news/fs_news_20070329_1_eng.html
Could this be perhaps an April Fool's press release that just got released a few days early so the date did not scream "April 1, 2007"?
How about a .sorry TLD? That'd give me a better URL. Well, I might as well just buy an AOL keyword.
...so I could use the subdomain better.sorry.than.safe.
...but as Americans, we wish to feel safe and protected, and are willing to give up whatever rights we still have that haven't already been converted into privileges.
Oops, that's old news, could have been written at the close of the 18th Century, or again during the 1920's Red Scare, or again during the Cold War, when the terrorists were the good guys.
I am strongly against this. We do not want the Internet domain naming group deciding which organizations are allowed (approved?) to manage financial resources. If not them, then who? As it stands now, each government in local areas makes this decision, and that is just fine.
Some things do not need a single global ruleset, and financial resource management is one.