Slashdot Mirror

← Back to Stories (view on slashdot.org)

F-Secure Calls for '.safe' TLD

Posted by CmdrTaco on from the internet-laughs-at-f-secure dept.

Rajesh writes "According to F-Secure, ICANN (Internet Corporation for Assigned Names and Numbers), the organization responsible for the global coordination of the Internet's system of unique identifiers, should introduce a .safe domain name to be used by registered banks and other financial organizations."

25 of 243 comments (clear)

  1. Maybe its just me.. by mulvane · · Score: 3, Insightful

    But wouldn't something a little more, well, financially sound be better. .safe just makes me think of child protection sites, law enforcement security boards and such. I know .fin is taken, but how about someone put a little more thought into this one. I agree we possibly COULD use a .safe, but for other purposes.

    1. Re:Maybe its just me.. by BDPrime · · Score: 2, Insightful

      The article suggests .bank as well. That could be OK, but what about financial firms that might not consider themselves banks?

    2. Re:Maybe its just me.. by eln · · Score: 3, Insightful

      Or financial sites that studiously avoid calling themselves a bank, even though they clearly are one, in order to avoid being regulated like a bank. Such as Paypal.

      Also, .safe is just asking for trouble. It gives people an even greater false sense of security than they already have about "secure" websites. Might as well just call it .lawsuit-magnet.

  2. As a matter of principle... by rlthomps-1 · · Score: 5, Insightful

    I just don't trust anything that comes out and says "trust me, I'm safe." This isn't a good idea, it teaches people to let their guard down as opposed to being aware of the risks of blanketly trusting a website. What if someone gets some exploit code on one of these sites? I think it'll just take a few notable hacked up website before the whole trust of .safe is lost.

    1. Re:As a matter of principle... by epiphani · · Score: 2, Insightful

      What if someone gets some exploit code on one of these sites?

      Why, F-secure can offer a service to make sure this doesn't happen! In fact, why not just say F-secure is responsible for validating sites in this TLD. That would be great.

      The idea isn't really flawed, but the source is questionable. Its like a company that makes carbon filtering equipment says that all power plants should meet X carbon emissions. Great idea, not news, and blatantly self-serving.

      --
      .
  3. Not going to help by CastrTroy · · Score: 2, Insightful

    As long as people continue to click on links they get in emails, a not verify that they are actually at their bank's website, then there's going to be problems with phishing. It doesn't matter if the url ends in .com, or .ca, or .safe, or .xxx. If you're clicking on links in emails and getting scammed, then changing the domain name won't help anything. I'm surprised there's not more worms out there that change your hosts file, to show you a phishing site when you type in the actual url of your bank. I guess it really is that easy to get somebody to click on a link in an email, because they haven't resorted to more complicated methods.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  4. Because you know by dctoastman · · Score: 5, Insightful

    People are infallible and immune from social engineering attacks and there is no way a shady organization would ever get a .safe domain.

    --
    My twitter
    1. Re:Because you know by Anonymous Coward · · Score: 1, Insightful

      Sorry, I used HTML formatting instead of plaintext. Here it is again, and without advantage of extra points for the submission:

      Yes, social engineering seems to work even when the e-mails they get "from their bank" (yeaaaaah...) says:

      "Hello, me is the president of AOL, aiiight! Yo usaz out there shou' know there are some issuez with our website right now. You must go to this link and fill in your credit card number so we can get you back yo numbaz!

      Chill!
      The president of your bank"

      I have seen one of the bank e-mails that people were tricked by. It was a big joke how incompetent it was written. Clearly people don't read them thoroughly and know nothing about the fact that professional e-mails are usually spell-checked and grammar-corrected before sent to thousands of customers.

      I laughed loud at the idiots who actually fell for it (we're not talking about a copy from a Paypal letter that had changed it hyperlinks but rather a text written badly from scratch), very obvious it was a fake e-mail. So immensly obvious :). What's wrong with people? Even more, I wasn't even a customer of their bank but still got the e-mail, so that raised an alert before even reading that text through.

  5. Countdown... by Yoozer · · Score: 5, Insightful

    Count down to the first case where a .safe domain is corrupted because of nepotism, fraud, forgery, what-have-you.

    A TLD does not solve this problem. An alert user does, aided by tools like regular check-ups, challenge-response systems or cryptography.

    We've all heard how some corporations lose several thousands of records of personal data. What does that .safe TLD mean, in that case?

  6. Great but... by otacon · · Score: 4, Insightful

    People are still pretty dumb and easily tricked, the kind of people that get duped into putting their info in a phishing site are the same people that could be tricked by a fake URL...i.e. safe.financialsite.com or yourbank.com/safe or any other obvious ways to add safe into a URL.

    --
    In a world of acronyms, the words are the real victims.
    1. Re:Great but... by l0b0 · · Score: 3, Insightful

      A lot of people seem to be completely oblivious to URLs. You could use insecure.stayaway.ng/porn without raising suspicion from *pulls out a number* 83% of the population.

  7. How will it protect users from their own idiocy? by 140Mandak262Jamuna · · Score: 4, Insightful
    People respond to phishes and Nigerian scams and give all their usernames and passwords voluntarily without ever touching their banks or the safe domains. How can banks protect against such users? Why should it be the bank's responsibility to tell the customers, "It is not a good idea to paint your user name and password on the side of your home in 26inch high letters".

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Will this really make a difference? by FredDC · · Score: 3, Insightful

    I don't think so...
     
    There will always be idiots, who will fill in their credit card information at visa.safe.ru!

    --
    09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63
  9. Thats all well and good by Anonymous Coward · · Score: 1, Insightful


    until the trojan redirects the DNS which whould nev..... whoops, ahh yeah but wouldnt the SSL certficate give it away you ask ? not if you install your own wildcarded cert which would never hap... whoops

    its not the name thats the problem its educating people on the threat of phishing

  10. Is it useful? by efence · · Score: 4, Insightful

    There is a much greater need to tell when a site is NOT safe. There is a reason that URLs with IP addresses and domain names such as "www.paypal.secure.dodgydomain.info/..." are still effective. Introduction of a new TLD is not a replacement for user education.

  11. Assumptions by hack++slash · · Score: 2, Insightful

    If a .safe TLD was introduced then too many people would automatically have the assumption that their PC would never be infected from visiting a .safe site nor would it's details on them ever be compromised. I don't believe anyone can say with 100% certainty that all .safe domains would be hacker proof, in fact I think hackers would be much more attracted to trying to break into .safe sites in the knowledge that people wouldn't automatically be vigilant when visiting those sites.

    --
    To do something right, you often have to roll up your sleeves and get busy.
    1. Re:Assumptions by geekoid · · Score: 2, Insightful

      True, but it would decrease risk, which what security implementation is really about.

      They would need to implement some tough rules for who can register them for it to have a chance of working. Smething I don't think they have the backbone to do.

      All this assumes people actually look at where a link goes before clicking it.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  12. Oh God, Not Again! by user24 · · Score: 2, Insightful

    Are we really going to have to go through every argument why .xxx was a bad idea, replacing "porn" with "safe" and "perverts" with "hackers"

    quick, someone who knows regex copy the most highly modded comments from here, here, here, here and here, and save us!

  13. This is a great idea, I'm sure it'll work by mrwiggly · · Score: 3, Insightful

    click to login to http://mybank.safe/ </a>

  14. Putting a label on something doesn't make it true. by The+Media+Mechanic · · Score: 1, Insightful

    Just because you assign a name or a label to something doesn't make it true. Putting an "Organic" sticker on a vegetable doesn't make it organic. Calling someone a "terrorist" and saying they are making "WMDs" doesn't make it so. There is nothing intrinsic about the TLD .safe that will make it safer than any other TLD. No matter how many times you say it or repeat or how loudly you shout it.

    In a way, labels are a sort of self-fulfilling prophesy. People put labels on things in the hopes that the labels are true. This is why nobody names their child "Loser" or "Stupid". Because what if it becomes true?! Then the parents would blame themselves.

    I think am going to name my children "Nobel" and "Pulitzer".

    --
    I can throw as many stones as I wish; my house is made of transparent aluminum.
  15. .safe will be even more unsafe by IGnatius+T+Foobar · · Score: 2, Insightful

    The usual phishing tricks will work, and they'll work even better. Phisher creates a link to a phishing site, and the text of the link will point to a ".safe" domain. Naive user is as naive as ever, and thinks "Well, I know that '.safe' means that it's a genuine site, so it's safe to click on it" and cheerfully submits his/her private identity to the phishers.

    Dumb idea, game over. Next...

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  16. On the face of it... by Ngarrang · · Score: 3, Insightful

    On the face of it, the idea is not completely awful. As usage of the internet grows, the organization of the domain names will grow in complexity and scope.

    We have .gov for the US government sites. This makes sense. All government-owned web sites are then managed in one place. We have .edu for education institutions.

    Financial institutions are a major power in our society, like government, so maybe they should have a specific domain. This would make looking for a financial place predictable. "I need to find my bank's web site. Ah, I will try bankname.bank" knowing that you will at least get a real bank, and not a phishing scam built on a typo in a name. .shop for on-line shops that actually sell through their web site. eg. Amazon, TigerDirect

    There are other major market segments which could justify a TLD like libraries (.lib?) and medical (.med?).

    We should not let a fear of abusers stop us from trying to organize things in a predictably way. With more TLD options, we could possibly avoid domain names having to be ever longer because their name was already taken.

    --
    Bearded Dragon
    1. Re:On the face of it... by digitalhermit · · Score: 2, Insightful

      For the most part, I agree with this. It's funny how DNS is starting to look like the original LDAP recommendations on the name hierarchy. LDAP went from an organization based hierarchy to schemas that started looking at lot like the DNS TLDs. And DNS itself may start looking at lot like how LDAP was. As more companies are becoming international, the idea of arbitrary geographical boundaries to information and yes, commerce, seems somewhat quaint.

  17. Not only that... by Pollux · · Score: 4, Insightful

    But it also sounds like an inviting and tempting invitation for hackers to prove that nothing is ".safe"

    What next? Will someone build a ship and claim it's unsinkable? Oh wait...

  18. the answer by CrazyBrett · · Score: 3, Insightful

    A: Create a new TLD!
    Q: (what was the question again?)