F-Secure Responds To Criticism of .bank
Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."
"you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains"
Nah, they use real .gov domains instead.
Seriously tho, when it comes to banks they're even harder than governments to tell apart the good guys from the bad guys. Banking regulations are not at all the same over the world, and I suspect it might not be that hard for serious phishers to get a 'real' bank registered in some less regulated country. And would .bank deny registration to Offshore Islands Phishermens Bank? Just now I got a Google ad advertising 140 Russian banks for sale...
The very idea that security vendors would automatically trust anything just because it had a special domain or a special designation has me wondering how seriously they've tried to break their own idea.
Further, F-Secure validating all sites under a domain doesn't need a new TLD, they could just as well register .bank.us and verify everyone under that (and, hey, just validate US banks under it, just so we have a less wide definition of the word 'bank').
Of course, the trouble with both certificates and validated domains is essentially that you get more profit the less you validate and the more customers you accept. Which means it's not in the provider's actual financial interest to do what they say they do. Which is why we have Verisign and co suggesting brand-spanking-new extraspecial validated certificates. Which they have all the incentive to turn into crap and then come up with yet another, extraextraspecial validated... etc.