Slashdot Mirror


New .secure Internet Domain On Tap

CowboyRobot writes "A new top-level domain (TLD) in the works for the Internet will bake security in from the outset: The .secure domain will require fully encrypted HTTPS sessions and a comprehensive vetting process for websites and their operators. If the new domain takes off, it could shift the way Web domains are secured. ICANN is expected to sign off on .secure, and for the new TLD to be up and running June or July 2013."

129 comments

  1. Call me back in a month ... by Barbara, not Barbie · · Score: 1, Troll

    ... when it's hacked.

    --
    Let's call it what it is, Anti-Social Media.
    1. Re:Call me back in a month ... by BackwardPawn · · Score: 4, Funny

      Might as well just name it .hackme

    2. Re:Call me back in a month ... by Anonymous Coward · · Score: 4, Informative

      And it's this type of attitude that will kill it. They're not claiming it to be bulletproof or perfect, only that they're enforcing a number of currently available security protocols that are optional in the general internet, and difficult to figure out if they're actually in use. So if you're on a .secure domain name, it doesn't mean the site is unhackable, but it does mean that you resolved the domain via DNSSEC, and that your connection is over SSL, and that the SSL certificate was reasonably vetted. Unfortunately, this doesn't solve the fundamental problem that understanding network security requires some knowledge, and so some day some site on this TLD will get hacked, and every shitty news organization on the planet will talk about how .secure is worthless, and it will die.

    3. Re:Call me back in a month ... by Barbara, not Barbie · · Score: 2

      All this is going to do is encourage a false sense of security - after all, the chain of security is only as strong as the weakest link, and there are plenty of weak links, starting with the end users and their computers.

      "But how was I to know that drivebydownload.secure serves up malware? Or that russianbusinessnetwork.secure would resell my credit card info?"

      --
      Let's call it what it is, Anti-Social Media.
    4. Re:Call me back in a month ... by AngryDeuce · · Score: 1, Troll

      Yeah, but the idiots will think it is an impenetrable shield. All this kind of shit does is encourage risky behavior by instilling a false sense of security when there is none.

    5. Re:Call me back in a month ... by Anonymous Coward · · Score: 3, Interesting

      So by that logic, you shouldn't be allowed to advertise anything as "secure" because nothing is 100% secure, but if you call something secure then stupid people will assume it is impenetrable. I mean, the security system on my house doesn't turn it into an impenetrable bunker, but it does increase my security, and no one has a problem with it being referred to as a "security system", so how is this different?

      The fundamental problem is that while everyone realizes that there's no such thing as perfect security in the real world, the vast majority of the nontechnical population seems to have this ridiculous assumption that there is such a thing as perfect security on the internet. And to make it worse, they assume that such security requires no effort or knowledge on their part. It gets frustrating that those of us who do understand these concepts are constantly being handcuffed by the people who don't.

    6. Re:Call me back in a month ... by Tridus · · Score: 4, Insightful

      And we can do all that now without paying ICANN extra fees or creating the illusion that it's "secure" because the address says so. Which is exactly what end users and the media are going to believe.

      What we really need to do is rein ICANN in and stop this kind of nonsense.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    7. Re:Call me back in a month ... by MightyYar · · Score: 1

      Who needs to hack it when there is already a secure.ru domain? It's already shady as hell - won't even let you in unless you let it set a javascript cookie.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    8. Re:Call me back in a month ... by makomk · · Score: 2

      Except it doesn't mean that at all, because all those technologies are backwards-compatible. So any client that doesn't know about .secure should quite happily resolve .secure domains without using DNSSEC and connect to them over plain, unencrypted HTTP. In fact, I expect that in practice most clients won't validate DNSSEC because otherwise it'll break access to .secure sites on networks which don't support DNSSEC and their users will complain.

    9. Re:Call me back in a month ... by Anonymous Coward · · Score: 1

      RTFA, this is one of the TLDs being sold to private corporations. ICANN will not be running .secure, it's being applied for by Artemis Internet Inc.

    10. Re:Call me back in a month ... by Anonymous Coward · · Score: 1

      Except the DNS servers for this domain will only respond to DNSSEC queries, and the sites will only be hosted over SSL. RTFA.

    11. Re:Call me back in a month ... by Anonymous Coward · · Score: 0

      What we really need to do is to stop modding retards like you insightful. This isn't an ICANN initiative.

    12. Re:Call me back in a month ... by Anonymous Coward · · Score: 0

      ... or when someone reveals that it's just an elaborate plot to lull you into thinking you're safe by sophisticated black hats wearing monocles.

    13. Re:Call me back in a month ... by Joce640k · · Score: 2

      "But how was I to know that drivebydownload.secure serves up malware? Or that russianbusinessnetwork.secure would resell my credit card info?"

      Even the summary says "vetting process for websites and their operators"...

      --
      No sig today...
    14. Re:Call me back in a month ... by nullchar · · Score: 1

      Uh, no. All of these new gTLDs (generic top level domains) will be "sponsored" by ICANN and run by various registries (private corporations or public ones) under an ICANN agreement. The agreements are periodically "refreshed" through ICANN proposals (just like com/net/org/etc are today) where the statutes of the agreements may change.

      So in the application for .secure, the applicant puts in whatever rules they want (e.g. for .slashdot, each registrant must list their UUID and have excellent karma) and if ICANN approves it, then the registry operator enforces those rules. Additionally, registrars (the middleman in the ICANN three tiered model of registry, registrar, registrant) must be ICANN accredited, even if they only wish to manage domains under a single TLD.

      ICANN runs the root servers (with the US DoC ultimately controlling the root servers) so they can decide how new gTLDs get managed. I agree with the GP of this post, as ICANN is getting crazy with a flood of new TLDs instead of slowly deliberating over a handful of sTLDs (sponsored top level domains) like in the last decade (see .mobi, .pro, .coop, .museum, etc.)

    15. Re:Call me back in a month ... by Barbara, not Barbie · · Score: 1

      It's a TLD that's going to be operated by a private for-profit business. They won't be able to do much in the way of an invasive "vetting process", and $$$ talks. Even the Hells Angels know how to use "pret-noms" (people who lend their names and identities as covers for activities) and "social engineering" (crack, broken bones) to get around it.

      --
      Let's call it what it is, Anti-Social Media.
    16. Re:Call me back in a month ... by kermidge · · Score: 1

      Enough already with the slew of new gTLDs. ICANN looks to me like the pathetic case of an enfeebled whore scratching for a buck; that, or corporate racketeers.

    17. Re:Call me back in a month ... by Sigg3.net · · Score: 1

      So, by your own admission it should be .sortofsecure or .followingsectrendsof2012..

      Secure means secure. You know as I know that these solutions fast become obsolete resting pillows for lazy admins.

      Why not get .true then? For every politician out there?

    18. Re:Call me back in a month ... by TheLink · · Score: 2

      Didn't the CAs say about the same thing? So why should this end up differently?

      In both systems the security is going to be about as crap as the weakest link (crappiest CA/subdomain or reseller).

    19. Re:Call me back in a month ... by DarwinSurvivor · · Score: 1

      I don't know a whole lot about dnssec, but is there anything stopping a DNS man-in-the-middle from allowing non-dnssec queries to look up false IPs for .secure domains? For example, probably 99.9% of users use their ISP's dns server, if one of them started returning non-dnssec-protected results for "mybank.secure", would anything in a mainstream browser throw up a red flag?

    20. Re:Call me back in a month ... by Anonymous Coward · · Score: 0

      I mean, the security system on my house doesn't turn it into an impenetrable bunker, but it does increase my security, and no one has a problem with it being referred to as a "security system", so how is this different?

      The security system on your house doesn't increase your security one iota. Security systems only trigger *after* security has been compromised.

  2. By any Name by decipher_saint · · Score: 1

    An insecure website by any name sucks just as bad...

    *This Post Approved by the Council of Approving Things

    --
    crazy dynamite monkey
  3. tl;nt by X0563511 · · Score: 4, Insightful

    (too long, not typing)

    Seriously. When every other TLD is two or three characters, they decide to go use a full word? Breaking conventions AND convenience! Whee!

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    1. Re:tl;nt by Anonymous Coward · · Score: 2, Interesting

      Users don't type in URLs anymore!

    2. Re:tl;nt by morcego · · Score: 1

      Will be interesting to see people using URL shorteners (bitly etc) on .secure domains, and how that will compromise the whole principle of the idea.

      --
      morcego
    3. Re:tl;nt by Mr. Sketch · · Score: 1

      When every other TLD is two or three characters, they decide to go use a full word?

      Agreed. Why not just .s? Or maybe .sec?

    4. Re:tl;nt by X0563511 · · Score: 1

      I see no reason why it should. All that does is set up an HTTP redirect (which if you think about it for more than half a second is pretty much exactly like clicking a link)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:tl;nt by HarrySquatter · · Score: 2

      Ignoring .info, .museum, .aero, .arpa, .asia, .coop, .jobs, .mobi, .name, .travel, etc, right? There is no rule that says domains are only 2 or 3 characters despite nerd protestations.

    6. Re:tl;nt by HarrySquatter · · Score: 1

      Agreed with what? A completely false statement? There are TLDs that have been around for years to over a decade that are more than 3 characters.

    7. Re:tl;nt by KlomDark · · Score: 1

      I think the goats have something to do with avoiding sec...

    8. Re:tl;nt by morcego · · Score: 2

      You only see where you are being redirected to AFTER you click on the link.

      The .secure domain is only different because people can just assume it is secure, even before clicking.

      There is nothing stopping the current websites from being even more secure than the .secure ones. The principle of the idea is identify.

      --
      morcego
    9. Re:tl;nt by Zocalo · · Score: 1

      Two or three characters like ".museum" and ".travel", the former of which at least tries to enforce some verification of its domain applicants. It's hardly a new concept, if hardly widely adopted; I've only come across a handful of ".museum" sites and can't recall any ".travel" domains, although I'm sure there are some.

      What really frustrates is that we keep getting schemes like this that just look to be a pure money grab instead of things that might actually help solve a problem. Where's the accredited applicants only ".bank" gTLD to help prevent phishing of financial institutions, for instance?

      --
      UNIX? They're not even circumcised! Savages!
    10. Re:tl;nt by Tridus · · Score: 4, Insightful

      Pretty much everybody else ignores those, so why not?

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    11. Re:tl;nt by makomk · · Score: 1

      All the TLDs that are over three characters long have gone almost totally unused for their intended purposes.

    12. Re:tl;nt by fuzzyfuzzyfungus · · Score: 1

      Arguably, in countries where the local country-code TLD isn't considered a deviant slumzone, the end user experience of a 'TLD' is already five characters long.

      Architecturally '.co.uk' isn't a TLD, of course; but the intention is more or less identical to '.com'. Adoption does fall off pretty rapidly as you get into the dodgier waters away from .com and .org; but there seems to be a reasonably widespread assumption that country code TLDs can be chopped up into categories in a way that effectively makes a given entity's domain suffix five characters long, in a way that the classic three character TLDs are far less frequently divided.

    13. Re:tl;nt by rb12345 · · Score: 1

      All ignored except .arpa, presumably, although that's assuming people bother to set up reverse DNS.

    14. Re:tl;nt by allo · · Score: 2

      yeah, just google "online banking" when you want to use your online-banking.

    15. Re:tl;nt by allo · · Score: 1

      .info is widely used, too. but museum? seriously?

    16. Re:tl;nt by X0563511 · · Score: 1

      The .secure domain is only different because people can just assume it is secure, even before clicking.

      You are forgetting about SSL? .secure will be mandatory vetted SSL, combined with its own domain TLD? Eg, that certificate can't be used by a .com, which is not as vetted.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    17. Re:tl;nt by X0563511 · · Score: 1

      Have you ever seen those domains used? No? That's my point. Nobody uses them because they are a pain in the ass.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    18. Re:tl;nt by Barbara, not Barbie · · Score: 1
      Try this one

      It's for a chicken co-op, but it sure sounds and reads more like a chicken coop (hen house)

      I'm surprised no conspiracy groups ever registered dis.info or noneofyour.biz

      And in a case of the internet imitating life, steve.jobs is offline.

      --
      Let's call it what it is, Anti-Social Media.
    19. Re:tl;nt by Guppy06 · · Score: 1

      Length is irrelevant to a TLD getting ignored. When was the last time you visited a .us domain other than the likes of "delicio.us?"

      And that's before getting to all the state-specific subdomains (al.us, ak.us, ar.us, etc.) that aren't even used by the state governments in question.

    20. Re:tl;nt by eln · · Score: 5, Funny

      You laugh, but if I hadn't used that method I never would have known that my bank relocated to Russia.

    21. Re:tl;nt by mbstone · · Score: 1

      They could put up tree.museum and charge $1.50.

    22. Re:tl;nt by Zocalo · · Score: 1

      Yes, I have, and said so in the post, along with the statement that they were not exactly widely used. For what it's worth, I've come across several museums with a site within the ".museum" gTLD since I travel a lot and like to find out something about the local culture while I'm there, for which museums are often a good place to start. I've also come across a couple of ".aero" domains and have an email address at a ".int". All that kind of proves my point though; gTLDs more than three letters are certainly out there and have been, but hardly used.

      I don't think that's down to them being a pain in the ass to use because most people are going to use them via a search engine result, email or some other linking method that doesn't involve them typing in the URL, but because of the utter sewer that ".biz" and, to a slightly lesser extent, ".info" became. That, combined with the squabbling over ".xxx" and latest ICANN license to print money scheme, has probably tainted the opinion of most of the people who actually still notice or care about domain names in the first place. If there's a demonstrable need (a high bar, admittedly), or a problem that can be alleviated (i.e. something like my suggestion of ".bank" to help counter phishing) with a new gTLD then I'm all for it. Otherwise, we're just going to end up with another ".biz" or worse.

      --
      UNIX? They're not even circumcised! Savages!
    23. Re:tl;nt by Anonymous Coward · · Score: 0

      Real question is will redirects be allowed from the non .secure TLD?

      I'm still waiting for 100% physically isolated encrypted network (YES, entirely isolated NEW PHYSICAL NETWORK across the US) that is accessible through post offices only, or Federal Buildings only, and touches no existing infrastructure. Include 100% auditing and full disclosure..... There is a way for such a thing to exist, but nobody wants to pay for it, or at least leave room in for culpability when someone with access, does something wrong. Politicians, and agency and department heads need wiggle room, after all....

    24. Re:tl;nt by IAmGarethAdams · · Score: 1

      Think the prices have gone up since you visited. Amy Grant had to pay 25 bucks

    25. Re:tl;nt by nullchar · · Score: 2

      There are a few .museum domains in use: http://index.museum/fullindex.php

      Even more .aero domains in use: http://www.nic.aero/cgi-bin/ad_search.cgi (hit the search without changing the form)

      The same for .jobs and .travel whose registry operator verifies the website contents before allowing the nameservers in DNS. (Which is why steve.jobs never resolved anywhere.)

      Those > 3 character TLDs seem to adequately fit under their respective namespaces, unlike domain names under generic top level domains (gTLDs), as by nature, they are generic and can have non-profits under .com and for-profit companies under .org and personal blogs under .net.

    26. Re:tl;nt by thegarbz · · Score: 1

      Personally I find typing 4 characters tedious. Instead I just type the domain name and hit Ctrl+Enter.

      Combined with shortened URLs purchased by companies, "www.faceboo.com"+Enter, becomes "fb"+Ctrl+Enter

    27. Re:tl;nt by Barbara, not Barbie · · Score: 1

      and have an email address at a ".int".

      So, with IPv6, will you be changing it to a 128-bit double.double (aka a "tim horton's").

      --
      Let's call it what it is, Anti-Social Media.
    28. Re:tl;nt by X0563511 · · Score: 1

      ... and how would it be detected or prevented? You don't seem to understand much of the actual technologies involved, here.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    29. Re:tl;nt by DarwinSurvivor · · Score: 1

      Yes, but unless the user's browser KNOWS that, any rogue DNS server could still potentially redirect them to a fake .secure site.

    30. Re:tl;nt by X0563511 · · Score: 1

      Which is why DNSSEC is supposed to be enforced for it, because that stops those kind of shenanigans if people bother to implement it.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    31. Re:tl;nt by DarwinSurvivor · · Score: 1

      And once again, that depends on the user's browser (or what-ever mechanism the browser accesses for DNS information) to enforce DNSSEC.

    32. Re:tl;nt by Coren22 · · Score: 1

      How about the last time you saw a .co, and didn't think to yourself it was odd visiting something in Colombia?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  4. CAPTCHA by Anonymous Coward · · Score: 1

    ...for every link within subdomains

  5. ICANN is king of nothing by Anonymous Coward · · Score: 0

    They can't even deal with malicious registrars, and they expect to enforce SSL on these .secure domains? Get real.

    relevant captcha: kidded

  6. Yeah yeah whatever by Anonymous Coward · · Score: 2, Insightful

    Recall the ".pro" TLD? Supposed to be for "vetted professionals"? The first .pro I ever encountered turns out to be a crooked outfit. (If you must know, videolan.pro, which impersonates but does not actually have any connection to the real thing.) I have so far never encountered a dot-pro that was actually legit. A lesser used .biz of sorts, but with delusions of grandeur.

    So I'll reserve judgement on this one. Not that it isn't a reasonable idea, I've been toying with the notion for a while. It's the execution that matters, and we'll just have to see how that pans out.

    1. Re:Yeah yeah whatever by wiedzmin · · Score: 1

      Recall the ".pro" TLD? Supposed to be for "vetted professionals"? I have so far never encountered a dot-pro that was actually legit.

      What's ".pro"?

      --
      Bow before me, for I am root.
    2. Re:Yeah yeah whatever by Em Adespoton · · Score: 1

      We obviously need to pair every .pro domain with a matching .con domain... you know, for balance.

    3. Re:Yeah yeah whatever by X0563511 · · Score: 2

      Erm, did you even read what you just quoted? The first sentence defines it.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:Yeah yeah whatever by X0563511 · · Score: 1

      .con should be a CNAME to .com at the root (.) level :P

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:Yeah yeah whatever by wiedzmin · · Score: 1

      The point was that I've never heard about it until now. I googled it right after. Useless.

      --
      Bow before me, for I am root.
    6. Re:Yeah yeah whatever by X0563511 · · Score: 1

      You must not be seeing the AC's whole post. It starts with this, which tells you exactly what it is:

      Recall the ".pro" TLD? Supposed to be for "vetted professionals"?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    7. Re:Yeah yeah whatever by wiedzmin · · Score: 1

      Yes, I saw that. What's the point? Am I supposed to trust someone more because he is using a .pro domain, as opposed to a .com domain? IMHO, I would prefer he used a .com domain - that probably means he's been around longer.

      --
      Bow before me, for I am root.
    8. Re:Yeah yeah whatever by X0563511 · · Score: 1

      I suppose the point was that you weren't supposed to be able to register .pro domains without actually having some means to vet your profession?

      I'm not the person to ask.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  7. i was laughing at the headline by NemoinSpace · · Score: 2, Insightful

    Then I realized it wasn't a joke.
    This is so not going to end well.
    something almost, but not quite, entirely unlike tubes.

    1. Re:i was laughing at the headline by The Mister Purple · · Score: 1

      Tubes with locks on them!

      Inevitable security breach aside, this looks like a great way to scam a lot of money out of the Wall Street types who are intimidated by the complexity fax machines.

      --
      "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." Feynman
    2. Re:i was laughing at the headline by Anonymous Coward · · Score: 1

      Then I realized it wasn't a joke.

      Then I read the summary and realised it was. Also coming soon the .not-secure TLD for sites that have no reason to use SSL and the .redundant-due-to-protocol-string TLD to both complete and future-proof the system.

    3. Re:i was laughing at the headline by The Mister Purple · · Score: 1

      ... complexity of fax machines.

      FTFM... sigh.

      --
      "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." Feynman
    4. Re:i was laughing at the headline by Em Adespoton · · Score: 1

      I've been waiting for the .cdn TLD for some time, to house all content distribution networks, and anyone who wants to pretend they're a CDN.

    5. Re:i was laughing at the headline by Anonymous Coward · · Score: 0

      And a commercial cdn should have domains like "cdn.company-com.cdn" for good measure.

  8. The search for more money by MrDiablerie · · Score: 2

    Hmm, just a way for domain registrars to make more money? https:// should be sufficient, browsers already inform you when you have a secure connection.

    1. Re:The search for more money by Barbara, not Barbie · · Score: 1

      So they'll implement a new protocol: httpSS - twice as secure ... and you'll use it and like it, OR ELSE!

      Of course it's a money grab. So quick - register in.secure and cash in!

      --
      Let's call it what it is, Anti-Social Media.
    2. Re:The search for more money by dyingtolive · · Score: 1

      Link appears broken.

      (don't hit me, I'm joking)

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    3. Re:The search for more money by Aaron B Lingwood · · Score: 1

      So they'll implement a new protocol: httpSS - twice as secure

      You laugh, but...

      https://wwws.whitehouse.gov/petitions#!/

      https://wwws.safra.com/SafraOfficeBank/

      http://wwws.aa.warnerbros.com/journeytothecenteroftheearth2/

      https://wwws.loc.gov/readerreg/remote/

      Secure browsing has already gone enterprisey with the new WWWS for secure sites

      Notice the 3rd link. https:// is not even configured on this server. Yet we are meant to think it is secure because of the 'wwws'.

      --
      [Rent This Space]
  9. .bank by wiedzmin · · Score: 4, Insightful

    Again, I would rather have them introduce the .bank domain name, that can be registered only by verified banking institutions (they make it cost like $20,000 per year too, to further deter fraud). IMHO that, combined with PCI regulations enforcing the security of sites hosted on such domains, would be infinitely more useful.

    --
    Bow before me, for I am root.
    1. Re:.bank by Anonymous Coward · · Score: 1

      The thing is, people read left to right, and web addresses read inside to out. Try to convince most endusers that http://www.wellsfargo.com.soundslegit1234.ru/onlinebank/enterpasswordhere.html isn't safe.

      Even if people do read the URL, they often don't understand it. A .secure TLD just gets buried in the legit-looking stuff on the outside.
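Added example, not part of the thread: the comment above and the earlier "wwws" comment both turn on the same check, namely that trust attaches to the scheme and to the registrable domain at the right-hand end of the hostname, not to labels that merely look reassuring. The sketch below assumes a tiny constructed suffix set (`SUFFIXES`, not the real Public Suffix List), hypothetical function names, and one constructed lookalike URL built from names that appear in the thread.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real check needs the full list; these entries only cover the samples below.
SUFFIXES = {"com", "ru", "gov", "uk", "co.uk", "secure"}

# Host labels that suggest security without providing any (assumed list).
SECURITY_HINTS = {"secure", "wwws", "ssl"}


def registrable_domain(host):
    """Return the public suffix plus one label to its left, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def assess(url, expected_domain):
    """Compare a URL with the domain the user believes they are visiting.

    Returns (registrable_domain, findings); an empty findings list means the
    scheme is https and the registrable domain is the expected one.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    findings = []

    if parts.scheme != "https":
        findings.append("not-https")
        # A label such as "wwws" says nothing about the transport in use.
        if any(label in SECURITY_HINTS for label in host.split(".")):
            findings.append("secure-looking-name-over-plain-http")

    if reg != expected_domain:
        findings.append("wrong-registrable-domain")
        # The expected name appearing further left is only a subdomain
        # chosen by whoever controls the real registrable domain.
        if f".{expected_domain}." in f".{host}.":
            findings.append("expected-name-used-as-subdomain")

    return reg, findings


# URLs quoted in the thread, plus one constructed lookalike (marked).
SAMPLES = [
    ("http://www.wellsfargo.com.soundslegit1234.ru/onlinebank/enterpasswordhere.html",
     "wellsfargo.com"),
    ("http://wwws.aa.warnerbros.com/journeytothecenteroftheearth2/",
     "warnerbros.com"),
    ("https://mybank.secure.soundslegit1234.ru/",  # constructed
     "mybank.secure"),
    ("https://mybank.secure/",                     # constructed path
     "mybank.secure"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        reg, findings = assess(url, expected)
        print(f"{url}\n  registrable domain: {reg}\n  findings: {findings or 'none'}")
```

The third sample passes the https check and still fails, which is the case the comment describes: a `.secure` label buried to the left of the real domain.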

    2. Re:.bank by Anonymous Coward · · Score: 1

      Trying to make something more legitimate based on price only makes it worth more to criminals that want to take advantage. Which means they will then have the money to pay whatever is necessary.

    3. Re:.bank by Anonymous Coward · · Score: 1

      Pray tell, who decides what is a bank?

      Since this is a national matter, I'd say .bank.us (and .bank.$cc in general) would be a far better approach.

    4. Re:.bank by Anonymous Coward · · Score: 0

      (they make it cost like $20,000 per year too, to further deter fraud)

      Would have to be significantly more, since if a .bank site became considered "guaranteed" secure, I'd imagine dumping 20k into one for fraud would bring in major Return on Investment.

    5. Re:.bank by X0563511 · · Score: 1

      with PCI regulations enforcing

      BWAHAHAHAHAHA!

      If only you knew what an insider knew.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:.bank by thegarbz · · Score: 1

      (they make it cost like $20,000 per year too, to further deter fraud).

      You clearly don't know much about fraud do you? $20000? That's a single victim's savings right there. The problem is people do fraud not to boost their petty cash but to get rich from crime. If people thought they could only make that little money from fraud then they'd have real jobs instead.

    7. Re:.bank by wiedzmin · · Score: 1

      The thing is, people read left to right, and web addresses read inside to out. Try to convince most endusers that http://www.wellsfargo.com.soundslegit1234.ru/onlinebank/enterpasswordhere.html isn't safe.

      Even if people do read the URL, they often don't understand it. A .secure TLD just gets buried in the legit-looking stuff on the outside.

      Fair enough, though newer browsers do help somewhat by highlighting the TLD in the address bar in a different color.

      --
      Bow before me, for I am root.
    8. Re:.bank by wiedzmin · · Score: 1

      I know that some compliance is better than no compliance at all. Even a poorly enforced PCI control on .bank is better than no control on .secure, no?

      --
      Bow before me, for I am root.
    9. Re:.bank by Anonymous Coward · · Score: 0

      Maybe it's not high enough, but it gets rid of the problem of charging the $10 or whatever domain registration fee to a random stolen credit card, at least. Though, really, trying to make TLDs meaningful seems like a lost cause. And making them meaningful for security just seems like setting up a mess.

    10. Re:.bank by Patch86 · · Score: 1

      To be honest, I'd settle for ".bank.uk" (and your local equivalents). Nominet maintains (or allows) a number of second level domains which have policed registration requirements, so one for recognised banking organisations shouldn't be too hard to manage. Exactly what the criteria would be is debatable, but there are plenty of candidates- only FSA-regulated organisations, only organisations with a banking license, etc.

  10. secure:// by GeneralSecretary · · Score: 1

    When I first saw this I thought, "Oh good, no more explaining to Grandma that you need to check for HTTPS://", but it is a bit to type. Why not replace "https://" with "shttp://" or "secure://"?

    1. Re:secure:// by fuzzyfuzzyfungus · · Score: 1

      The stuff before the '://' specifies the protocol. There is no "secure://" protocol, nor does this proposal involve any additions or changes to what currently counts as https, except for actually using them consistently.

    2. Re:secure:// by pahles · · Score: 2

      shttp:// sounds like a rather shitty protocol...

      --
      Sig?
    3. Re:secure:// by geekoid · · Score: 1

      I like how you have to explain something you clearly don't understand to your grandma.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    4. Re:secure:// by fearlezz · · Score: 1

      If that is the whole problem, why not rename the https protocol to "secure"?

      I personally don't think it's a bad idea to make secure:// an alias of https://. The only problem would be that just using https does not tell anything about the connections actual security.

      --
      .sig: No such file or directory
    5. Re:secure:// by X0563511 · · Score: 1

      The only problem would be that just using https does not tell anything about the connection's actual security.

      Of course not. That's the job of the browser. It's not the protocol's fault the browsers don't do it. The CA break-ins are all political problems really - those who were trusted betrayed that trust in one way or another.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  11. EV certificates? by diamondmagic · · Score: 1

    Isn't this exactly what Extended Verification Certificates were supposed to be for?

    Why should I trust some arbitrary party to vet the security of a website by the virtue it's accessible with a particular TLD? I get that TLS shouldn't require any third parties merely to establish a secure pipe, but if you *are* looking for a third party to vet other stuff, like your bank's privacy policy and whatnot, this is exactly what PKI *does* do well, at the protocol level.

    1. Re:EV certificates? by fuzzyfuzzyfungus · · Score: 2

      I'm skeptical of this fancy new domain (for basically the same reasons that I'm skeptical of SSL/TLS once you include the 'identity' problem); but 'EV' certs are a perfect example of how PKI, as presently implemented, does a ghastly job of doing what it is supposed to do. Plain, boring, certificates were originally supposed to be all authoritative and vetted and whatnot. That didn't survive price pressure and laziness, so now we have the new double-secret-verified certificates that make your browser turn green. I suspect that we'll soon have a third tier of genuinely-actually-100%-vetted-trust-us certificates that play soothing background music as well as turn the browser green, for a small additional fee.

  12. Bad idea... by billlava · · Score: 2

    .sec is just a fat finger slip away from .sex, which I can only assume will some day be its own TLD at the rate ICANN is handing them out. Can you imagine accidentally stumbling upon https://discreteaccountants.sex/ ? Hold that thought. I just had an idea for a startup.

  13. Too Long by Githaron · · Score: 1

    If they are going to do this, can they at least shorten it? How about ".sec"?

    1. Re:Too Long by Anonymous Coward · · Score: 0

      If they are going to do this, can they at least shorten it? How about ".sec"?

      Yes - and I'd like to register my domain which is all about goats. How do you think that one will work out?

    2. Re:Too Long by John+Bokma · · Score: 1

      letmethinkaboutthatfora.sec....

    3. Re:Too Long by Jorgensen · · Score: 1

      Shortening to ".sec" is not a good idea - on a QWERTY keyboard the C and X keys are next to each other and grandma cannot be trusted to avoid typos...

    4. Re:Too Long by Githaron · · Score: 1

      Shortening to ".sec" is not a good idea - on a QWERTY keyboard the C and X keys are next to each other and grandma cannot be trusted to avoid typos...

      I thought the new domain for that stuff was .xxx?

    5. Re:Too Long by Patch86 · · Score: 1

      Oh my god, but what if people accidentally mistype that as .ccc? THEY'RE RIGHT THERE NEXT TO EACH OTHER ON THE KEYBOARD!

    6. Re:Too Long by atisss · · Score: 1

      Wait, how do I watch my porn securely? .secure.xxx or .xxx.secure?

  14. Bribes, Corruption, Maneuvering by greenlead · · Score: 1

    So, who maneuvered this one into being, so that one they and their closest friends can approve people for this TLD? Oh, and we should start teaching the uneducated public that *.secure is the only way for a site to be trustworthy, so that those key players can make even more money from certificates that cost nearly nothing to generate.

    1. Re:Bribes, Corruption, Maneuvering by greenlead · · Score: 1

      errr... "one" --> "only".

  15. Hmm, funny... by Anonymous Coward · · Score: 0

    I THOUGHT THAT WAS THE POINT OF HTTPS?!

    This TLD nonsense is just awful, seriously, so awful.

    Someone dethrone those twats already, they are useless and just destroying the DNS world.
    All they want to do is rob people of even more money.
    These new TLDs are just an even larger redundancy being tacked on to the internet.

    It should have been protocol://ccTLD.domaintype.domain.subdomains/directories/file.ext (and domain type would have been things like museum, hotel, banking, etc)
    Quick example: http://uk.search.google.images/?trillion_parameters_here (you can take your little and middle endians and spin on it!)
    But they even managed to screw THAT one up! To think these supposed smart people had such insight to have come together to create this glorious network...
    Now they are doing useless_protocol_consider_deprecation://subdomains.domain.domain2/directories/file.ext
    TLDs don't even exist anymore, pretty much. To even think of them as TLDs is pointless.
    GOD.

    I'll see you all on usenet or openNIC or whatever else replaces it if (please be when) the web comes crashing down.

    1. Re:Hmm, funny... by fuzzyfuzzyfungus · · Score: 1

      Ironically, your proposal is actually horribly similar to this pointless-loads-of-arbitrary-TLDs nonsense, just in reverse order and with questionably useful ccTLDs prepended.

      The 'domaintype' notion is the kicker. It isn't quite as broad as an arbitrary string; but it is very broad indeed, and would be the stuff of endless wrangling (and, since many sites do multiple things, would suffer from similar must-protect-trademark-on-all-possible-domains shenanigans). At some point, you have to give up and accept that (outside of a few, largely sterile, walled gardens that maintain order mostly by virtue of being a direct projection of a real-world organization, like .mil) URLs are either going to be largely meaningless or an unbelievably ungainly apparatus will have to be deployed to hammer out the possible categories of the internet and then force all the TLDs and subdomains into submission.

  16. Clearly they should have used .sucr by Tekfactory · · Score: 1

    I mean there it is, just another plan to extort money, which then gets added to the product, which we pay for and somebody else is chipping off a little bit for themselves.

  17. What could possibly go wrong? by Arrogant-Bastard · · Score: 2

    Given the rousing success of .mail, which immediately succeeded in reducing spam to a...oh...wait...

    And then there's .pro, which is used exclusively by millions of professionals and...oh...umm...

    Alright, never mind that. Of course it will be secure, because a well-known security company is on the job and...oh...errrrmm... Verisign, Pillar of Internet Security, Hacked...

    Doesn't matter. I'm certain it will work perfectly. I mean, really, what blackhat would target a .secure domain? Everyone knows they're secure.

  18. Monumentally stupid idea by Tridus · · Score: 1

    Hack one. Purpose defeated.

    ICANN is a menace that needs to be put out of its misery.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  19. sperm.bank by tepples · · Score: 1

    Where's the accredited applicants only ".bank" gTLD to help prevent phishing of financial institutions, for instance?

    Not all "banks" are financial. Who would get blood.bank or sperm.bank?

    1. Re:sperm.bank by Zocalo · · Score: 1

      True, there are several other types of "bank", but the one most people think of first is the financial type, and so far at least they are the ones mostly being targeted by phishers, although a 419 email phishing a sperm bank would be an "interesting" read, I'm sure. Still, why not? A bank's a bank, so why not allow "vlads.blood.bank" if you were running a hypothetical ".bank" domain? Or maybe apply ".finance" instead, since not all financial targets of phishing are banks, either; EFTS, building societies and co-ops for instance. (Yes, I know there is already a ".coop" gTLD, but that's just for the birds.)

      --
      UNIX? They're not even circumcised! Savages!
  20. This can be abused easily enough by Anonymous Coward · · Score: 0

    http://nigerianfortunes.za/scam.aspx?decoy=www.legitimate.secure

    Not that that's a good one, but really. Anyone who understands doesn't need this, and anyone who doesn't, will be easily fooled.

  21. Filtering Evil Bit? by Anonymous Coward · · Score: 0

    Will this TLD provide a mechanism for filtering out packets with the evil bit set?

    IETF

  22. Type-in traffic by tepples · · Score: 1

    Isn't this exactly what Extended Verification Certificates were supposed to be for?

    I imagine that it's a TLD for which type-in traffic is intended to go on HTTPS instead of HTTP, and for which browsers can expect DNSSEC and EV certs and fail if not present.

  23. New website by Anonymous Coward · · Score: 1

    I want to get not.secure, so I can create the domain this.is.not.secure.

  24. someone did not understand DNS by allo · · Score: 1

    of course you can check, if an ip only runs https, when registering the domain. But you cannot check, if the ip accepts http at some point later on ... and even with regular checks, a firewall could allow http for clients and disallow it for the checker-ip.

    Also implying https on = secure. then the browser display of 'valid certificate' would just be enough.

    1. Re:someone did not understand DNS by Anonymous Coward · · Score: 0

      You're missing the point.

      Browsers can be set to reject HTTP or even out of spec SSL communications with anything in .secure. Likewise, they can fail to connect if they don't receive a valid, signed DNSSEC response.

      The goal of .secure is to create a TLD in which heightened security practices can be enforced by the browser. With no legacy concerns, browsers can enforce certain standards which should have been built into the Internet from the first place.

      Consider XSRs. A browser might be configured to block any XSR from a .secure to another TLD or vice versa. XSS, XSRF, and injection of externally hosted malware suddenly becomes impossible.
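
The client-side enforcement described in the comment above, sketched as an added example that is not part of the original thread and not code from any browser or from the .secure applicants. The function names and the `dnssecValidated` and `tlsInSpec` fields are assumptions; the decision keys off the parsed hostname, so a `.secure` name sitting in a query string (as in the decoy URL from comment 20) does not count.

```javascript
// Hypothetical policy a client could apply to a ".secure" TLD. No browser ships
// this; the request fields below are assumptions made for the illustration.
const STRICT_TLD = "secure";

// Last DNS label of a hostname, ignoring case and a trailing root dot.
function tldOf(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels[labels.length - 1];
}

// True only when the URL's *host* is under the strict TLD.
function isStrict(urlString) {
  return tldOf(new URL(urlString).hostname) === STRICT_TLD;
}

// request: { url, initiator, dnssecValidated, tlsInSpec }
//   initiator is the URL of the page issuing the request, or null for type-in.
function evaluateRequest(request) {
  const target = new URL(request.url);
  const targetStrict = tldOf(target.hostname) === STRICT_TLD;
  const initiatorStrict = request.initiator ? isStrict(request.initiator) : null;

  // Cross-site rule from the comment: nothing crosses the .secure boundary,
  // in either direction.
  if (initiatorStrict !== null && initiatorStrict !== targetStrict) {
    return { allow: false, reason: "request crosses the .secure boundary" };
  }
  if (!targetStrict) {
    return { allow: true, reason: "ordinary TLD, no extra rules" };
  }
  // Inside .secure: fail closed on each requirement the comment lists.
  if (target.protocol !== "https:") {
    return { allow: false, reason: "plain HTTP to .secure" };
  }
  if (!request.dnssecValidated) {
    return { allow: false, reason: "no valid signed DNSSEC answer" };
  }
  if (!request.tlsInSpec) {
    return { allow: false, reason: "TLS session below policy" };
  }
  return { allow: true, reason: "all .secure checks passed" };
}
```

A client that lacks this policy applies none of these checks, which is the gap the next reply raises.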

    2. Re:someone did not understand DNS by allo · · Score: 1

      yeah, and what do browsers do, which are older than the .secure domain? or browsers, which just support normal networking without special rules for .secure? And how should the average User tell, if a browser supports secure or not?

  25. .Secure? From whom? by CanHasDIY · · Score: 1

    Unless it's secured from governments, agents provocateurs, corporate raiders, etc, it's not secure.

    These days, it's not just random Slavs looking to jack your CC info you need to keep watch for...

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  26. In related news... by wbr1 · · Score: 1

    ...norton.secure and mcafee.secure found to be hosting ransomware and malware.

    --
    Silence is a state of mime.
  27. Heard this before by LordLucless · · Score: 1

    and a comprehensive vetting process for websites and their operators.

    What, like the one required to get a signed SSL cert? Oh wait, I mean the one to get an "Extended Validation" SSL cert.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  28. What's the point? by Hentes · · Score: 1

    When you use a https site you don't need the TLD to tell that it is secure: the protocol name is what's to be counted on.

  29. +1 Great Comment by Anonymous Coward · · Score: 1

    The fundamental problem is that while everyone realizes that there's no such thing as perfect security in the real world, the vast majority of the nontechnical population seems to have this ridiculous assumption that there is such a thing as perfect security on the internet.

    Will it just take time and generations of internet users to change that mentality? Or are we forever doomed by "computers are magic".

  30. Why not just make HTTPS a "default" option by Kagetsuki · · Score: 2

    You know, and f*ing fix the certificate system. Make it so certificates are generated off some sort of DNS record information or something and add that info to the info registrars have. Or something. Buying certificates is almost like blackmail, and even if you do buy one it's not like your cert auth isn't vulnerable to attack or users won't just hit the "add exception" button when they get spoofed.

    Oh and as was mentioned above, making a .secure domain is like putting a target on yourself. Good luck with that one.

    1. Re:Why not just make HTTPS a "default" option by Anonymous Coward · · Score: 0

      Luckily, there actually is work in this direction. DNSSEC authenticated HTTPS is supported in Chrome as of Chrome 14 and is being worked on for Firefox (see also: Wikipedia section on DANE). Of course, it requires DNSSEC and a compatible browser. As browsers get updated slowly, most sites will likely be very conservative about switching over, and those with EV certs never will.

  31. Bad idea. by Anonymous Coward · · Score: 0

    That would imply that all certificate authorities can be trusted.
    For christ sakes, we already have "premium" priced SSL certs that turn the address bar to green.
    Secondly, you're suggesting that secure:// should explicitly be defined as HTTP encapsulated in SSL.
    HTTP or SSL is not at all future-proof. In some alternate universe, someone could have made gopher:// encapsulated in SSL and called it secure://, but like hell that'll fly here.

  32. Chicken.coop by tepples · · Score: 1

    Yes, I know there is already a ".coop" gTLD, but that's just for the birds.

    Yeah, especially the Montana Poultry Growers Cooperative.

  33. Still doesn't guard against lazy programming by jasonla · · Score: 1

    I don't think a new domain will prevent stupid mistakes like this: http://www.theregister.co.uk/2011/06/14/citigroup_website_hack_simple/ In short, Citibank's website was "hacked" by changing the account number in the URL. Account numbers exposed via GET requests.
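
The flaw described in the comment above (an account number taken from the URL with no ownership check) beside a corrected lookup, as an added example that is not part of the original thread and not Citigroup's code. The account data, session IDs, URL layout and function names are all constructed for the illustration; transport encryption is the same in both versions, and only the authorization check differs.

```javascript
// Constructed data: two customers, each owning one account.
const ACCOUNTS = new Map([
  ["1001", { owner: "alice", balance: 250 }],
  ["1002", { owner: "bob", balance: 9000 }],
]);
// Constructed session table: session id -> authenticated user.
const SESSIONS = new Map([
  ["sess-alice", "alice"],
  ["sess-bob", "bob"],
]);

// Account number as supplied by the client in the GET query string.
function accountIdFrom(requestUrl) {
  return new URL(requestUrl, "https://bank.example").searchParams.get("account");
}

// Flawed: being logged in is the only check, so any session can read
// whichever account number appears in the URL.
function viewAccountFlawed(sessionId, requestUrl) {
  if (!SESSIONS.has(sessionId)) return { status: 401 };
  const account = ACCOUNTS.get(accountIdFrom(requestUrl));
  return account ? { status: 200, body: account } : { status: 404 };
}

// Corrected: the account must belong to the user bound to the session.
function viewAccountChecked(sessionId, requestUrl) {
  const user = SESSIONS.get(sessionId);
  if (!user) return { status: 401 };
  const account = ACCOUNTS.get(accountIdFrom(requestUrl));
  // Same 404 for "does not exist" and "not yours", so the response does not
  // confirm which account numbers are valid.
  if (!account || account.owner !== user) return { status: 404 };
  return { status: 200, body: account };
}
```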