New .secure Internet Domain On Tap
CowboyRobot writes "A new top-level domain (TLD) in the works for the Internet will bake security in from the outset: The .secure domain will require fully encrypted HTTPS sessions and a comprehensive vetting process for websites and their operators. If the new domain takes off, it could shift the way Web domains are secured. ICANN is expected to sign off on .secure, and for the new TLD to be up and running in June or July 2013."
Might as well just name it .hackme
(too long, not typing)
Seriously. When every other TLD is two or three characters, they decide to go use a full word? Breaking conventions AND convenience! Whee!
Recall the ".pro" TLD? Supposed to be for "vetted professionals"? The first .pro I ever encountered turns out to be a crooked outfit. (If you must know, videolan.pro, which impersonates but does not actually have any connection to the real thing.) I have so far never encountered a dot-pro that was actually legit. A lesser-used .biz of sorts, but with delusions of grandeur.
So I'll reserve judgement on this one. Not that it isn't a reasonable idea; I've been toying with the notion for a while. It's the execution that matters, and we'll just have to see how that pans out.
Then I realized it wasn't a joke.
This is so not going to end well.
Hmm, just a way for domain registrars to make more money? https:// should be sufficient, browsers already inform you when you have a secure connection.
And it's this type of attitude that will kill it. They're not claiming it to be bulletproof or perfect, only that they're enforcing a number of currently available security protocols that are optional in the general internet, and difficult to figure out if they're actually in use. So if you're on a .secure domain name, it doesn't mean the site is unhackable, but it does mean that you resolved the domain via DNSSEC, and that your connection is over SSL, and that the SSL certificate was reasonably vetted. Unfortunately, this doesn't solve the fundamental problem that understanding network security requires some knowledge, and so some day some site on this TLD will get hacked, and every shitty news organization on the planet will talk about how .secure is worthless, and it will die.
All this is going to do is encourage a false sense of security - after all, the chain of security is only as strong as the weakest link, and there are plenty of weak links, starting with the end users and their computers.
"But how was I to know that drivebydownload.secure serves up malware? Or that russianbusinessnetwork.secure would resell my credit card info?"
Let's call it what it is, Anti-Social Media.
Again, I would rather have them introduce the .bank domain name, that can be registered only by verified banking institutions (they make it cost like $20,000 per year too, to further deter fraud). IMHO that, combined with PCI regulations enforcing the security of sites hosted on such domains, would be infinitely more useful.
.sec is just a fat finger slip away from .sex, which I can only assume will some day be its own TLD at the rate ICANN is handing them out. Can you imagine accidentally stumbling upon https://discreteaccountants.sex/ ?
Hold that thought. I just had an idea for a startup.
Given the rousing success of .mail, which immediately succeeded in reducing spam to a...oh...wait...
.pro, which is used exclusively by millions of professionals and...oh...umm...
.secure domain? Everyone knows they're secure.
And then there's
Alright, never mind that. Of course it will be secure, because a well-known security company is on the job and...oh...errrrmm... Verisign, Pillar of Internet Security, Hacked...
Doesn't matter. I'm certain it will work perfectly. I mean, really, what blackhat would target a
So by that logic, you shouldn't be allowed to advertise anything as "secure" because nothing is 100% secure, but if you call something secure then stupid people will assume it is impenetrable. I mean, the security system on my house doesn't turn it into an impenetrable bunker, but it does increase my security, and no one has a problem with it being referred to as a "security system", so how is this different?
The fundamental problem is that while everyone realizes that there's no such thing as perfect security in the real world, the vast majority of the nontechnical population seems to have this ridiculous assumption that there is such a thing as perfect security on the internet. And to make it worse, they assume that such security requires no effort or knowledge on their part. It gets frustrating that those of us who do understand these concepts are constantly being handcuffed by the people who don't.
And we can do all that now without paying ICANN extra fees or creating the illusion that it's "secure" because the address says so. Which is exactly what end users and the media are going to believe.
What we really need to do is rein ICANN in and stop this kind of nonsense.
shttp:// sounds like a rather shitty protocol...
I'm skeptical of this fancy new domain (for basically the same reasons that I'm skeptical of SSL/TLS once you include the 'identity' problem); but 'EV' certs are a perfect example of how PKI, as presently implemented, does a ghastly job of doing what it is supposed to do. Plain, boring, certificates were originally supposed to be all authoritative and vetted and whatnot. That didn't survive price pressure and laziness, so now we have the new double-secret-verified certificates that make your browser turn green. I suspect that we'll soon have a third tier of genuinely-actually-100%-vetted-trust-us certificates that play soothing background music as well as turn the browser green, for a small additional fee.
Except it doesn't mean that at all, because all those technologies are backwards-compatible. So any client that doesn't know about .secure should quite happily resolve .secure domains without using DNSSEC and connect to them over plain, unencrypted HTTP. In fact, I expect that in practice most clients won't validate DNSSEC because otherwise it'll break access to .secure sites on networks which don't support DNSSEC and their users will complain.
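The two comments above (the three properties .secure is supposed to guarantee, and the point that a client unaware of the TLD will happily downgrade to plain DNS and plain HTTP) as an added Python example, written for this discussion and not taken from the .secure proposal or any poster: the policy only exists if the client enforces it, so the same downgraded connection passes a legacy client and fails an aware one. The TLD name, the result types and the sample addresses are all constructed.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

SECURE_TLD = "secure"  # constructed: the proposed TLD, not a registered one

@dataclass
class ResolutionResult:
    # What a DNSSEC-aware stub gets back: addresses plus whether the validating
    # resolver set the AD (Authenticated Data) flag. AD only means something if
    # the resolver itself is trusted and the path to it cannot be tampered with.
    addresses: tuple
    ad_flag: bool

@dataclass
class TlsResult:
    used_tls: bool         # was the transport TLS at all (https vs http)?
    chain_validated: bool  # did the certificate chain validate to a trusted root?

def is_secure_tld(host: str) -> bool:
    """True if the host's rightmost label is the .secure TLD."""
    labels = host.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == SECURE_TLD

def evaluate(url: str, resolution: ResolutionResult, tls: TlsResult) -> List[str]:
    """Return the .secure requirements this connection fails; empty means all
    three hold. Hosts outside .secure get no findings because no policy applies."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not is_secure_tld(host):
        return []
    findings = []
    if parts.scheme != "https":
        findings.append(f"{host}: plaintext scheme {parts.scheme!r} under .{SECURE_TLD}")
    if not resolution.ad_flag:
        findings.append(f"{host}: resolution not DNSSEC-validated (AD flag clear)")
    if not (tls.used_tls and tls.chain_validated):
        findings.append(f"{host}: TLS certificate chain not validated")
    return findings

def connection_allowed(url: str, resolution: ResolutionResult, tls: TlsResult,
                       aware: bool = True) -> bool:
    """aware=False models a legacy client that knows nothing about .secure and
    accepts whatever resolves and connects: the downgrade path described above."""
    if not aware:
        return True
    return not evaluate(url, resolution, tls)
```

Feeding `connection_allowed` a plain-HTTP, non-validated resolution of a `.secure` host returns True with `aware=False` and False with `aware=True`, which is the whole gap: nothing about the name itself stops the legacy path.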
"But how was I to know that drivebydownload.secure serves up malware? Or that russianbusinessnetwork.secure would resell my credit card info?"
Even the summary says "vetting process for websites and their operators"...
You know, and f*ing fix the certificate system. Make it so certificates are generated off some sort of DNS record information or something and add that info to the info registrars have. Or something. Buying certificates is almost like blackmail, and even if you do buy one it's not like your cert auth isn't vulnerable to attack or users won't just hit the "add exception" button when they get spoofed.
Oh and as was mentioned above, making a .secure domain is like putting a target on yourself. Good luck with that one.
Didn't the CAs say about the same thing? So why should this end up differently?
In both systems the security is going to be about as crap as the weakest link (crappiest CA/subdomain or reseller).