
New .secure Internet Domain On Tap

Posted by Soulskill
from the it-says-so-right-in-the-url dept.
CowboyRobot writes "A new top-level domain (TLD) in the works for the Internet will bake security in from the outset: The .secure domain will require fully encrypted HTTPS sessions and a comprehensive vetting process for websites and their operators. If the new domain takes off, it could shift the way Web domains are secured. ICANN is expected to sign off on .secure, and for the new TLD to be up and running June or July 2013."
  • ... when it's hacked.
    • by BackwardPawn (1356049) on Friday May 11, 2012 @04:13PM (#39972177)
      Might as well just name it .hackme
      • All this is going to do is encourage a false sense of security - after all, the chain of security is only as strong as the weakest link, and there are plenty of weak links, starting with the end users and their computers.

        "But how was I to know that drivebydownload.secure serves up malware? Or that russianbusinessnetwork.secure would resell my credit card info?"

        • by Joce640k (829181)

          "But how was I to know that drivebydownload.secure serves up malware? Or that russianbusinessnetwork.secure would resell my credit card info?"

          Even the summary says "vetting process for websites and their operators"...

          • It's a TLD that's going to be operated by a private for-profit business. They won't be able to do much in the way of an invasive "vetting process", and $$$ talks. Even the Hells Angels knows how to use "pret-noms" (people who lend their names and identities as covers for activities) and "social engineering" (crack, broken bones) to get around it.

          • by TheLink (130905)
            Didn't the CAs say about the same thing? So why should this end up differently?

            In both systems the security is going to be about as crap as the weakest link (crappiest CA/subdomain or reseller).
    • by Anonymous Coward on Friday May 11, 2012 @04:20PM (#39972317)

      And it's this type of attitude that will kill it. They're not claiming it to be bulletproof or perfect, only that they're enforcing a number of currently available security protocols that are optional in the general internet, and difficult to figure out if they're actually in use. So if you're on a .secure domain name, it doesn't mean the site is unhackable, but it does mean that you resolved the domain via DNSSEC, and that your connection is over SSL, and that the SSL certificate was reasonably vetted. Unfortunately, this doesn't solve the fundamental problem that understanding network security requires some knowledge, and so some day some site on this TLD will get hacked, and every shitty news organization on the planet will talk about how .secure is worthless, and it will die.

      • Re: (Score:2, Troll)

        by AngryDeuce (2205124)
        Yeah, but the idiots will think it is an impenetrable shield. All this kind of shit does is encourage risky behavior by instilling a false sense of security when there is none.
        • Re: (Score:3, Interesting)

          by Anonymous Coward

          So by that logic, you shouldn't be allowed to advertise anything as "secure" because nothing is 100% secure, but if you call something secure then stupid people will assume it is impenetrable. I mean, the security system on my house doesn't turn it into an impenetrable bunker, but it does increase my security, and no one has a problem with it being referred to as a "security system", so how is this different?

          The fundamental problem is that while everyone realizes that there's no such thing as perfect secur

      • by Tridus (79566) on Friday May 11, 2012 @04:35PM (#39972565) Homepage

        And we can do all that now without paying ICANN extra fees or creating the illusion that it's "secure" because the address says so. Which is exactly what end users and the media are going to believe.

        What we really need to do is rein ICANN in and stop this kind of nonsense.

      • by makomk (752139)

        Except it doesn't mean that at all, because all those technologies are backwards-compatible. So any client that doesn't know about .secure should quite happily resolve .secure domains without using DNSSEC and connect to them over plain, unencrypted HTTP. In fact, I expect that in practice most clients won't validate DNSSEC because otherwise it'll break access to .secure sites on networks which don't support DNSSEC and their users will complain.

    • by MightyYar (622222)

      Who needs to hack it when there is already a secure.ru domain? It's already shady as hell - won't even let you in unless you let it set a javascript cookie.

  • An insecure website by any name sucks just as bad...

    *This Post Approved by the Council of Approving Things

  • tl;nt (Score:5, Insightful)

    by X0563511 (793323) on Friday May 11, 2012 @04:15PM (#39972197) Homepage Journal

    (too long, not typing)

    Seriously. When every other TLD is two or three characters, they decide to go use a full word? Breaking conventions AND convenience! Whee!

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Users don't type in URLs anymore!

    • by morcego (260031)

      Will be interesting to see people using URL shorteners (bitly etc) on .secure domains, and how that will compromise the whole principle of the idea.

      • by X0563511 (793323)

        I see no reason why it should. All that does is set up an HTTP redirect (which if you think about it for more than half a second is pretty much exactly like clicking a link)

        • by morcego (260031)

          You only see where you are being redirected to AFTER you click on the link.

          The .secure domain is only different because people can just assume it is secure, even before clicking.

          There is nothing stopping the current websites from being even more secure than the .secure ones. The principle of the idea is identify.

          • by X0563511 (793323)

            The .secure domain is only different because people can just assume it is secure, even before clicking.

            You are forgetting about SSL? .secure will be mandatory vetted SSL, combined with its own domain TLD? Eg, that certificate can't be used by a .com, which is not as vetted.

            • Yes, but unless the user's browser KNOWS that, any rogue DNS server could still potentially redirect them to a fake .secure site.
              • by X0563511 (793323)

                Which is why DNSSEC is supposed to be enforced for it, because that stops those kinds of shenanigans if people bother to implement it.

                • And once again, that depends on the user's browser (or whatever mechanism the browser accesses for DNS information) to enforce DNSSEC.
    • When every other TLD is two or three characters, they decide to go use a full word?

      Agreed. Why not just .s? Or maybe .sec?

      • .sec is just a fat finger slip away from .sex, which I can only assume will some day be its own TLD at the rate ICANN is handing them out. Can you imagine accidentally stumbling upon https://discreteaccountants.sex/ [discreteaccountants.sex] ? Hold that thought. I just had an idea for a startup.
      • Agreed with what? A completely false statement? There are TLDs that have been around for years to over a decade that are more than 3 characters.

        • by makomk (752139)

          All the TLDs that are over three characters long have gone almost totally unused for their intended purposes.

          • Arguably, in countries where the local country-code TLD isn't considered a deviant slumzone, the end user experience of a 'TLD' is already five characters long.

            Architecturally '.co.uk' isn't a TLD, of course; but the intention is more or less identical to '.com'. Adoption does fall off pretty rapidly as you get into the dodgier waters away from .com and .org; but there seems to be a reasonably widespread assumption that country code TLDs can be chopped up into categories in a way that effectively makes a
          • Try this one [chicken.coop]

            It's for a chicken co-op, but it sure sounds and reads more like a chicken coop (hen house) [wikipedia.org]

            I'm surprised no conspiracy groups ever registered dis.info or noneofyour.biz

            And in a case of the internet imitating life, steve.jobs is offline.

          • by nullchar (446050)

            There are a few .museum domains in use: http://index.museum/fullindex.php [index.museum]

            Even more .aero domains in use: http://www.nic.aero/cgi-bin/ad_search.cgi [nic.aero] (hit the search without changing the form)

            The same for .jobs and .travel whose registry operator verifies the website contents before allowing the nameservers in DNS. (Which is why steve.jobs never resolved anywhere.)

            Those > 3 character TLDs seem to adequately fit under their respective namespaces, unlike domain names under generic top level domains (gTLDs)

      • by KlomDark (6370)

        I think the goats have something to do with avoiding sec...

      • I mean there it is, just another plan to extort money, which then gets added to the product, which we pay for and somebody else is chipping off a little bit for themselves.

      • by Zocalo (252965)
        Two or three characters like ".museum" and ".travel", the former of which at least tries to enforce some verification of its domain applicants. It's hardly a new concept, if hardly widely adopted; I've only come across a handful of ".museum" sites and can't recall any ".travel" domains, although I'm sure there are some.

        What really frustrates is that we keep getting schemes like this that just look to be a pure money grab instead of things that might actually help solve a problem. Where's the accredit
        • Where's the accredited applicants only ".bank" gTLD to help prevent phishing of financial institutions, for instance?

          Not all "banks" are financial. Who would get blood.bank or sperm.bank?

          • by Zocalo (252965)
            True, there are several other types of "bank", but the one most people think of first is the financial type, and so far at least they are the ones mostly being targeted by phishers, although a 419 email phishing a sperm bank would be an "interesting" read, I'm sure. Still, why not? A bank's a bank, so why not allow "vlads.blood.bank" if you were running a hypothetical ".bank" domain? Or maybe apply ".finance" instead, since not all financial targets of phishing are banks, either; EFTS, building societie
        • by X0563511 (793323)

          Have you ever seen those domains used? No? That's my point. Nobody uses them because they are a pain in the ass.

          • by Zocalo (252965)
            Yes, I have, and said so in the post, along with the statement that they were not exactly widely used. For what it's worth, I've come across several museums with a site within the ".museum" gTLD since I travel a lot and like to find out something about the local culture while I'm there, for which museums are often a good place to start. I've also come across a couple of ".aero" domains and have an email address at a ".int". All that kind of proves my point though; gTLDs more than three letters are c
    • Ignoring .info, .museum, .aero, .arpa, .asia, .coop, .jobs, .mobi, .name, .travel, etc, right? There is no rule that says domains are only 2 or 3 characters despite nerd protestations.

    • by Guppy06 (410832)

      Length is irrelevant to a TLD getting ignored. When was the last time you visited a .us domain other than the likes of "delicio.us?"

      And that's before getting to all the state-specific subdomains (al.us, ak.us, ar.us, etc.) that aren't even used by the state governments in question.

      • by Coren22 (1625475)

        How about the last time you saw a .co, and didn't think to yourself it was odd visiting something in Colombia?

    • by thegarbz (1787294)

      Personally I find typing 4 characters tedious. Instead I just type the domain name and hit Ctrl+Enter.

      Combined with shortened URLs purchased by companies, "www.facebook.com"+Enter, becomes "fb"+Ctrl+Enter

  • by Anonymous Coward

    ...for every link within subdomains

  • Yeah yeah whatever (Score:2, Insightful)

    by Anonymous Coward

    Recall the ".pro" TLD? Supposed to be for "vetted professionals"? The first .pro I ever encountered turns out to be a crooked outfit. (If you must know, videolan.pro, which impersonates but does not actually have any connection to the real thing.) I have so far never encountered a dot-pro that was actually legit. A lesser used .biz of sorts, but with delusions of grandeur.

    So I'll reserve judgement on this one. Not that it isn't a reasonable idea, I've been toying with the notion for a while. It's the execu

    • by wiedzmin (1269816)

      Recall the ".pro" TLD? Supposed to be for "vetted professionals"? I have so far never encountered a dot-pro that was actually legit.

      What's ".pro"?

      • by X0563511 (793323)

        Erm, did you even read what you just quoted? The first sentence defines it.

        • by wiedzmin (1269816)
          The point was that I've never heard about it until now. I googled it right after. Useless.
          • by X0563511 (793323)

            You must not be seeing the AC's whole post. It starts with this, which tells you exactly what it is:

            Recall the ".pro" TLD? Supposed to be for "vetted professionals"?

            • by wiedzmin (1269816)
              Yes, I saw that. What's the point? Am I supposed to trust someone more because he is using a .pro domain, as opposed to a .com domain? IMHO, I would prefer he used a .com domain - that probably means he's been around longer.
              • by X0563511 (793323)

                I suppose the point was that you weren't supposed to be able to register .pro domains without actually having some means to vet your profession?

                I'm not the person to ask.

    • We obviously need to pair every .pro domain with a matching .con domain... you know, for balance.

  • by NemoinSpace (1118137) on Friday May 11, 2012 @04:20PM (#39972301) Homepage Journal
    Then I realized it wasn't a joke.
    This is so not going to end well.
    something almost, but not quite, entirely unlike tubes.
  • Hmm, just a way for domain registrars to make more money? https:// should be sufficient, browsers already inform you when you have a secure connection.
  • .bank (Score:5, Insightful)

    by wiedzmin (1269816) on Friday May 11, 2012 @04:23PM (#39972365)
    Again, I would rather have them introduce the .bank domain name, that can be registered only by verified banking institutions (they make it cost like $20,000 per year too, to further deter fraud). IMHO that, combined with PCI regulations enforcing the security of sites hosted on such domains, would be infinitely more useful.
    • by X0563511 (793323)

      with PCI regulations enforcing

      BWAHAHAHAHAHA!

      If only you knew what an insider knew.

      • by wiedzmin (1269816)
        I know that some compliance is better than no compliance at all. Even a poorly enforced PCI control on .bank is better than no control on .secure, no?
    • by thegarbz (1787294)

      (they make it cost like $20,000 per year too, to further deter fraud).

      You clearly don't know much about fraud do you? $20000? That's a single victim's savings right there. The problem is people do fraud not to boost their petty cash but to get rich from crime. If people thought they could only make that little money from fraud then they'd have real jobs instead.

    • by Patch86 (1465427)

      To be honest, I'd settle for ".bank.uk" (and your local equivalents). Nominet maintains (or allows) a number of second level domains which have policed registration requirements, so one for recognised banking organisations shouldn't be too hard to manage. Exactly what the criteria would be is debatable, but there are plenty of candidates- only FSA-regulated organisations, only organisations with a banking license, etc.

  • When I first saw this I thought, "Oh good, no more explaining to Grandma that you need to check for HTTPS://", but it is a bit to type. Why not replace "https://" with "shttp://" or "secure://"?
    • The stuff before the '://' specifies the protocol. There is no "secure://" protocol, nor does this proposal involve any additions or changes to what currently counts as https, except for actually using them consistently.
      • by fearlezz (594718)

        If that is the whole problem, why not rename the https protocol to "secure"?

        I personally don't think it's a bad idea to make secure:// an alias of https://. The only problem would be that just using https [google.com] does not tell anything [google.com] about the connections [ssllabs.com] actual security [google.nl].

        • by X0563511 (793323)

          The only problem would be that just using https does not tell anything about the connections actual security.

          Of course not. That's the job of the browser. It's not the protocol's fault the browsers don't do it. The CA break-ins are all political problems really - those who were trusted betrayed that trust in one way or another.

    • by pahles (701275)
      shttp:// sounds like a rather shitty protocol...
    • by geekoid (135745)

      I like how you have to explain something you clearly don't understand to your grandma.

  • Isn't this exactly what Extended Verification Certificates were supposed to be for?

    Why should I trust some arbitrary party to vet the security of a website by the virtue it's accessible with a particular TLD? I get that TLS shouldn't require any third parties merely to establish a secure pipe, but if you *are* looking for a third party to vet other stuff, like your bank's privacy policy and whatnot, this is exactly what PKI *does* do well, at the protocol level.

    • I'm skeptical of this fancy new domain (for basically the same reasons that I'm skeptical of SSL/TLS once you include the 'identity' problem); but 'EV' certs are a perfect example of how PKI, as presently implemented, does a ghastly job of doing what it is supposed to do. Plain, boring, certificates were originally supposed to be all authoritative and vetted and whatnot. That didn't survive price pressure and laziness, so now we have the new double-secret-verified certificates that make your browser turn gre
    • Isn't this exactly what Extended Verification Certificates were supposed to be for?

      I imagine that it's a TLD for which type-in traffic is intended to go on HTTPS instead of HTTP, and for which browsers can expect DNSSEC and EV certs and fail if not present.

  • If they are going to do this, can they at least shorten it? How about ".sec"?
  • So, who maneuvered this one into being, so that one they and their closest friends can approve people for this TLD? Oh, and we should start teaching the uneducated public that *.secure is the only way for a site to be trustworthy, so that those key players can make even more money from certificates that cost nearly nothing to generate.
  • by Arrogant-Bastard (141720) on Friday May 11, 2012 @04:34PM (#39972533)
    Given the rousing success of .mail, which immediately succeeded in reducing spam to a...oh...wait...

    And then there's .pro, which is used exclusively by millions of professionals and...oh...umm...

    Alright, never mind that. Of course it will be secure, because a well-known security company is on the job and...oh...errrrmm... Verisign, Pillar of Internet Security, Hacked [idexperts.com]...

    Doesn't matter. I'm certain it will work perfectly. I mean, really, what blackhat would target a .secure domain? Everyone knows they're secure.
  • Hack one. Purpose defeated.

    ICANN is a menace that needs to be put out of its misery.

  • Of course you can check if an IP only runs https when registering the domain. But you cannot check if the IP accepts http at some point later on ... and even with regular checks, a firewall could allow http for clients and disallow it for the checker IP.

    Also implying https on = secure. Then the browser display of 'valid certificate' would just be enough.

  • Unless it's secured from governments, agents provocateurs, corporate raiders, etc, it's not secure.

    These days, it's not just random Slavs looking to jack your CC info you need to keep watch for...
  • ...norton.secure and mcafee.secure found to be hosting ransomware and malware.
  • and a comprehensive vetting process for websites and their operators.

    What, like the one required to get a signed SSL cert? Oh wait, I mean the one to get an "Extended Validation" SSL cert.

  • When you use a https site you don't need the TLD to tell that it is secure: the protocol name is what's to be counted on.

  • by Kagetsuki (1620613) on Friday May 11, 2012 @08:44PM (#39975075)

    You know, and f*ing fix the certificate system. Make it so certificates are generated off some sort of DNS record information or something and add that info to the info registrars have. Or something. Buying certificates is almost like blackmail, and even if you do buy one it's not like your cert auth isn't vulnerable to attack or users won't just hit the "add exception" button when they get spoofed.

    Oh and as was mentioned above, making a .secure domain is like putting a target on yourself. Good luck with that one.

  • I don't think a new domain will prevent stupid mistakes like this: http://www.theregister.co.uk/2011/06/14/citigroup_website_hack_simple/ [theregister.co.uk] In short, Citibank's website was "hacked" by changing the account number in the URL. Account numbers exposed via GET requests.
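
The mistake described in the last comment above (an account number taken from the URL and trusted as-is), shown beside a handler that checks ownership. This is an added example, not part of the original thread and not the code of the site mentioned; the host `bank.example`, the handler names, and the account and session data are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: account id -> owner and balance.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 90},
}
# Constructed session table: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def _account_id(url):
    """Return the single 'account' query parameter of a request URL, or None."""
    values = parse_qs(urlsplit(url).query).get("account", [])
    return values[0] if len(values) == 1 else None


def view_account_vulnerable(url, session_token):
    """Checks that a session exists, then trusts whatever account the URL names."""
    if session_token not in SESSIONS:
        return 401, None
    account = ACCOUNTS.get(_account_id(url))
    if account is None:
        return 404, None
    # No ownership check: any logged-in user can read any account.
    return 200, account["balance"]


def view_account_checked(url, session_token):
    """Same lookup, plus an ownership check tied to the session's user."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    account = ACCOUNTS.get(_account_id(url))
    # Answer 404 for "missing" and "not yours" alike, so the response
    # does not reveal which account ids exist.
    if account is None or account["owner"] != user:
        return 404, None
    return 200, account["balance"]


if __name__ == "__main__":
    # Alice is logged in over HTTPS and edits the account number in the URL.
    url = "https://bank.example/statement?account=1002"
    print("vulnerable:", view_account_vulnerable(url, "tok-alice"))
    print("checked:   ", view_account_checked(url, "tok-alice"))
```

Both handlers are reached over the same HTTPS URL; only the server-side ownership check changes the outcome, which is the point the comment makes about the TLD.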
