New .secure Internet Domain On Tap
CowboyRobot writes "A new top-level domain (TLD) in the works for the Internet will bake security in from the outset: The .secure domain will require fully encrypted HTTPS sessions and a comprehensive vetting process for websites and their operators. If the new domain takes off, it could shift the way Web domains are secured. ICANN is expected to sign off on .secure, and for the new TLD to be up and running June or July 2013."
Call me back in a month ... (Score:2, Troll)
Re:Call me back in a month ... (Score:4, Funny)
Re: (Score:3)
All this is going to do is encourage a false sense of security - after all, the chain of security is only as strong as the weakest link, and there are plenty of weak links, starting with the end users and their computers.
"But how was I to know that drivebydownload.secure serves up malware? Or that russianbusinessnetwork.secure would resell my credit card info?"
Re: (Score:3)
"But how was I to know that drivebydownload.secure serves up malware? Or that russianbusinessnetwork.secure would resell my credit card info?"
Even the summary says "vetting process for websites and their operators"...
Re: (Score:2)
It's a TLD that's going to be operated by a private for-profit business. They won't be able to do much in the way of an invasive "vetting process", and $$$ talks. Even the Hells Angels know how to use "prête-noms" (people who lend their names and identities as covers for activities) and "social engineering" (crack, broken bones) to get around it.
Re: (Score:3)
In both systems the security is going to be about as crap as the weakest link (crappiest CA/subdomain or reseller).
Re:Call me back in a month ... (Score:4, Informative)
And it's this type of attitude that will kill it. They're not claiming it to be bulletproof or perfect, only that they're enforcing a number of currently available security protocols that are optional in the general internet, and difficult to figure out if they're actually in use. So if you're on a .secure domain name, it doesn't mean the site is unhackable, but it does mean that you resolved the domain via DNSSEC, and that your connection is over SSL, and that the SSL certificate was reasonably vetted. Unfortunately, this doesn't solve the fundamental problem that understanding network security requires some knowledge, and so some day some site on this TLD will get hacked, and every shitty news organization on the planet will talk about how .secure is worthless, and it will die.
Re: (Score:2, Troll)
Re: (Score:3, Interesting)
So by that logic, you shouldn't be allowed to advertise anything as "secure" because nothing is 100% secure, but if you call something secure then stupid people will assume it is impenetrable. I mean, the security system on my house doesn't turn it into an impenetrable bunker, but it does increase my security, and no one has a problem with it being referred to as a "security system", so how is this different?
The fundamental problem is that while everyone realizes that there's no such thing as perfect secur
Re:Call me back in a month ... (Score:5, Insightful)
And we can do all that now without paying ICANN extra fees or creating the illusion that it's "secure" because the address says so. Which is exactly what end users and the media are going to believe.
What we really need to do is rein ICANN in and stop this kind of nonsense.
Re: (Score:2)
Uh, no. All of these new gTLDs (generic top level domains) will be "sponsored" by ICANN and run by various registries (private corporations or public ones) under an ICANN agreement. The agreements are periodically "refreshed" through ICANN proposals (just like com/net/org/etc are today) where the statutes of the agreements may change.
So in the application for .secure, the applicant puts in whatever rules they want (e.g. for .slashdot, each registrant must list their UUID and have excellent karma) and if I
Re: (Score:2)
Enough already with the slew of new gTLDs. ICANN looks to me like the pathetic case of an enfeebled whore scratching for a buck; that, or corporate racketeers.
Re: (Score:3)
Except it doesn't mean that at all, because all those technologies are backwards-compatible. So any client that doesn't know about .secure should quite happily resolve .secure domains without using DNSSEC and connect to them over plain, unencrypted HTTP. In fact, I expect that in practice most clients won't validate DNSSEC because otherwise it'll break access to .secure sites on networks which don't support DNSSEC and their users will complain.
Re: (Score:2)
Re: (Score:2)
Who needs to hack it when there is already a secure.ru domain? It's already shady as hell - won't even let you in unless you let it set a javascript cookie.
By any Name (Score:2)
An insecure website by any name sucks just as bad...
*This Post Approved by the Council of Approving Things
tl;nt (Score:5, Insightful)
(too long, not typing)
Seriously. When every other TLD is two or three characters, they decide to go use a full word? Breaking conventions AND convenience! Whee!
Re: (Score:2, Interesting)
Users don't type in URLs anymore!
Re: (Score:3)
yeah, just google "online banking" when you want to use your online-banking.
Re:tl;nt (Score:5, Funny)
Re: (Score:2)
Will be interesting to see people using URL shorteners (bitly etc) on .secure domains, and how that will compromise the whole principle of the idea.
Re: (Score:2)
I see no reason why it should. All that does is set up an HTTP redirect (which if you think about it for more than half a second is pretty much exactly like clicking a link)
Re: (Score:3)
You only see where you are being redirected to AFTER you click on the link.
The .secure domain is only different because people can just assume it is secure, even before clicking.
There is nothing stopping the current websites from being even more secure than the .secure ones. The principle of the idea is identify.
Re: (Score:2)
The .secure domain is only different because people can just assume it is secure, even before clicking.
You are forgetting about SSL? .secure will be mandatory vetted SSL, combined with its own domain TLD? Eg, that certificate can't be used by a .com, which is not as vetted.
Re: (Score:2)
Re: (Score:2)
Which is why DNSSEC is supposed to be enforced for it, because that stops those kinds of shenanigans if people bother to implement it.
Re: (Score:2)
Re: (Score:2)
When every other TLD is two or three characters, they decide to go use a full word?
Agreed. Why not just .s? Or maybe .sec?
Bad idea... (Score:2)
Re: (Score:2)
Agreed with what? A completely false statement? There are TLDs that have been around for years to over a decade that are more than 3 characters.
Re: (Score:2)
All the TLDs that are over three characters long have gone almost totally unused for their intended purposes.
Re: (Score:2)
Architecturally '.co.uk' isn't a TLD, of course; but the intention is more or less identical to '.com'. Adoption does fall off pretty rapidly as you get into the dodgier waters away from
Re: (Score:2)
It's for a chicken co-op, but it sure sounds and reads more like a chicken coop (hen house) [wikipedia.org]
I'm surprised no conspiracy groups ever registered dis.info or noneofyour.biz
And in a case of the internet imitating life, steve.jobs is offline.
Re: (Score:3)
There are a few .museum domains in use: http://index.museum/fullindex.php [index.museum]
Even more .aero domains in use: http://www.nic.aero/cgi-bin/ad_search.cgi [nic.aero] (hit the search without changing the form)
The same for .jobs and .travel, whose registry operator verifies the website contents before allowing the nameservers in DNS. (Which is why steve.jobs never resolved anywhere.)
Those > 3 character TLDs seem to adequately fit under their respective namespaces, unlike domain names under generic top level domains (gTLDs)
Re: (Score:2)
I think the goats have something to do with avoiding sec...
Clearly they should have used .sucr (Score:2)
I mean there it is, just another plan to extort money, which then gets added to the product, which we pay for and somebody else is chipping off a little bit for themselves.
Re: (Score:2)
What really frustrates is that we keep getting schemes like this that just look to be a pure money grab instead of things that might actually help solve a problem. Where's the accredit
sperm.bank (Score:2)
Where's the accredited applicants only ".bank" gTLD to help prevent phishing of financial institutions, for instance?
Not all "banks" are financial. Who would get blood.bank or sperm.bank?
Re: (Score:2)
Chicken.coop (Score:2)
Yes, I know there is already a ".coop" gTLD, but that's just for the birds.
Yeah, especially the Montana Poultry Growers Cooperative [chicken.coop].
Re: (Score:2)
Have you ever seen those domains used? No? That's my point. Nobody uses them because they are a pain in the ass.
Re: (Score:2)
Re: (Score:2)
So, with IPv6, will you be changing it to a 128-bit double.double (aka a "tim horton's").
Re: (Score:3)
Ignoring .info, .museum, .aero, .arpa, .asia, .coop, .jobs, .mobi, .name, .travel, etc, right? There is no rule that says domains are only 2 or 3 characters despite nerd protestations.
Re:tl;nt (Score:5, Insightful)
Pretty much everybody else ignores those, so why not?
Re: (Score:2)
Re: (Score:2)
.info is widely used, too. but museum? seriously?
Re: (Score:2)
They could put up tree.museum and charge $1.50.
Re: (Score:2)
Re: (Score:2)
Length is irrelevant to a TLD getting ignored. When was the last time you visited a .us domain other than the likes of "delicio.us?"
And that's before getting to all the state-specific subdomains (al.us, ak.us, ar.us, etc.) that aren't even used by the state governments in question.
Re: (Score:2)
How about the last time you saw a .co, and didn't think to yourself it was odd visiting something in Colombia?
Re: (Score:2)
Personally I find typing 4 characters tedious. Instead I just type the domain name and hit Ctrl+Enter.
Combined with shortened URLs purchased by companies, "www.faceboo.com"+Enter, becomes "fb"+Ctrl+Enter
Re: (Score:2)
... and how would it be detected or prevented? You don't seem to understand much of the actual technologies involved, here.
CAPTCHA (Score:1)
...for every link within subdomains
Yeah yeah whatever (Score:2, Insightful)
Recall the ".pro" TLD? Supposed to be for "vetted professionals"? The first .pro I ever encountered turns out to be a crooked outfit. (If you must know, videolan.pro, which impersonates but does not actually have any connection to the real thing.) I have so far never encountered a dot-pro that was actually legit. A lesser used .biz of sorts, but with delusions of grandeur.
So I'll reserve judgement on this one. Not that it isn't a reasonable idea, I've been toying with the notion for a while. It's the execu
Re: (Score:2)
Recall the ".pro" TLD? Supposed to be for "vetted professionals"? I have so far never encountered a dot-pro that was actually legit.
What's ".pro"?
Re: (Score:3)
Erm, did you even read what you just quoted? The first sentence defines it.
Re: (Score:2)
Re: (Score:2)
You must not be seeing the AC's whole post. It starts with this, which tells you exactly what it is:
Recall the ".pro" TLD? Supposed to be for "vetted professionals"?
Re: (Score:2)
Re: (Score:2)
I suppose the point was that you weren't supposed to be able to register .pro domains without actually having some means to vet your profession?
I'm not the person to ask.
Re: (Score:2)
We obviously need to pair every .pro domain with a matching .con domain... you know, for balance.
Re: (Score:2)
.con should be a CNAME to .com at the root (.) level :P
i was laughing at the headline (Score:3, Insightful)
This is so not going to end well.
something almost, but not quite, entirely unlike tubes.
Re: (Score:2)
I've been waiting for the .cdn TLD for some time, to house all content distribution networks, and anyone who wants to pretend they're a CDN.
The search for more money (Score:2)
Re: (Score:2)
So they'll implement a new protocol: httpSS - twice as secure ... and you'll use it and like it, OR ELSE!
Of course it's a money grab. So quick - register in.secure and cash in!
Re: (Score:2)
So they'll implement a new protocol: httpSS - twice as secure
You laugh, but...
https://wwws.whitehouse.gov/petitions#!/ [whitehouse.gov]
https://wwws.safra.com/SafraOfficeBank/ [safra.com]
http://wwws.aa.warnerbros.com/journeytothecenteroftheearth2/ [warnerbros.com]
https://wwws.loc.gov/readerreg/remote/ [loc.gov]
Secure browsing has already gone enterprisey with the new WWWS for secure sites
Notice the 3rd link. https:// is not even configured on this server. Yet we are meant to think it is secure because of the 'wwws'.
Re: (Score:2)
(don't hit me, I'm joking)
.bank (Score:5, Insightful)
Re: (Score:2)
with PCI regulations enforcing
BWAHAHAHAHAHA!
If only you knew what an insider knew.
Re: (Score:2)
Re: (Score:2)
(they make it cost like $20,000 per year too, to further deter fraud).
You clearly don't know much about fraud do you? $20000? That's a single victim's savings right there. The problem is people do fraud not to boost their petty cash but to get rich from crime. If people thought they could only make that little money from fraud then they'd have real jobs instead.
Re: (Score:2)
To be honest, I'd settle for ".bank.uk" (and your local equivalents). Nominet maintains (or allows) a number of second level domains which have policed registration requirements, so one for recognised banking organisations shouldn't be too hard to manage. Exactly what the criteria would be is debatable, but there are plenty of candidates- only FSA-regulated organisations, only organisations with a banking license, etc.
Re: (Score:2)
The thing is, people read left to right, and web addresses read inside to out. Try to convince most endusers that http://www.wellsfargo.com.soundslegit1234.ru/onlinebank/enterpasswordhere.html [soundslegit1234.ru] isn't safe.
Even if people do read the URL, they often don't understand it. A .secure TLD just gets buried in the legit-looking stuff on the outside.
Fair enough, though newer browsers do help somewhat by highlighting the TLD in the address bar in a different color.
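The left-to-right versus right-to-left reading problem raised in this sub-thread, as an added example that is not part of any poster's comment: it splits a hostname the way DNS does and flags names where a brand domain or the word "secure" sits only in the left-hand labels. The first sample URL is the one quoted above; the `mybank` hostnames and the short two-label suffix set are constructed, and IP-literal hosts are not handled.

```javascript
// Added example. TWO_LABEL_SUFFIXES is a tiny constructed stand-in for the
// Public Suffix List; a real check should load the full list.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// DNS ownership is decided by the rightmost labels, not by what reads first.
function analyzeUrl(rawUrl, brandDomains = []) {
  const url = new URL(rawUrl);
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  const tld = labels[labels.length - 1];
  const suffixLen = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 2 : 1;
  const registrable = labels.slice(-(suffixLen + 1)).join(".");
  const prefix = labels.slice(0, -(suffixLen + 1)).join(".");

  // Brand domains that show up only in the freely chosen left-hand labels.
  const embeddedBrands = brandDomains.filter(
    (d) => registrable !== d && (prefix === d || prefix.endsWith("." + d))
  );
  // "secure" is visible in the name but is not the actual TLD.
  const secureLabelBuried = tld !== "secure" && labels.includes("secure");

  return {
    host, tld, registrable,
    https: url.protocol === "https:",
    tldIsSecure: tld === "secure",
    secureLabelBuried,
    embeddedBrands,
    suspicious: embeddedBrands.length > 0 || secureLabelBuried,
  };
}

// Constructed sample inputs, except the first, which is quoted in the thread.
const SAMPLES = [
  "http://www.wellsfargo.com.soundslegit1234.ru/onlinebank/enterpasswordhere.html",
  "https://mybank.secure/login",
  "https://mybank.secure.login-portal.example/",
  "https://www.mybank.co.uk/",
];
for (const s of SAMPLES) {
  const r = analyzeUrl(s, ["wellsfargo.com"]);
  console.log(`${r.registrable.padEnd(22)} tld=.${r.tld.padEnd(8)} suspicious=${r.suspicious}`);
}
```

The third sample is the case the quoted comment describes: ".secure" is on screen, but the name is registered under a different TLD entirely.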
secure:// (Score:1)
Re: (Score:2)
Re: (Score:2)
If that is the whole problem, why not rename the https protocol to "secure"?
I personally don't think it's a bad idea to make secure:// an alias of https://. The only problem would be that just using https [google.com] does not tell anything [google.com] about the connection's [ssllabs.com] actual security [google.nl].
Re: (Score:2)
The only problem would be that just using https does not tell anything about the connection's actual security.
Of course not. That's the job of the browser. It's not the protocol's fault the browsers don't do it. The CA break-ins are all political problems really - those who were trusted betrayed that trust in one way or another.
Re: (Score:2)
Re: (Score:2)
I like how you have to explain something you clearly don't understand to your grandma.
EV certificates? (Score:2)
Isn't this exactly what Extended Verification Certificates were supposed to be for?
Why should I trust some arbitrary party to vet the security of a website by the virtue it's accessible with a particular TLD? I get that TLS shouldn't require any third parties merely to establish a secure pipe, but if you *are* looking for a third party to vet other stuff, like your bank's privacy policy and whatnot, this is exactly what PKI *does* do well, at the protocol level.
Re: (Score:3)
Type-in traffic (Score:2)
Isn't this exactly what Extended Verification Certificates were supposed to be for?
I imagine that it's a TLD for which type-in traffic is intended to go on HTTPS instead of HTTP, and for which browsers can expect DNSSEC and EV certs and fail if not present.
Too Long (Score:2)
Re: (Score:2)
Re: (Score:2)
Shortening to ".sec" is not a good idea - on a QWERTY keyboard the C and X keys are next to each other and grandma cannot be trusted to avoid typos...
I thought the new domain for that stuff was .xxx?
Re: (Score:2)
Oh my god, but what if people accidentally mistype that as .ccc? THEY'RE RIGHT THERE NEXT TO EACH OTHER ON THE KEYBOARD!
Bribes, Corruption, Maneuvering (Score:1)
What could possibly go wrong? (Score:3)
And then there's
Alright, never mind that. Of course it will be secure, because a well-known security company is on the job and...oh...errrrmm... Verisign, Pillar of Internet Security, Hacked [idexperts.com]...
Doesn't matter. I'm certain it will work perfectly. I mean, really, what blackhat would target a
Monumentally stupid idea (Score:2)
Hack one. Purpose defeated.
ICANN is a menace that needs to be put out of its misery.
someone did not understand DNS (Score:2)
Of course you can check whether an IP only runs HTTPS when registering the domain. But you cannot check whether the IP accepts HTTP at some point later on ... and even with regular checks, a firewall could allow HTTP for clients and disallow it for the checker IP.
Also, this implies HTTPS on = secure. Then the browser display of 'valid certificate' would just be enough.
Re: (Score:2)
Yeah, and what do browsers do that are older than the .secure domain? Or browsers that just support normal networking without special rules for .secure? And how should the average user tell whether a browser supports secure or not?
.Secure? From whom? (Score:2)
These days, it's not just random Slavs looking to jack your CC info you need to keep watch for...
In related news... (Score:2)
Heard this before (Score:2)
and a comprehensive vetting process for websites and their operators.
What, like the one required to get a signed SSL cert? Oh wait, I mean the one to get an "Extended Validation" SSL cert.
What's the point? (Score:2)
When you use a https site you don't need the TLD to tell that it is secure: the protocol name is what's to be counted on.
Why not just make HTTPS a "default" option (Score:3)
You know, and f*ing fix the certificate system. Make it so certificates are generated off some sort of DNS record information or something and add that info to the info registrars have. Or something. Buying certificates is almost like blackmail, and even if you do buy one it's not like your cert auth isn't vulnerable to attack or users won't just hit the "add exception" button when they get spoofed.
Oh and as was mentioned above, making a .secure domain is like putting a target on yourself. Good luck with that one.
Still doesn't guard against lazy programming (Score:2)
Re: (Score:2)
The 'domaintype' notion is the kicker. It isn't quite as broad as an arbitrary string; but it is very broad indeed, and would be the stuff of endless wrangling (and, since many sites do multiple things, would suffer from similar must-protect-trademark-on-all-possible-domains shenanigans). At some point, you have to give up and accept