NEWS FROM THE LAB - Saturday, May 19, 2007

And you can take that to the .bank

Posted by Mikko @ 07:59 GMT

We've been pushing for an initiative to get a secure top-level domain (like ".bank" or ".safe") for some time now. See this post for original context.

We've received lots of questions and also plain criticism over the whole idea – most notably, on Slashdot as well as from Larry Seltzer in his prominent blog.

So let me collect the most typical challenges to the idea, and answer them.

A new top-level domain will not solve the phishing problem once and for all, so it's not even worth considering.

This is not a silver bullet. A new top-level domain (TLD) would not be the end of the phishing problem. But it would be a helpful top-level domain and it would stop a particular subset of phishing completely.

But .com works just fine!

Today anybody can get a .com domain with a fake name and fake address, with a fake credit card. That's just fine with everybody? Don't we really need a TLD where you could actually trust that you know who owns the domain?

Phishers could still create realistic-looking fake domains. For example a look-a-like for www.citi.bank could be www.citi.bank.account.yadayada.com.

Yes, phishers would still be able to do this; the new top-level domain would not be able to do anything to stop this problem. The same goes for masked HTML links.

Illustration by Nenad Jakesevic for Foreign Policy

People are stupid and would not notice such a new address scheme.

The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with.
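A sketch of the check a browser toolbar could make with such a white list, written as an added example and not code from the original post. The set of verified TLDs and all function names are hypothetical; ".bank" and ".safe" are only the names suggested above.

```javascript
// Hypothetical allowlist: the TLDs proposed in this post, assumed to be registry-verified.
const VERIFIED_TLDS = new Set(["bank", "safe"]);

// Host the browser would really connect to (lower-cased, no root dot), or null.
// Parsing with URL means userinfo tricks ("citi.bank@other.example") do not fool us.
function effectiveHost(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.hostname.replace(/\.$/, "");
  } catch {
    return null;
  }
}

// Only the rightmost label decides: "citi.bank" buried further left does not count.
function hostHasVerifiedTld(host) {
  if (!host) return false;
  const labels = host.split(".");
  return labels.length >= 2 && VERIFIED_TLDS.has(labels[labels.length - 1]);
}

function isVerifiedUrl(url) {
  return hostHasVerifiedTld(effectiveHost(url));
}

// Classify a link by where it goes (href) and what the user is shown (visible text).
// "masked": the text displays a verified-TLD host but the href points somewhere else.
function classifyLink(href, visibleText) {
  const target = effectiveHost(href);
  if (!target) return "invalid";
  const shown = visibleText.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(shown);
  const shownHost = effectiveHost(hasScheme ? shown : "https://" + shown);
  if (hostHasVerifiedTld(shownHost) && shownHost !== target) return "masked";
  return hostHasVerifiedTld(target) ? "verified" : "unverified";
}

// Constructed sample links, using the look-alike host quoted in this post.
const samples = [
  ["https://www.citi.bank/login", "Log in"],
  ["https://www.citi.bank.account.yadayada.com/", "Log in"],
  ["https://www.citi.bank.account.yadayada.com/", "www.citi.bank"],
];
for (const [href, text] of samples) console.log(classifyLink(href, text), href);
```

The look-alike host is still reachable, as the answer above concedes; the difference is that software can tell it apart from a verified name without any judgment call.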

What about security researchers?

This would make life easier for security researchers to figure out which sites are not phishing sites. This really isn't as obvious as it sounds, as banks themselves use tons of different domains. We often spend precious time trying to confirm whether a particular phishy-sounding domain really belongs to a real bank or not.

Small banks and/or credit unions couldn't afford it.

Small banks are not currently the ones losing the most money. It's the big banks. And the domain doesn't have to be ".bank" literally. The TLD could be along the lines of .account, .verified, .safe, et cetera. It would be a TLD for "big players" that deal with lots of money. PayPal or eBay come to mind. And yeah, PayPal isn't a traditional bank but they certainly do get phished. They might want to have a secured TLD for account access.

Organized online criminals could afford to buy .bank domains for $50,000.

Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

What about .pro?

The .pro TLD does validate who gets the domains, but it's targeting a different audience (individual professionals like doctors and lawyers).

Extended Validation (EV) certificates largely address the same issues.

We're not against these new high-security web certificates. However, a secure top-level domain would still be a good idea: it would authenticate the domain as trusted by the name alone. There's no way to know if a site has a high-security certificate without visiting it.

Banks don't deserve their own domain.

We already have a TLD for airlines (try www.nw.aero) and museums (try the.british.museum). Isn't it a bit odd we don't have one for banks? Although they are the ones that get attacked all the time?

Would this be a global domain?

Probably. Then again, nothing prevents local governments from setting up domains like .bank.uk, .bank.jp, .bank.au in their own jurisdictions.

Would it work?

Yes: in the end there probably would be no rogue sites under such a new TLD. They would be elsewhere.

There are no rogue sites on .gov domain names. Why? Because you can only get a .gov domain if you really are a US governmental organization. Or how about .fi? The .fi (Finland) domain has very few malicious websites. Why is that? Because the registration process involves mailing a verification code to a physical mailing address. Just that extra step makes it less convenient to use for the bad guys. With all the extra verification steps that we would have in the registration of a .bank domain, scammers just wouldn't be able to do it.

Ok, I'm convinced. What's next?

This initiative won't move further until we find a sponsoring organization that starts to push it and proposes it officially to ICANN. This sponsoring organization is what we are trying to find at the moment.

This piece was crossposted with the Foreign Policy blog.