
My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Dan Goodin at Ars Technica reports on iSec Partners, a company proposing to make .secure into a heavily-vetted high security domain. "Sites that wanted to be a part of this exclusive domain would have to undergo rigorous screening to verify their identity. Physical addresses, trademark registrations, articles of incorporation, and other legal documents would be reviewed by human beings. Upon approval, applicants would receive two-factor authentication hardware to register online. They would also be required to meet a minimum set of security practices, including end-to-end encryption of virtually all Web and e-mail traffic."



My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 11, 2012 23:49 UTC (Fri) by slashdot (guest, #22014) [Link]

There's no need for that, RFC 3514 already solves this.

Just set the evil bit correctly, and all will be fine.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 12, 2012 11:58 UTC (Sat) by nix (subscriber, #2304) [Link]

Quite. The moment this goes live it'll become a huge target for every bad guy out there, and unless all the .secure people have systems with zero vulnerabilities (yeah right), some of them will get in. Then the reputation advantage of .secure vanishes.

The worst scenario would be someone getting in, *not* making a huge song-and-dance about it, and exploiting the increased trust of .secure to quietly steal stuff for a long time. We are probably saved from this because hardly anyone in the general public pays the least attention to URLs anymore: they're not going to feel any increased trust because they won't even notice they're in .secure. The most they're going to see is the green bar.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 13, 2012 1:02 UTC (Sun) by pr1268 (subscriber, #24648) [Link]

Notice the date on RFC 3514. Of course, I'm assuming you already know the IETF's quirkiness in that regard.

But, I'm left wondering how serious iSec Partners and Artemis Internet are with this proposal? It seems to me that a .secure TLD would be the biggest target black hats would just love to exploit. This isn't some April Fools' joke stretched all the way to May, is it?

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 12, 2012 0:00 UTC (Sat) by robert_s (subscriber, #42402) [Link]

Yes because the answer is yet another highly centralized trust model.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 12, 2012 21:29 UTC (Sat) by wahern (subscriber, #37304) [Link]

I don't think the model is trust or centrality. The model is accountability. In an environment with proven repercussions for maintaining broken infrastructure, trust would follow naturally.

The problem is one of externalities. If some administrator's server gets broken into, the harm to him is minimal while the collective harm to everyone else can be significant. The way to fix this is to make that administrator internalize those costs. One mechanism to do it: kick him off the network, so that he really feels the pain when his box is p0wned. Whether the mechanism for kicking him off is centralized (a dictator) or not (a democracy), doesn't matter much in the short term.

So, you're not trusting the .secure TLD people to maintain security. You're expecting them to vigorously punish insecurity. If they don't do this, then people will move on. If they do, then any .secure network would be worthy of more trust than, say, a .cn network. That's a big "if", though. There're lots of conflicting economic interests at play.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 13, 2012 10:03 UTC (Sun) by robert_s (subscriber, #42402) [Link]

"That's a big "if", though. There're lots of conflicting economic interests at play."

That "if" becomes even bigger in the context of highly trusted certificate authorities issuing man-in-the-middle capable certificates to governments and "security systems" vendors.

Why do you think we would necessarily _know_ whether this organization is doing a good job maintaining security?

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 13, 2012 20:02 UTC (Sun) by copsewood (subscriber, #199) [Link]

.secure wouldn't be worth anything other than as a temporary marketing ploy for taking cash off the gullible unless it uses DNSSEC throughout.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 14, 2012 18:54 UTC (Mon) by hummassa (subscriber, #307) [Link]

s/unless/even if/

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 13, 2012 18:05 UTC (Sun) by rgmoore (✭ supporter ✭, #75) [Link]

If you really want to make the system work well, you need to provide some kind of reward- even if it's just reputation, rather than financial- for identifying and publicizing insecurity. Vulnerable sites will ask for a grace period to fix their problems, and the others will be tempted to give it to them. Whatever the long term benefit from having a serious penalty for being insecure, there will be some loss of reputation from admitting there's a problem; other sites will be tempted to prevent a short term hit by cooperating in covering it up as long as there's a promise of a prompt fix. They'll be doubly tempted because they'll want to ensure that there's a precedent that they'll be given a grace period if/when they're the vulnerable one. The only way out is to reward people for refusing to play along.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 13, 2012 18:51 UTC (Sun) by drag (subscriber, #31333) [Link]

That really pretty much describes how it works now for all websites.

And unless you are creating a website for vanity or some other personal satisfaction then it really all boils down to money no matter what your intentions are when designing an incentive system.

We all know what the truth behind this ".secure" thing is: it's an attempt to build a racket based around a flawed assumption/logic by the people that initially designed the domain naming system with its use of top level domains.

If these people get their ".secure" TLD accepted then pretty much every commercial website will feel compelled to re-purchase all their existing *.com/*.net/etc domain names, but now ending with ".secure". They want to make it complicated, exclusive, and expensive to get a ".secure" domain name not because they want to make the internet a better place, but because that will generate the maximum amount of revenue with the minimal amount of effort for themselves.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 24, 2012 11:52 UTC (Thu) by job (guest, #670) [Link]

Absolutely. You wouldn't want some porno site to register "your" domain name under our brand new TLD, right? That's the real business model, a sort of protection money if you will.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 18, 2012 21:30 UTC (Fri) by dafid_b (guest, #67424) [Link]

Given that companies with servers in the .secure domain have opted in, it then becomes reasonable for the browsers to apply rigorous standards to certificates etc.

The warnings can instead be errors that cannot be clicked past...

Maybe with an email report to the domain registrar of the problem.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 12, 2012 1:57 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

Does anyone remember .pro domain for "registered professionals"? No?

Oh well...

Old news

Posted May 12, 2012 6:54 UTC (Sat) by geofft (subscriber, #59789) [Link]

Hasn't this been implemented already? Every vulnerability-free site on the Internet is already in the .secure domain.

.onion vs .secure

Posted May 12, 2012 7:54 UTC (Sat) by atoponce (guest, #57402) [Link]

Don't we already have a secure infrastructure with .onion, without the centralized model? Heh. Seems someone missed that boat by a few years.

.onion vs .secure

Posted May 12, 2012 21:34 UTC (Sat) by wahern (subscriber, #37304) [Link]

Out of 1) authentication, 2) authorization, and 3) confidentiality, Onion routing only provides #3. I think the idea here is to provide a slightly higher floor regarding #1 and #2 for unknown people on the network. We tend to think of authentication and authorization in terms of passwords or ACLs, but in a simple SMTP exchange there are implicit authentication and authorization elements. They're just really weak.

.onion vs .secure

Posted May 12, 2012 21:56 UTC (Sat) by slashdot (guest, #22014) [Link]

SSL provides all of these.

In fact, it appears this ".secure" thing is mainly these guys attempting to replace the SSL CAs and monopolize that market.

This is only beneficial for mankind if they are indeed a better CA, and if their monopoly power is restricted either by themselves (with a legally binding pledge) or ICANN.

Unfortunately, I suspect these things aren't terribly likely.

.onion vs .secure

Posted May 13, 2012 23:28 UTC (Sun) by cmccabe (subscriber, #60281) [Link]

Indeed. I read this as "certificate authority offers to actually do its job for once, news at 11."

Which... actually might have some value. Of course, browser vendors would have to enforce the idea that only iSec Partners could hand out certs for .secure, but that seems relatively straightforward.

The stuff about enforcing good site security among customers seems a little far-fetched. If some large bank hands them a fat sack of cash, is iSec really going to decline because their site missed a few best practices? It's kind of hard to believe.

.onion vs .secure

Posted May 14, 2012 1:07 UTC (Mon) by vonbrand (subscriber, #4458) [Link]

The whole "security certificate" stuff being what it is, anybody could just set up their own CA which undercuts prices for .secure (presumably by doing a clown's job on checking), so...

Wait, that is how this racket works today.

.onion vs .secure

Posted May 18, 2012 10:26 UTC (Fri) by livne.dror (subscriber, #51160) [Link]

Actually, Tor hidden service names are self-certifying, therefore achieving #1, #3.

See:
https://www.torproject.org/docs/hidden-services.html.en

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 12, 2012 17:23 UTC (Sat) by drag (subscriber, #31333) [Link]

The whole .tld thing has become supremely irritating.

I can't help but think the whole concept was a big mistake in the beginning.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 13, 2012 23:05 UTC (Sun) by copsewood (subscriber, #199) [Link]

Way for ICANN to build out its empire, grow salaries etc.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 14, 2012 10:59 UTC (Mon) by Seegras (subscriber, #20463) [Link]

I said it years ago, and it's still true:

If you open up one TLD after another, people will feel compelled to register their name or whatever in each new TLD that comes along.

The only solution is to open up the namespace to ALL possible TLDs from 3 characters (those not already assigned) up to a certain length (maybe 20). Make it so nobody can own a TLD, but everybody can register any second-level Domain under any possible TLD.

This way, the namespace is much too big for anybody to register all of their trademarks or names or whatever under all of the possible TLDs, hell, not even all likely domains under all probable TLDs. www.cocacola? www.coke? www.coke-light? www.cola-zero? cola.zero? cola.light? coca.cola? And so on.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted Jun 1, 2012 0:35 UTC (Fri) by Baylink (subscriber, #755) [Link]

That is, nearly word for word, what I've been saying since at *least* the era when Chris Ambler's ioDesign was getting effed over for the .web registry; in fact, I'm pretty sure I put this concept in my NTIA DOC comments on the gTLD expansion...

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 14, 2012 6:07 UTC (Mon) by PaulWay (✭ supporter ✭, #45600) [Link]

Or, you know, the bad guys just *buy* a .secure domain and set it up. Then they just have to wait until the browser makers and company firewalls are cajoled into allowing unrestricted traffic to .secure because of all the legitimate vendors who set themselves up there as well.

Because the bad guys have companies, trade marks, locations, etc. And if their data is protected with SSL and trusted in the browser (for example), then it's an investment that pays off.

This is, frankly, wishful thinking. The evil bit does a better job of protecting traffic.

Have fun,

Paul

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 14, 2012 10:51 UTC (Mon) by sorpigal (subscriber, #36106) [Link]

Yet another group falsely conflating security with identity. There are two possibilities: This succeeds at a large scale and thus simply raises barriers of entry (costs) for anyone trying to set up a domain that people will agree to connect to, or it winds up meaning nothing. I don't see value in either one.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 14, 2012 20:59 UTC (Mon) by Lennie (subscriber, #49641) [Link]

Or as the CEO of the Canadian Internet Registration Authority says: "Half of all new top-level domains will fail".

"Just like any other private business starting up, all these new TLDs will have a 50 per cent chance of going out of business in two or three years"

He might be biased, but I do think many will fail. A few of the older TLDs had almost failed.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 15, 2012 0:31 UTC (Tue) by dlang (✭ supporter ✭, #313) [Link]

How does a TLD fail?

The business model of the org creating the TLD may fail, but unless they completely shut down the nameservers can the TLD be said to have failed?

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 16, 2012 0:54 UTC (Wed) by bronson (subscriber, #4806) [Link]

The nameservers for the TLD get shut down when the business quits paying its bills, don't they?

At $50,000+/hour for arbitration, those bills could get astronomical fast.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 14, 2012 16:04 UTC (Mon) by 1wn (guest, #84621) [Link]

This looks like a money grab similar to EV SSL crap.

My own private Internet: .secure TLD floated as bad-guy-free zone (Ars Technica)

Posted May 15, 2012 23:06 UTC (Tue) by gdt (subscriber, #6284) [Link]

This is a prime example of the "crunchy outside, soft inside" response to computer security. The entire system fails following the subversion of one machine on the inside. If you use a "soft inside" platform that subversion can be done by something as trivial as reading an e-mail. Securing the traffic of a subverted machine is of no benefit -- it is just as useless as a website with a "128bit SSL" logo writing credit card details to disk on a compromised machine.

Copyright © 2012, Eklektix, Inc.