F-Secure Calls for '.safe' TLD

Rajesh writes "According to F-Secure, ICANN (Internet Corporation for Assigned Names and Numbers), the organization responsible for the global coordination of the Internet's system of unique identifiers, should introduce a .safe domain name to be used by registered banks and other financial organizations."

Maybe its just me..

[mulvane (692631)]

But wouldn't something a little more, well, financially sound be better. .safe just makes me think of child protection sites, law enforcement security boards and such. I know .fin is taken, but how about someone put a little more thought into this one. I agree we possibly COULD use a .safe, but for other purposes.

Re:Maybe its just me..

[kisrael (134664)]

The choice of ".safe" also sounds like blatant propaganda...

Re:Maybe its just me..

[smallfries (601545)]

Exactly, how many people would pay for an .unsafe tld?

So once 95% of all websites decide that they want to be safe, how do organise the namespace? How about .com.safe, .gov.safe, .net.safe....

Then all we do is turn off the .unsafe domain and we're done!

Re:Maybe its just me..

[thsths (31372)]

> So once 95% of all websites decide that they want to be safe, how do organise the namespace?

That should be easy: .safe, .extrasafe, .doubleplussafe, .360safe etc. The only limit is the amount payed to the registrar :-)

Re:Maybe its just me..

[geekoid (135745)]

You don't let '95%' of all domains use it.

So financial institutions get it, but "we're not a bank" Paypal wouldn't.
That's a shiv I would love to see paypal get.

Re:

[borawjm (747876)]

Exactly, how many people would pay for an .unsafe tld?

I'm going to be the first to register un.safe and claim that it is a "safe" website

Re:Maybe its just me..

[gEvil (beta) (945888)]

Agreed. We should also create a .terror domain--it'd help make tracking down those evil evil terra-ists that much easier...

Re:Maybe its just me..

[Anne Thwacks (531696)]

Support the .scam domain! And the .spam domain too!

Re:

[jacksonj04 (800021)]

An awkward bit of history, back from when you had to follow the rules when registering domains and the US didn't have their own TLD, so they used .gov, .com, .org, .edu etc as their own and asked everybody else to use their own national TLDs.

Part of me misses the enforced rules bit, as now you can't tell where a website actually originates for. Anybody remember all the .to domains? fly.to, go.to etc, none of which came from Tonga.

Not only that...

[Pollux (102520)]

But it also sounds like an inviting and tempting invitation for hackers to prove that nothing is ".safe"

What next? Will someone build a ship and claim it's unsinkable? Oh wait...

Re:

[BDPrime (1012761)]

The article suggests .bank as well. That could be OK, but what about financial firms that might not consider themselves banks?

Re:Maybe its just me..

[eln (21727)]

Or financial sites that studiously avoid calling themselves a bank, even though they clearly are one, in order to avoid being regulated like a bank. Such as Paypal.

Also, .safe is just asking for trouble. It gives people an even greater false sense of security than they already have about "secure" websites. Might as well just call it .lawsuit-magnet.

Re:Maybe its just me..

[stonecypher (118140)]

Why is it that everyone seems to think a company that transfers money and holds money in accounts is a bank? Your utility companies do that, credit cards are issued by non-banks all day, et cetera. You might as well argue that Final Fantasy Online is a bank - you can purchase in-game currency, give it to someone else, then have it converted back to real currency. Do rechargeable, releaseable gift cards make every store in the mall a bank? Is my cellular phone company a bank? My cell phone can make payments for me, even.

Bank regulations aren't about little-guy money transfers, and wouldn't help in virtually any of the "omg paypal skrooed me" situations (which, I might note, I've never actually seen be anything other than the fault of one of the two end-users. Yes, PayPal freezes accounts too easily, but frankly, if you can't tolerate a several-day money lag, you shouldn't be transacting online at all.) Bank regulations are about the investment of held capital and so forth, to prevent messes like the 1914 commodity crash or the 1980s savings and loan scandal. Say what you will about PayPal, but their back-end investments are safe, conservative and shrewd. No bank regulations would affect PayPal in any way that the end users would find significant, other than to increase existing rates (not by enough to affect most transactions, but it would kill the micropayment system dead.)

The next time you go complaining about regulations, maybe you should name the specific regulation you want. That way, when people read what you say, they won't do what I did, and assume you're some clueless whiner who just wants to repeat what everyone else says to sound smart, when bitching about an online business that they heard screwed a friend of a friend of a friend.

Of course, that'd require knowing what you were talking about.

Re:Maybe its just me..

[goombah99 (560566)]

how about .careful ? To remind people not to assume something is safe from it's name. Otherwise please click on my NotAVirus.exe.

Who will accredit third world banks such as the FIRST BANK OF JOSEPH ENTBE OF NIGERIA?

Re:

[ozbon (99708)]

How about .legit ?

*grin*

Re:

[CastrTroy (595695)]

Only if I'm allowed to buy too.legit. :)

Re:

[warpSpeed (67927)]

Only if I'm allowed to buy too.legit. :)

www.too.legit.to.quit
and
www.hammer.time

Re:

[teh kurisu (701097)]

I'm actually mystified as to why UK banks don't use the .plc.uk domain, which is reserved for publicly listed companies.

Re:

[i.r.id10t (595143)]

Don't feel bad. I'm miffed that the government uses .com's (and .nets, etc) instead of .gov. I also think they shoulda given a .gov domain for the yearly free credit report stuff. As much as I trust myself, before entering all that juicy info, I actually found links to the .com from the .gov websites, etc. first...

.safe

[voice_of_all_reason (926702)]

Brought to you by King Canute. Make things happen by simply commanding them to be so!

(yes, I'm well aware that interpretation of the story is incorrect).

As a matter of principle...

[rlthomps-1 (545290)]

I just don't trust anything that comes out and says "trust me, I'm safe." This isn't a good idea, it teaches people to let their guard down as opposed to being aware of the risks of blanketly trusting a website. What if someone gets some exploit code on one of these sites? I think it'll just take a few notable hacked up website before the whole trust of .safe is lost.

Re:

[epiphani (254981)]

What if someone gets some exploit code on one of these sites?

Why, F-secure can offer a service to make sure this doesn't happen! In fact, why not just say F-secure is responsible for validating sites in this TLD. That would be great.

The idea isn't really flawed, but the source is questionable. Its like a company that makes carbon filtering equipment says that all power plants should meet X carbon emissions. Great idea, not news, and blatantly self-serving.

Re:

[buro9 (633210)]

http://mydomain.com/ [mydomain.com]

I can see this working already ;)

The tools are already in existence to secure communications, and they are already in use. The flaw in the system is not the domain names or secure connections but the users who are deceived into accessing other sites and to give up personal details. .safe will not end deceptive practices, especially when success = money.

Education is the way to secure users, that and banks and other entities that really require security to actually employing some decent se

Re:

[buro9 (633210)]

My original link was:
http : // www . barclaysbank . safe @ mydomain . com /

It's nice to see that slashdot takes care of that anyway.

Re:

[Bogtha (906264)]

What if someone gets some exploit code on one of these sites?

This has already happened: Hacked Chinese Bank Server Phishes for US Banks [slashdot.org].

Not going to help

[CastrTroy (595695)]

As long as people continue to click on links they get in emails, a not verify that they are actually at their bank's website, then there's going to be problems with phishing. It doesn't matter if the url ends in .com, or .ca, or .safe, or .xxx. If you're clicking on links in emails and getting scammed, then changing the domain name won't help anything. I'm surprised there's not more worms out there that change your hosts file, to show you a phishing site when you type in the actual url of your bank. I guess it really is that easy to get somebody to click on a link in an email, because they haven't resorted to more complicated methods.

Re:Not going to help

[networkBoy (774728)]

so we need a .safe and a .scam domain?
Likely won't make a lick of difference though.
-nB

Because you know

[dctoastman (995251)]

People are infallible and immune from social engineering attacks and there is no way a shady organization would ever get a .safe domain.

Countdown...

[Yoozer (1055188)]

Count down to the first case where a .safe domain is corrupted because of nepotism, fraud, forgery, what-have-you.

A TLD does not solve this problem. An alert user does, aided by tools like regular check-ups, challenge-response systems or cryptography.

We've all heard how some corporations lose several thousands of records of personal data. What does that .safe TLD mean, in that case?

Re:

[CastrTroy (595695)]

I would like to know my more banks don't offer more secure methods of authentication like RSA keytags and such. This would completely wipe out most of the problems with phishing. Instead they think up other useless methods like making you click on an onscreen keypad to enter your password, or asking you what your favourite movie is. I think that many people would pay for the keytag themselves if they were presented with the option, just for having the peace of mind knowing they are more secure. I know

Great but...

[otacon (445694)]

People are still pretty dumb and easily tricked, the kind of people that get duped into putting their info in a phishing site are the same people that could be tricked by a fake URL...i.e. safe.financialsite.com or yourbank.com/safe or any other obvious ways to add safe into a URL.

Re:

[l0b0 (803611)]

A lot of people seem to be completely oblivious to URLs. You could use insecure.stayaway.ng/porn without raising suspicion from *pulls out a number* 83% of the population.

How will it protect users from their own idiocy?

[140Mandak262Jamuna (970587)]

People respond to phishes and Nigerian scams and give all their usernames and passwords voluntarily without ever touching their banks or the safe domains. How can banks protect against such users? Why should it be the bank's responsibility to tell the customers, "It is not a good idea to paint your user name and password on the side of your home in 26inch high letters".

Will this really make a difference?

[FredDC (1048502)]

I don't think so...
 
There will always be idiots, who will fill in their credit card information at visa.safe.ru!

Is it useful?

[efence (927813)]

There is a much greater need to tell when a site is NOT safe. There is a reason that URLs with IP addresses and domain names such as "www.paypal.secure.dodgydomain.info/..." are still effective. Introduction of a new TLD is not a replacement for user education.

Assumptions

[hack slash (1064002)]

If a .safe TLD was introduced then too many people would automatically have the assumption that their PC would never be infected from visiting a .safe site nor would it's details on them ever be compromised. I don't believe anyone can say with 100% certainty that all .safe domains would be hacker proof, in fact I think hackers would be much more attracted to trying to break into .safe sites in the knowledge that people wouldn't automatically be vigilant when visiting those sites.

Re:

[geekoid (135745)]

True, but it would decrease risk, which what security implementation is really about.

They would need to implement some tough rules for who can register them for it to have a chance of working. Smething I don't think they have the backbone to do.

All this assumes people actually look at where a link goes before clicking it.

I have a better idea!

[140Mandak262Jamuna (970587)]

Let us create a separate domain for phish hosts! All phishing sites must clearly identify them as phishing sites to get a chance to be listed in that domain. Of course, compliance is voluntary. It makes as much sense as the safe domain for the banks.

Not a new idea.

[bigmaddog (184845)]

This sounds a whole lot like RFC #3514 [rfc.net] to me, except on a higher level, which makes the idea at least four years old.

Bad idea

[ProfessionalCookie (673314)]

Domain names are to easy to fake. That's all. Perhaps a better name system?

safe = !safe

[symes (835608)]

But surely, to the inexperienced, anything can look "safe" e.g. www.urbank.safe [bizarremag.com]. As others have already suggested above, it's better to educate than attempt structural changes to protect the naive.

Nice idea but...

[JohnnyBigodes (609498)]

... I don't think it will work, at least not how they think.

Many worms change your HOSTS file and there's also the good ol' DNS poisoning, so this ".safe" thing can't be 100% trusted. And if it can't be 100% trusted, we might as well stick to what we (don't) have.

Oh God, Not Again!

[user24 (854467)]

Are we really going to have to go through every argument why .xxx was a bad idea, replacing "porn" with "safe" and "perverts" with "hackers"

quick, someone who knows regex copy the most highly modded comments from here [slashdot.org], here [slashdot.org], here [slashdot.org], here [slashdot.org] and here [slashdot.org], and save us [xkcd.com]!

This is a great idea, I'm sure it'll work

[mrwiggly (34597)]

<a href="http://phishers.com">click to login to http://mybank.safe/ [mybank.safe] </a>

.safe will be even more unsafe

[IGnatius T Foobar (4328)]

The usual phishing tricks will work, and they'll work even better. Phisher creates a link to a phishing site, and the text of the link will point to a ".safe" domain. Naive user is as naive as ever, and thinks "Well, I know that '.safe' means that it's a genuine site, so it's safe to click on it" and cheerfully submits his/her private identity to the phishers.

Dumb idea, game over. Next...

On the face of it...

[Ngarrang (1023425)]

On the face of it, the idea is not completely awful. As usage of the internet grows, the organization of the domain names will grow in complexity and scope.

We have .gov for the US government sites. This makes sense. All government-owned web sites are then managed in one place. We have .edu for education institutions.

Financial institutions are a major power in our society, like government, so maybe they should have a specific domain. This would make looking for a financial place predictable. "I need to find my bank's web site. Ah, I will try bankname.bank" knowing that you will at least get a real bank, and not a phishing scam built on a typo in a name. .shop for on-line shops that actually sell through their web site. eg. Amazon, TigerDirect

There are other major market segments which could justify a TLD like libraries (.lib?) and medical (.med?).

We should not let a fear of abusers stop us from trying to organize things in a predictably way. With more TLD options, we could possibly avoid domain names having to be ever longer because their name was already taken.

Re:

[digitalhermit (113459)]

For the most part, I agree with this. It's funny how DNS is starting to look like the original LDAP recommendations on the name hierarchy. LDAP went from an organization based hierarchy to schemas that started looking at lot like the DNS TLDs. And DNS itself may start looking at lot like how LDAP was. As more companies are becoming international, the idea of arbitrary geographical boundaries to information and yes, commerce, seems somewhat quaint.

the answer

[CrazyBrett (233858)]

A: Create a new TLD!
Q: (what was the question again?)

what ever happened to the internet death penalty?

[Almost-Retired (637760)]

I see by the article that several chinese ISP's were asked to take down phishing sites, but refused.

To me that's the time to apply the internt death penalty, where the root dns servers refuse to give out the addresses of the offending domains.

We did it to korea a couple of times, with temporarily mixed results, but IMO the takedown (I think it was only 3 days) wasn't of sufficient duration to really get their attention.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
  soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Message from Our Sponsor on ttyTV at 13:58 ...

Dpends, i

[geekoid (135745)]

If the truly want a serious attempt at this, maybe they fly someone to the institution to talk to the CEO?