Security IT

F-Secure Calls for '.safe' TLD 243

Rajesh writes "According to F-Secure, ICANN (Internet Corporation for Assigned Names and Numbers), the organization responsible for the global coordination of the Internet's system of unique identifiers, should introduce a .safe domain name to be used by registered banks and other financial organizations."
This discussion has been archived. No new comments can be posted.

  • by mulvane ( 692631 ) on Tuesday April 10, 2007 @09:20AM (#18674141)
    But wouldn't something a little more, well, financially sound be better. .safe just makes me think of child protection sites, law enforcement security boards and such. I know .fin is taken, but how about someone put a little more thought into this one. I agree we possibly COULD use a .safe, but for other purposes.
  • .safe (Score:3, Funny)

    by voice_of_all_reason ( 926702 ) on Tuesday April 10, 2007 @09:21AM (#18674157)
    Brought to you by King Canute. Make things happen by simply commanding them to be so!

    (yes, I'm well aware that interpretation of the story is incorrect).
  • by rlthomps-1 ( 545290 ) on Tuesday April 10, 2007 @09:22AM (#18674169) Homepage
    I just don't trust anything that comes out and says "trust me, I'm safe." This isn't a good idea, it teaches people to let their guard down as opposed to being aware of the risks of blanketly trusting a website. What if someone gets some exploit code on one of these sites? I think it'll just take a few notable hacked up websites before the whole trust of .safe is lost.
    • by epiphani ( 254981 ) <epiphani@@@dal...net> on Tuesday April 10, 2007 @09:32AM (#18674321)
      What if someone gets some exploit code on one of these sites?

      Why, F-secure can offer a service to make sure this doesn't happen! In fact, why not just say F-secure is responsible for validating sites in this TLD. That would be great.

      The idea isn't really flawed, but the source is questionable. It's like a company that makes carbon filtering equipment says that all power plants should meet X carbon emissions. Great idea, not news, and blatantly self-serving.
    • http://mydomain.com/ [mydomain.com]

      I can see this working already ;)

      The tools are already in existence to secure communications, and they are already in use. The flaw in the system is not the domain names or secure connections but the users who are deceived into accessing other sites and to give up personal details. .safe will not end deceptive practices, especially when success = money.

      Education is the way to secure users, that and banks and other entities that really require security actually employing some decent security.

      What's that thing again? You're only secure if you have two out of three of the following; Something you know, something you have, and something you are. Many financial institutions continue to base their entire security on just one of those things, of course this is made a mockery of with the aid of a little social engineering.
    • by Bogtha ( 906264 ) on Tuesday April 10, 2007 @10:07AM (#18674895)

      What if someone gets some exploit code on one of these sites?

      This has already happened: Hacked Chinese Bank Server Phishes for US Banks [slashdot.org].

    • by The Monster ( 227884 ) on Tuesday April 10, 2007 @11:21AM (#18676085) Homepage

      I just don't trust anything that comes out and says "trust me, I'm safe."
      Like politicians?

      Then there's the girls who wear t-shirts that say "Cutie". If you really are a "cutie", you don't have to wear a label to tell us that you are. It therefore follows that the people who wear those shirts are roughly as "cute" as politicians are trustworthy.

      • by rlthomps-1 ( 545290 ) on Tuesday April 10, 2007 @11:36AM (#18676415) Homepage
        The funny thing is that these shirts tend to end up on girls that are actually cute. The difference is in the cost of exposing the lie. It stands out when an uncute girl wears a shirt that says "cutie." Ironic goals statements aside, most girls probably want to avoid wearing a cutie shirt when they aren't cute. Whereas exposing the lie of a politician who is spinning some truthiness on the news involves much more digging around to expose the lie. So in a sense, politicians can get away with lies, while uncute girls have a much harder time. So who ends up telling the truth more often? And is .safe like an ugly girl or a politician?
  • Not going to help (Score:3, Insightful)

    by CastrTroy ( 595695 ) on Tuesday April 10, 2007 @09:22AM (#18674175)
    As long as people continue to click on links they get in emails, and not verify that they are actually at their bank's website, then there's going to be problems with phishing. It doesn't matter if the url ends in .com, or .ca, or .safe, or .xxx. If you're clicking on links in emails and getting scammed, then changing the domain name won't help anything. I'm surprised there's not more worms out there that change your hosts file, to show you a phishing site when you type in the actual url of your bank. I guess it really is that easy to get somebody to click on a link in an email, because they haven't resorted to more complicated methods.
  • Because you know (Score:5, Insightful)

    by dctoastman ( 995251 ) on Tuesday April 10, 2007 @09:23AM (#18674181) Homepage
    People are infallible and immune from social engineering attacks and there is no way a shady organization would ever get a .safe domain.
  • Countdown... (Score:5, Insightful)

    by Yoozer ( 1055188 ) on Tuesday April 10, 2007 @09:23AM (#18674187) Homepage
    Count down to the first case where a .safe domain is corrupted because of nepotism, fraud, forgery, what-have-you.

    A TLD does not solve this problem. An alert user does, aided by tools like regular check-ups, challenge-response systems or cryptography.

    We've all heard how some corporations lose several thousands of records of personal data. What does that .safe TLD mean, in that case?
    • by CastrTroy ( 595695 ) on Tuesday April 10, 2007 @09:30AM (#18674301)
      I would like to know why more banks don't offer more secure methods of authentication like RSA keytags and such. This would completely wipe out most of the problems with phishing. Instead they think up other useless methods like making you click on an onscreen keypad to enter your password, or asking you what your favourite movie is. I think that many people would pay for the keytag themselves if they were presented with the option, just for having the peace of mind knowing they are more secure. I know I would.
    • by FirienFirien ( 857374 ) on Tuesday April 10, 2007 @11:49AM (#18676631) Homepage
      an alert user

      What does that .safe TLD mean


      You've half-answered yourself - savvy users understand about phishing in the first place, know about password security, etc etc. It's the unsavvy users that are being fooled.

      While I appreciate you're picking on the word 'safe', you're picking on it for the wrong reason. People will still be caught out by www.bank.safe.banking.login/login.asp instead of www.bank.safe/banking/login/login.asp; but that's not what .safe is trying to address. It's trying to address scammy domain names like yourbank.com instead of bank.com, or 8ank.com, or the cyrillic URLs that are visually identical, or what have you. It's unlikely to work - a step on the red queen's board - but at least they're thinking about what to do about it. Maybe.
  • Great but... (Score:5, Insightful)

    by otacon ( 445694 ) on Tuesday April 10, 2007 @09:25AM (#18674213)
    People are still pretty dumb and easily tricked, the kind of people that get duped into putting their info in a phishing site are the same people that could be tricked by a fake URL...i.e. safe.financialsite.com or yourbank.com/safe or any other obvious ways to add safe into a URL.
  • by 140Mandak262Jamuna ( 970587 ) on Tuesday April 10, 2007 @09:26AM (#18674237) Journal
    People respond to phishes and Nigerian scams and give all their usernames and passwords voluntarily without ever touching their banks or the safe domains. How can banks protect against such users? Why should it be the bank's responsibility to tell the customers, "It is not a good idea to paint your user name and password on the side of your home in 26inch high letters".

  • by FredDC ( 1048502 ) on Tuesday April 10, 2007 @09:26AM (#18674243)
    I don't think so...
     
    There will always be idiots, who will fill in their credit card information at visa.safe.ru!
  • Is it useful? (Score:4, Insightful)

    by efence ( 927813 ) on Tuesday April 10, 2007 @09:29AM (#18674275)
    There is a much greater need to tell when a site is NOT safe. There is a reason that URLs with IP addresses and domain names such as "www.paypal.secure.dodgydomain.info/..." are still effective. Introduction of a new TLD is not a replacement for user education.
  • Assumptions (Score:2, Insightful)

    by hack slash ( 1064002 ) on Tuesday April 10, 2007 @09:29AM (#18674281)
    If a .safe TLD was introduced then too many people would automatically have the assumption that their PC would never be infected from visiting a .safe site nor would its details on them ever be compromised. I don't believe anyone can say with 100% certainty that all .safe domains would be hacker proof, in fact I think hackers would be much more attracted to trying to break into .safe sites in the knowledge that people wouldn't automatically be vigilant when visiting those sites.
  • by 140Mandak262Jamuna ( 970587 ) on Tuesday April 10, 2007 @09:30AM (#18674293) Journal
    Let us create a separate domain for phish hosts! All phishing sites must clearly identify them as phishing sites to get a chance to be listed in that domain. Of course, compliance is voluntary. It makes as much sense as the safe domain for the banks.
  • Not a new idea. (Score:3, Interesting)

    by bigmaddog ( 184845 ) on Tuesday April 10, 2007 @09:30AM (#18674297)
    This sounds a whole lot like RFC #3514 [rfc.net] to me, except on a higher level, which makes the idea at least four years old.
    • by Anonymous Coward on Tuesday April 10, 2007 @09:41AM (#18674455)
      It is not the same thing. This proposal calls for whitelisting. In contrast the joke required that bad people blacklist themselves.

      Enumerating badness is a bad idea from a security point of view:
      http://www.ranum.com/security/computer_security/editorials/dumb/ [ranum.com]

      Enumerating goodness might work, but raises many issues. Who does it, based on what criteria and how are the criteria enforced?

      Why do people keep demanding the DNS to solve all the problems in the world? It's just an address book, not the solution to world hunger. Oh, maybe that is the next TLD proposal: .endworldhunger
      • by mike2R ( 721965 ) on Tuesday April 10, 2007 @10:47AM (#18675559)

        Who does it, based on what criteria and how are the criteria enforced?

        I agree that this is the key issue. The answer has to be, *the entity that guarantees the losses if they get it wrong*. If (big if) you can get a workable system based on this, then it will be meaningful. Otherwise it will just be a moneyspinning scam like security certificates.

  • by ProfessionalCookie ( 673314 ) on Tuesday April 10, 2007 @09:32AM (#18674319) Journal
    Domain names are too easy to fake. That's all. Perhaps a better name system?
  • by symes ( 835608 ) on Tuesday April 10, 2007 @09:35AM (#18674369) Journal
    But surely, to the inexperienced, anything can look "safe" e.g. www.urbank.safe [bizarremag.com]. As others have already suggested above, it's better to educate than attempt structural changes to protect the naive.
  • Nice idea but... (Score:3, Informative)

    by JohnnyBigodes ( 609498 ) <morphineNO@SPAMdigitalmente.net> on Tuesday April 10, 2007 @09:36AM (#18674379)
    ... I don't think it will work, at least not how they think.

    Many worms change your HOSTS file and there's also the good ol' DNS poisoning, so this ".safe" thing can't be 100% trusted. And if it can't be 100% trusted, we might as well stick to what we (don't) have.
  • Oh God, Not Again! (Score:3, Insightful)

    by user24 ( 854467 ) on Tuesday April 10, 2007 @09:42AM (#18674479)
    Are we really going to have to go through every argument why .xxx was a bad idea, replacing "porn" with "safe" and "perverts" with "hackers"

    quick, someone who knows regex copy the most highly modded comments from here [slashdot.org], here [slashdot.org], here [slashdot.org], here [slashdot.org] and here [slashdot.org], and save us [xkcd.com]!
    • by jfengel ( 409917 ) on Tuesday April 10, 2007 @10:17AM (#18675029) Homepage Journal
      Simply reversing the arguments doesn't work here. The .xxx at most guaranteed that you'd get porn at a .xxx site (and it didn't even really do that). That's something you don't really need; you can verify that a porn site has porn just by looking at it. You could try to decree that all .com sites would now be porn-free, but that's impossible.

      This is the converse: if all .safe sites are indeed safe, you've learned something valuable about the site just from its name. It doesn't matter that there are still safe .com sites; nobody has any interest in purging those.

      So .safe could conceivably be a thing of value. You're basically taking a trusted group to make the judgment and trusting DNS to deliver that judgment to you accurately, both of which will lead to arguments. And you're still trusting users to recognize that .safe is really safe and the variants (safe.phishing.biz) aren't.

      A browser mod would be helpful there; I believe both IE and Firefox now have built-in "probably phishing" detectors. In fact, those probably-phishing detectors could be more useful than a domain name, which is clearly trying to cram a hack on top of DNS. Let the verifiers register the info on some well-known site somewhere, let the phishing tools treat it as a whitelist, and anything too similar but not identical as a clue that it's phishing.
  • by mrwiggly ( 34597 ) on Tuesday April 10, 2007 @09:42AM (#18674485)
    <a href="http://phishers.com">click to login to http://mybank.safe/ [mybank.safe] </a>
  • by TBone ( 5692 ) on Tuesday April 10, 2007 @09:44AM (#18674515) Homepage

    The problem with bank sites and such isn't that the sites themselves get hacked - seriously, when's the last time Wachovia or Capital One's website itself was hacked and your account info stolen from the site itself?

    No, the problem is things like Phishing scams and XSS vulnerabilities and stupid users who can't tell the difference between http://www.paypal.com/ [paypal.com] and http://www.paypal.com.scammer.cn/ [scammer.cn] or who read and follow emails from people they've never even heard of to claim their $500 gift certificate to Cracker Barrel or something equally ridiculous.

    a .SAFE TLD won't make the sites any more safe, and will make them less safe, because people who don't know better will just assume that, because it's a .safe domain, it MUST be safe, otherwise it wouldn't be a .safe site, so they just go on entering all their private personal data into some bogus site.

    .SAFE won't make things more safe, it will make them less, because <SPACEBALLS> Evil will always win, because Good is Dumb </SPACEBALLS>.

    • by mutube ( 981006 ) on Tuesday April 10, 2007 @10:21AM (#18675089) Homepage

      No, the problem is things like Phishing scams and XSS vulnerabilities and stupid users who can't tell the difference between http://www.paypal.com/ [paypal.com] and http://www.paypal.com.scammer.cn/ [scammer.cn] or who read and follow emails from people they've never even heard of to claim their $500 gift certificate to Cracker Barrel or something equally ridiculous.

      The odd thing about domain names is that the "Top Level" domain name is shown at the bottom (a.k.a. the right hand side). This makes it especially easy to create reasonable-looking fake URLs as it removes the ability to read left to right to identify authority.

      Reading an URL like http://www.paypal.com.scammer.cn/ [scammer.cn] without knowledge of the "how it all works" you may assume that this is part of www.paypal.com's website. With the top at the top it becomes, http://cn.scammer.com.paypal.www/ [paypal.www] ...what's the first thing you see?

      Maybe it's just me.

      I'd be interested to know the history of the backward hierarchy (short of it being pulled out of someone's backside).
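Added example, not part of the original thread: a Python sketch of the two ideas raised in the comments above, reading a hostname right to left to find who actually controls it, and treating a vetted list as an allowlist where anything that embeds or nearly matches an entry is a phishing clue. The suffix set and allowlist are constructed stand-ins (a real checker would load the Public Suffix List), and `.safe` is the hypothetical TLD from the story.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. ".safe" is the hypothetical
# TLD from the story; a real checker would load the full list.
PUBLIC_SUFFIXES = {"com", "cn", "ru", "info", "biz", "safe", "co.uk"}

# Constructed allowlist of vetted registrable domains (assumption).
ALLOWLIST = {"paypal.com", "bank.com", "bank.safe"}


def hostname(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """Authority is read right to left: the registrable domain is the
    longest known public suffix plus the one label to its left."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None  # IP address, bare suffix, or unknown TLD


def edit_distance(a, b):
    """Plain Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, matched allowlist entry or None)."""
    host = hostname(url)
    reg = registrable_domain(host)
    if reg in ALLOWLIST:
        return ("allowlisted", reg)
    for good in sorted(ALLOWLIST):
        # A vetted name appearing as labels inside somebody else's host.
        if f".{good}." in f".{host}.":
            return ("lookalike", good)
        # One character away from a vetted name (8ank.com, homoglyphs).
        if reg and edit_distance(reg, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs based on the ones quoted in the thread.
    for u in ["http://www.paypal.com/",
              "http://www.paypal.com.scammer.cn/",
              "www.bank.safe/banking/login/login.asp",
              "www.bank.safe.banking.login/login.asp",
              "http://8ank.com/",
              "http://p\u0430ypal.com/",      # Cyrillic 'a'
              "http://safe.phishing.biz/"]:
        print(f"{classify(u)[0]:12} {registrable_domain(hostname(u))!s:14} {u}")
```

A distance-1 rule does not catch prefixed names such as yourbank.com, which come back as "unknown"; an allowlist consumer has to treat "unknown" as unvetted, not as safe.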
  • by IGnatius T Foobar ( 4328 ) on Tuesday April 10, 2007 @09:47AM (#18674561) Homepage Journal
    The usual phishing tricks will work, and they'll work even better. Phisher creates a link to a phishing site, and the text of the link will point to a ".safe" domain. Naive user is as naive as ever, and thinks "Well, I know that '.safe' means that it's a genuine site, so it's safe to click on it" and cheerfully submits his/her private identity to the phishers.

    Dumb idea, game over. Next...
  • by DaMattster ( 977781 ) on Tuesday April 10, 2007 @09:52AM (#18674635)
    This won't solve a thing. It is trivial to fake headers; apparently the author did not do his homework. I could easily set up a spam spew to send phishing email from say, www.bankofamerica.safe or the like. A better, more practical solution is to use email signing like OpenPGP or GNUPGP. This is much, much harder to fake. See the Wikipedia [wikipedia.org] article subsection Security quality. Bank customers simply obtain the PGP public key from the bank's website and use it to validate any email received. This will put the phishers to bed (at least for a long while) as it will be virtually impossible to fake the PGP signature. The next thing you do is educate the public about email signing and verification. It is not terribly difficult to use and deploy as there are freely available PGP plugins for popular email clients. GPG4Win is a complete installer that contains plugins for Mozilla Thunderbird, Outlook 2003, and Outlook Express. Read about it at http://www.gpg4win.org/ [gpg4win.org].
  • by Ngarrang ( 1023425 ) on Tuesday April 10, 2007 @09:53AM (#18674651) Journal
    On the face of it, the idea is not completely awful. As usage of the internet grows, the organization of the domain names will grow in complexity and scope.

    We have .gov for the US government sites. This makes sense. All government-owned web sites are then managed in one place. We have .edu for education institutions.

    Financial institutions are a major power in our society, like government, so maybe they should have a specific domain. This would make looking for a financial place predictable. "I need to find my bank's web site. Ah, I will try bankname.bank" knowing that you will at least get a real bank, and not a phishing scam built on a typo in a name. .shop for on-line shops that actually sell through their web site. eg. Amazon, TigerDirect

    There are other major market segments which could justify a TLD like libraries (.lib?) and medical (.med?).

    We should not let a fear of abusers stop us from trying to organize things in a predictable way. With more TLD options, we could possibly avoid domain names having to be ever longer because their name was already taken.
    • by digitalhermit ( 113459 ) on Tuesday April 10, 2007 @10:08AM (#18674903) Homepage
      For the most part, I agree with this. It's funny how DNS is starting to look like the original LDAP recommendations on the name hierarchy. LDAP went from an organization based hierarchy to schemas that started looking a lot like the DNS TLDs. And DNS itself may start looking a lot like how LDAP was. As more companies are becoming international, the idea of arbitrary geographical boundaries to information and yes, commerce, seems somewhat quaint.

  • by geoff lane ( 93738 ) on Tuesday April 10, 2007 @09:57AM (#18674721)
    Is this supposed to work via some kind of sympathetic magic?
  • by ObiWanStevobi ( 1030352 ) on Tuesday April 10, 2007 @09:59AM (#18674755) Journal
    I've already got the calls saying "But it said I won a free Ipod." (despite the fact they didn't know what it was but thought it would make a good Christmas present) If they are that trusting of a random pop-up, imagine how easy it would be for anyone with a .safe name to rip them off. I'd have to say think of the grandparents on this one and call it a bad idea. BTW, if you disagree with me, you hate the elderly.
  • by user24 ( 854467 ) on Tuesday April 10, 2007 @10:00AM (#18674767)
    How about we force everyone to have a .unsafe TLD, so it would be microsoft.com.unsafe, google.com.unsafe

    It would reinforce the idea that !!!NOTHING IS SAFE ONLINE!!!

    I mean, how loud do we have to shout it before people finally get it?!

    Let's try it a few more times:

    HEY USERS!
    NOTHING IS SAFE!
    PEOPLE ARE EVIL!
    THE INTERNET IS A BAD PLACE!
    NOTHING IS SAFE ONLINE!
    NOTHING!!!!! NOT EVEN PAYPAL!!!!
    NOTHING IS SAFE ONLINE!

    LISTEN!

    NOTHING IS SAFE ONLINE!

    c'mon guys, chant with me, perhaps they'll realise if we all chant together

    NOTHING IS SAFE ONLINE!
    NOTHING IS SAFE ONLINE!
    NOTHING IS SAFE ONLINE!

    damn, it's not working.

    I guess people will always be stupid, no matter how many clever people try to stop them.
  • the answer (Score:4, Insightful)

    by CrazyBrett ( 233858 ) on Tuesday April 10, 2007 @10:12AM (#18674975)
    A: Create a new TLD!
    Q: (what was the question again?)
  • by shoptroll ( 544006 ) on Tuesday April 10, 2007 @10:20AM (#18675083)
    Do most people here forget that there's a thing called a safe in most physical banks? You know, the place where they hold the money, the thing the crooks try to crack into?

    Everyone is either taking this way out of context (why should this be used to whitelist sites instead of the .xxx domain or other blacklist approaches?) or there's a lot of funny going on in this topic that no one is picking up on.

    Maybe .vault or .yourmoneygoeshere or .weholdyourmoney would be a lot clearer? Can we also get a .mattress mirror to entice people from the US depression era to use the 'net?
  • by madsheep ( 984404 ) on Tuesday April 10, 2007 @10:26AM (#18675165) Homepage
    Let me propose something completely different than 95% of the above responses. This is actually not a bad idea, should proper restrictions, criteria, and identity vetting be put in place for requesting institutions. In fact I would go as far to say this is a brilliant idea. The article makes the arguments for it that are more than sufficient IMHO. Now focusing on ".safe" is not so great to me. I believe one of the alternate suggestions, ".bank", is a much better idea.

    "Right now, customers have no good way of automatically being able to tell whether or not a bank website belongs to the bank. So a small bank or credit union phishing site is something that has to be researched. If .safe or .sure is locked down, then security companies would have a much better set of assumptions to start with when filtering email and web traffic. Security providers would then be able to build a better security product and users would feel safe online," said Runald.

    Ok who can argue with this? NO, this will not stop poor application coding, XSS, SQL injection, browser bugs, etc. However, it will go a long way for someone to have a pretty good idea as to whether or not the website they are visiting is in fact that of a valid financial institution. NO it won't stop every moron from clicking a link that goes to www.sfk24ksf.cn/sexygirl44/bank.html, but what could stop those people? If everyone is trained that sites with ".bank" are valid/vetted banking sites, then there's a much higher chance they will specifically look for this. Much the same as a ".gov" domains.

    Say what you want but this is a decent idea. Most of the above posts are just bizarre scenarios and mostly dismissive without real cause.
    • by mutube ( 981006 ) on Tuesday April 10, 2007 @10:45AM (#18675511) Homepage

      Let me propose something completely different than 95% of the above responses. This is actually not a bad idea, should proper restrictions, criteria, and identity vetting be put in place for requesting institutions. In fact I would go as far to say this is a brilliant idea. The article makes the arguments for it that are more than sufficient IMHO. Now focusing on ".safe" is not so great to me. I believe one of the alternate suggestions, ".bank", is a much better idea.

      I like the .bank idea, but I...

      ...tried it a few times and ended up on my side.
      ...I have no interest in watercourses.
      ...am not very good at billiards.
      ...have central heating and therefore no requirement for long burning coals.

  • by jimicus ( 737525 ) on Tuesday April 10, 2007 @10:34AM (#18675301)
    I know the whole point of DNS is that it's hierarchical. But with all these suggestions like ".safe for financial institutions, .xxx for porn" combined with countries with "desirable" ccTLDs selling domains (Don't get me wrong, it's their domain space and they can do what they wish. But I never knew so many English-language television companies were based out of Tuvalu), there seems little point in having a TLD-based hierarchy at all.

    You may as well allow any organisation to register anything as a TLD. TBH, I think the only reason that hasn't been allowed is because the domain typo-squatting problem would be even sillier than it is today, placing a much higher level of stress on the top-level DNS servers.
  • by xoyoyo ( 949672 ) on Tuesday April 10, 2007 @10:36AM (#18675341)
    F-Secure have a particular knack for the headline grabbing initiative don't they now? They spent considerable time and effort a few years ago warning us of the virus epidemic that would engulf mobile phones. To date we've still only seen one proof of concept virus, and that required the user to physically install it.

    Meanwhile their security software is insecure: http://www.heise-security.co.uk/news/87063 [heise-security.co.uk] - leaving a buffer overflow in your flagship security suite is a tad dumb.

    F-Secure press releases should be regarded as denial of service attacks as they stop the flow of sensible information about security.
  • by samael ( 12612 ) * <Andrew@Ducker.org.uk> on Tuesday April 10, 2007 @10:41AM (#18675443) Homepage
    I'd make it very hard to get a domain there, and require a big wodge of money to be deposited as a security.

    It's all very well to say "But users should be ultra-alert at all times, check the IP address of the website they've gone to, close all of their curtains before typing in their password and wear a tinfoil hat before thinking of their mother's maiden name." but it's not actually very useful in the real world.

    Users suck - we need to design systems to ameliorate their suckiness, not demand changes in human nature.
  • by tabdelgawad ( 590061 ) on Tuesday April 10, 2007 @10:52AM (#18675663)
    From reading the headline, I thought this was the converse of a .xxx domain, which actually might not be such a bad idea. Rather than try to decide what should and should not go into a .xxx domain and have to worry about censorship, you use the .safe domain voluntarily for kid stuff and offer parents/schools software to restrict kid browsing. And it would hopefully limit the will-somebody-please-think-of-the-children complaints. There would be little danger of censorship since it would be difficult to justify limiting adults to using it.

    I'm sure it's not a new idea, and perhaps I'm missing some of its pitfalls ...
  • by vinn01 ( 178295 ) on Tuesday April 10, 2007 @10:58AM (#18675751)

    How are they going to get people to read all the way to the end of a domain name?

    Subdomain names make a joke out of this idea of a ".safe" TLD.
  • by Aging_Newbie ( 16932 ) on Tuesday April 10, 2007 @11:08AM (#18675899)
    Most of the phishing scams I have seen use either the IP address or the domain of the phishing webpage itself. Having the banks use .safe would be as effective as having banks not use their IP addresses, .nl, .kr, .ru, and a few other domains that phishers use. People already give away their information to totally bogus addresses, so how does using .safe make one iota of difference?
  • by Trailer Trash ( 60756 ) on Tuesday April 10, 2007 @11:08AM (#18675903) Homepage
    Ironically, this is *exactly* what secure certificates were supposed to do, remember? Prove who you are to verisign and they'll give you a certificate so that anybody who comes to your site can see that verisign has verified that it's you.

    Such a system will serve *only* to enrich whoever is the verifier.

    Period.
  • by Craig Ringer ( 302899 ) on Tuesday April 10, 2007 @11:22AM (#18676121) Homepage Journal

    Unlike most special purpose new TLD proposals, this isn't immediately and obviously blatantly stupid.

    • It's limited in scope;
    • It has an access whitelist or admission requirements, rather than the usual definition of what's not admissible with the hope it'll politely stay away; and
    • It should be reasonably protected against spoofing in that most sites are already using SSL to (help) protect against MiTM attacks, DNS compromise, etc.

    However, it may introduce a false sense of security when faced with a server compromise, client-side spoofing (URL bar replacement, etc) or client compromise (hooray for spyware!).

    Nonetheless, this is about 1/0 times smarter than the .xxx TLD, the problems with which were astounding given the proposed "benefits" of it.

  • by CXI ( 46706 ) on Tuesday April 10, 2007 @11:25AM (#18676175) Homepage
    Because you just know that www.mybank.safe.ru isn't going to fool ANYONE because after all it SAYS "safe" in the URL! Wait, did I just contradict myself? This internet is hard.
  • by Todd Knarr ( 15451 ) on Tuesday April 10, 2007 @11:25AM (#18676187) Homepage

    This is about as good an idea as RFC 3514 [rfc-editor.org] describing the Evil Bit. Like 3514, it'll essentially guard you against unwitting interaction with the people you don't have to worry about unwitting interactions with. The bad guys will, of course, ignore the rules and hijack .safe names to host decidedly unsafe content. But we knew this.

  • by Almost-Retired ( 637760 ) on Tuesday April 10, 2007 @03:36PM (#18680491) Homepage
    I see by the article that several Chinese ISPs were asked to take down phishing sites, but refused.

    To me that's the time to apply the internet death penalty, where the root dns servers refuse to give out the addresses of the offending domains.

    We did it to Korea a couple of times, with temporarily mixed results, but IMO the takedown (I think it was only 3 days) wasn't of sufficient duration to really get their attention.

    --
    Cheers, Gene
    "There are four boxes to be used in defense of liberty:
      soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author)
    Message from Our Sponsor on ttyTV at 13:58 ...
