F-Secure Calls for '.safe' TLD
Rajesh writes "According to F-Secure, ICANN (Internet Corporation for Assigned Names and Numbers), the organization responsible for the global coordination of the Internet's system of unique identifiers, should introduce a .safe domain name to be used by registered banks and other financial organizations."
Maybe its just me.. (Score:3, Insightful)
Re:Maybe its just me.. (Score:4, Interesting)
Re:Maybe its just me.. (Score:5, Funny)
So once 95% of all websites decide that they want to be safe, how do you organise the namespace? How about
Then all we do is turn off the
Re:Maybe its just me.. (Score:5, Funny)
That should be easy:
Re:Maybe its just me.. (Score:2)
Durex would want the
Re:Maybe its just me.. (Score:5, Funny)
So financial institutions get it, but "we're not a bank" Paypal wouldn't.
That's a shiv I would love to see paypal get.
Re:Maybe its just me.. (Score:2, Interesting)
Re:Maybe its just me.. (Score:2)
Re:Maybe its just me.. (Score:2, Funny)
If my bank was as bad as PayPal, I'd be keeping my money in my mattress.
So, yes.
Re:Maybe its just me.. (Score:3, Funny)
I'm going to be the first to register un.safe and claim that it is a "safe" website
Re:Maybe its just me.. (Score:5, Funny)
Re:Maybe its just me.. (Score:5, Funny)
Re:.terror? what about .com? (Score:2)
Re:.terror? what about .com? (Score:3, Interesting)
Part of me misses the enforced rules bit, as now you can't tell where a website actually originates from. Anybody remember all the
Not only that... (Score:5, Insightful)
What next? Will someone build a ship and claim it's unsinkable? Oh wait...
Yep, and it will encourage outright lies. (Score:2)
http://finalizetoday.com/secureapp.html [finalizetoday.com]
Notice how they call their form "secureapp.html" in order to give someone a false sense of security so they can go ahead and fill out the form with their social security number. Then submit it to an unencrypted action.
A
Re:Maybe its just me.. (Score:2)
"Must be safe, it's a
I can see a reason for a
When I was young and full of myself, I used to set up my security systems to "talk smack" when I foiled cracking attempts... It took me only a little time to realize that this sent the wrong message, because when you frame it in the terms of a challenge, the crackers dust off their A game to make you eat your words.
Re:Maybe its just me.. (Score:2)
Re:Maybe its just me.. (Score:2)
I'm beginning to see the TLD system as more of an inconvenient waste of time thanks to initiatives like this. It will challenge hackers and make the average Net user even more gullible and trusting, thinking the .safe tld somehow confers mystical powers on the website.
Domains are easier to remember than IP addresses, but in that convenience lurks the bugaboos we see now. The average user clicks links blindly -- he/she has no idea that the URL beneath the anchor tag may not be going where they think it is. They are certainly not savvy enough to check before they click, hence the ease of phishing. I think it's safe to say ICANN is starting to make things worse, not better.
Of course it is (Score:2)
Re:Maybe its just me.. (Score:2, Insightful)
Re:Maybe its just me.. (Score:4, Insightful)
Also,
Re:Maybe its just me.. (Score:4, Informative)
Bank regulations aren't about little-guy money transfers, and wouldn't help in virtually any of the "omg paypal skrooed me" situations (which, I might note, I've never actually seen be anything other than the fault of one of the two end-users. Yes, PayPal freezes accounts too easily, but frankly, if you can't tolerate a several-day money lag, you shouldn't be transacting online at all.) Bank regulations are about the investment of held capital and so forth, to prevent messes like the 1914 commodity crash or the 1980s savings and loan scandal. Say what you will about PayPal, but their back-end investments are safe, conservative and shrewd. No bank regulations would affect PayPal in any way that the end users would find significant, other than to increase existing rates (not by enough to affect most transactions, but it would kill the micropayment system dead.)
The next time you go complaining about regulations, maybe you should name the specific regulation you want. That way, when people read what you say, they won't do what I did, and assume you're some clueless whiner who just wants to repeat what everyone else says to sound smart, when bitching about an online business that they heard screwed a friend of a friend of a friend.
Of course, that'd require knowing what you were talking about.
Re:Maybe its just me.. (Score:5, Interesting)
Who will accredit third world banks such as the FIRST BANK OF JOSEPH ENTBE OF NIGERIA?
Re:Maybe its just me.. (Score:3, Funny)
*grin*
Re:Maybe its just me.. (Score:2)
Re:Maybe its just me.. (Score:3, Funny)
www.too.legit.to.quit
and
www.hammer.time
Re:Maybe its just me.. (Score:2)
I'm actually mystified as to why UK banks don't use the .plc.uk domain, which is reserved for publicly listed companies.
Re:Maybe its just me.. (Score:2)
Re:Maybe its just me.. (Score:2)
Re:Maybe its just me.. (Score:2)
Because there aren't many publicly listed phishers.
Re:Maybe its just me.. (Score:2)
Re:Maybe its just me.. (Score:2)
True, but user education is a major part of phishing prevention, and educating users to look for the .plc.uk should be a relatively simple task. It's also a relatively simple task to redirect genuinebank.co.uk to genuinebank.plc.uk.
Also, although you can't set up a phishing site at, say, bankofscotland.co.uk, you could conceivably set one up at bankofscotalnd.co.uk, which would be easy to miss at a glance. You wouldn't be able to set up bankofscotalnd.plc.uk though, so by looking for the .plc.uk domain (as opposed to subtle typos) you can be sure that you're at the genuine site.
Re:Maybe its just me.. (Score:2)
Maybe
.safe (Score:3, Funny)
(yes, I'm well aware that interpretation of the story is incorrect).
Re:.safe (Score:2)
As a matter of principle... (Score:5, Insightful)
Re:As a matter of principle... (Score:3, Insightful)
Why, F-secure can offer a service to make sure this doesn't happen! In fact, why not just say F-secure is responsible for validating sites in this TLD. That would be great.
The idea isn't really flawed, but the source is questionable. It's like a company that makes carbon filtering equipment saying that all power plants should meet X carbon emissions. Great idea, not news, and blatantly self-serving.
Re:As a matter of principle... (Score:2)
I can see this working already
The tools are already in existence to secure communications, and they are already in use. The flaw in the system is not the domain names or secure connections but the users who are deceived into accessing other sites and giving up personal details.
Education is the way to secure users; that, and banks and other entities that really require security actually employing some decent security.
What's that thing again? You're only secure if you have two out of three of the following: something you know, something you have, and something you are. Many financial institutions continue to base their entire security on just one of those things. Of course, this is made a mockery of with the aid of a little social engineering.
Re:As a matter of principle... (Score:2)
It's nice to see that slashdot takes care of that anyway.
Re:As a matter of principle... (Score:3, Informative)
This has already happened: Hacked Chinese Bank Server Phishes for US Banks [slashdot.org].
Don't believe self-made tags. (Score:2)
Then there's the girls who wear t-shirts that say "Cutie". If you really are a "cutie", you don't have to wear a label to tell us that you are. It therefore follows that the people who wear those shirts are roughly as "cute" as politicians are trustworthy.
Re:Don't believe self-made tags. (Score:2)
Re:As a matter of principle... (Score:2)
Not going to help (Score:3, Insightful)
Re:Not going to help (Score:4, Funny)
Likely won't make a lick of difference though.
-nB
Re:Not going to help (Score:2)
Because you know (Score:5, Insightful)
Re:Because you know (Score:2)
Countdown... (Score:5, Insightful)
A TLD does not solve this problem. An alert user does, aided by tools like regular check-ups, challenge-response systems or cryptography.
We've all heard how some corporations lose several thousands of records of personal data. What does that
Re:Countdown... (Score:2)
Re:Countdown... (Score:2)
Re:Countdown... (Score:2)
What does that
You've half-answered yourself - savvy users understand about phishing in the first place, know about password security, etc etc. It's the unsavvy users that are being fooled.
While I appreciate you're picking on the word 'safe', you're picking on it for the wrong reason. People will still be caught out by www.bank.safe.banking.login/login.asp instead of www.bank.safe/banking/login/login.asp; but that's not what
Great but... (Score:5, Insightful)
Re:Great but... (Score:3, Insightful)
How will it protect users from their own idiocy? (Score:5, Insightful)
Will this really make a difference? (Score:4, Insightful)
There will always be idiots, who will fill in their credit card information at visa.safe.ru!
Is it useful? (Score:4, Insightful)
Re:Is it useful? (Score:2)
That may have a better chance of drawing the user's attention to where they are actually going.
Assumptions (Score:2, Insightful)
Re:Assumptions (Score:3, Insightful)
They would need to implement some tough rules for who can register them for it to have a chance of working. Something I don't think they have the backbone to do.
All this assumes people actually look at where a link goes before clicking it.
I have a better idea! (Score:3, Funny)
Not a new idea. (Score:3, Interesting)
White listing vs black listing (Score:2, Informative)
Enumerating badness is a bad idea from a security point of view:
http://www.ranum.com/security/computer_security/e
Enumerating goodness might work, but raises many issues. Who does it, based on what criteria and how are the criteria enforced?
Why do people keep demanding the DNS to solve all the problems in the world? It's just an address book, not the solution to world hunger. Oh, maybe that is the next TLD proposal:
Re:White listing vs black listing (Score:2)
I agree that this is the key issue. The answer has to be, *the entity that guarantees the losses if they get it wrong*. If (big if) you can get a workable system based on this, then it will be meaningful. Otherwise it will just be a moneyspinning scam like security certificates.
Bad idea (Score:2)
safe = !safe (Score:2)
Nice idea but... (Score:3, Informative)
Many worms change your HOSTS file and there's also the good ol' DNS poisoning, so this ".safe" thing can't be 100% trusted. And if it can't be 100% trusted, we might as well stick to what we (don't) have.
Re:Nice idea but... (Score:2)
Maybe picking ".reg" or something like it might be more realistic, so to say.
Re:Nice idea but... (Score:2)
Oh God, Not Again! (Score:3, Insightful)
quick, someone who knows regex copy the most highly modded comments from here [slashdot.org], here [slashdot.org], here [slashdot.org], here [slashdot.org] and here [slashdot.org], and save us [xkcd.com]!
Re:Oh God, Not Again! (Score:2)
This is the converse: if all
So
A browser mod would be helpful there; I believe both IE and Firefox now have built-in "probably phishing" detectors. In fact, those probably-phishing detectors could be more useful than a domain name, which is clearly trying to cram a hack on top of DNS. Let the verifiers register the info on some well-known site somewhere, let the phishing tools treat it as a whitelist, and anything too similar but not identical as a clue that it's phishing.
This is a great idea, I'm sure it'll work (Score:4, Insightful)
Misleading Top Level Domain (Score:2)
The problem with bank sites and such isn't that the sites themselves get hacked - seriously, when's the last time Wachovia or Capital One's website itself was hacked and your account info stolen from the site itself?
No, the problem is things like Phishing scams and XSS vulnerabilities and stupid users who can't tell the difference between http://www.paypal.com/ [paypal.com] and http://www.paypal.com.scammer.cn/ [scammer.cn] or who read and follow emails from people they've never even heard of to claim their $500 gift certificate to Cracker Barrel or something equally ridiculous.
A .SAFE TLD won't make the sites any more safe, and will make them less safe, because people who don't know better will just assume that, because it's a .safe domain, it MUST be safe, otherwise it wouldn't be a .safe site, so they just go on entering all their private personal data into some bogus site.
.SAFE won't make things more safe, it will make them less, because <SPACEBALLS> Evil will always win, because Good is Dumb </SPACEBALLS>.
Re:Misleading Top Level Domain (Score:2)
The odd thing about domain names is that the "Top Level" domain name is shown at the bottom (a.k.a. the right hand side). This makes it especially easy to create reasonable-looking fake URLs as it removes the ability to read left to right to identify authority.
Reading an URL like http://www.paypal.com.scammer.cn/ [scammer.cn] without knowledge of the "how it all works" you may assume that this is part of www.paypal.com's website. With the top at the top it becomes, http://cn.scammer.com.paypal.www/ [paypal.www]
Maybe it's just me.
I'd be interested to know the history of the backward hierarchy (short of it being pulled out of someone's backside).
.safe will be even more unsafe (Score:3, Insightful)
Dumb idea, game over. Next...
ridiculous (Score:2)
On the face of it... (Score:4, Insightful)
We have
Financial institutions are a major power in our society, like government, so maybe they should have a specific domain. This would make looking for a financial place predictable. "I need to find my bank's web site. Ah, I will try bankname.bank" knowing that you will at least get a real bank, and not a phishing scam built on a typo in a name.
There are other major market segments which could justify a TLD like libraries (.lib?) and medical (.med?).
We should not let a fear of abusers stop us from trying to organize things in a predictable way. With more TLD options, we could possibly avoid domain names having to be ever longer because their name was already taken.
Re:On the face of it... (Score:3, Insightful)
How does this work? (Score:2)
Think of the grandparents (Score:2)
Better Idea (Score:2)
It would reinforce the idea that !!!NOTHING IS SAFE ONLINE!!!
I mean, how loud do we have to shout it before people finally get it?!
Let's try it a few more times:
HEY USERS!
NOTHING IS SAFE!
PEOPLE ARE EVIL!
THE INTERNET IS A BAD PLACE!
NOTHING IS SAFE ONLINE!
NOTHING!!!!! NOT EVEN PAYPAL!!!!
NOTHING IS SAFE ONLINE!
LISTEN!
NOTHING IS SAFE ONLINE!
c'mon guys, chant with me, perhaps they'll realise if we all chant together
NOTHING IS SAFE ONLINE!
NOTHING IS SAFE ONLINE!
NOTHING IS SAFE ONLINE!
damn, it's not working.
I guess people will always be stupid, no matter how many clever people try to stop them.
the answer (Score:4, Insightful)
Q: (what was the question again?)
The joys of the english language (Score:2)
Everyone is either taking this way out of context (why should this be used to whitelist sites instead of the
Maybe
Good Idea!?! (Score:2)
Ok, who can argue with this? NO, this will not stop poor application coding, XSS, SQL injection, browser bugs, etc. However, it will go a long way for someone to have a pretty good idea as to whether or not the website they are visiting is in fact that of a valid financial institution. NO, it won't stop every moron from clicking a link that goes to www.sfk24ksf.cn/sexygirl44/bank.html, but what could stop those people? If everyone is trained that sites with ".bank" are valid/vetted banking sites, then there's a much higher chance they will specifically look for this. Much the same as ".gov" domains.
Say what you want but this is a decent idea. Most of the above posts are just bizarre scenarios and mostly dismissive without real cause.
Re:Good Idea!?! (Score:2)
I like the .bank idea, but I...
...tried it a few times and ended up on my side.
...I have no interest in watercourses.
...am not very good at billiards.
...have central heating and therefore no requirement for long burning coals.
Enough to make you wonder why we have TLDs (Score:2)
You may as well allow any organisation to register anything as a TLD. TBH, I think the only reason that hasn't been allowed is because the domain typo-squatting problem would be even sillier than it is today, placing a much higher level of stress on the top-level DNS servers.
F-Secure better at PR than Security (Score:2)
Meanwhile their security software is insecure: http://www.heise-security.co.uk/news/87063 [heise-security.co.uk] - leaving a buffer overflow in your flagship security suite is a tad dumb.
F-Secure press releases should be regarded as denial of service attacks as they stop the flow of sensible information about security.
I like it (Score:2)
It's all very well to say "But users should be ultra-alert at all times, check the IP address of the website they've gone to, close all of their curtains before typing in their password and wear a tinfoil hat before thinking of their mother's maiden name." but it's not actually very useful in the real world.
Users suck - we need to design systems to ameliorate their suckiness, not demand changes in human nature.
How About .safe For Children (Score:2)
I'm sure it's not a new idea, and perhaps I'm missing some of its pitfalls
my site is bigbank.safe.paynoattentiontothis.com (Score:2)
How are they going to get people to read all the way to the end of a domain name?
Subdomain names make a joke out of this idea of a ".safe" TLD.
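To make the right-to-left point from the posts above concrete, here is an added Python example (not from any commenter, F-Secure or ICANN) that parses hostnames in the shapes quoted in this thread and reports which label is actually the TLD, which name the registrant owns, and whether "safe" merely appears as a decoy subdomain label. The sample URLs are constructed, and the code assumes single-label TLDs (co.uk-style public suffixes are out of scope).

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs in the shapes quoted in this thread (illustrative only).
SAMPLE_URLS = [
    "http://www.paypal.com/",
    "http://www.paypal.com.scammer.cn/",
    "https://www.bank.safe/banking/login/login.asp",
    "https://www.bank.safe.banking.login/login.asp",
    "https://bigbank.safe.paynoattentiontothis.com/",
]

HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")


def labels(url):
    """Hostname labels, lowercased, in the order they are written (left to right)."""
    host = urlsplit(url).hostname  # drops scheme, userinfo, port and path; lowercases
    if not host or not HOSTNAME_RE.match(host):
        raise ValueError(f"not a plain DNS hostname: {url!r}")
    return host.split(".")


def tld(url):
    """The real top-level domain is the RIGHTMOST label, whatever appears earlier."""
    return labels(url)[-1]


def registrable_domain(url):
    """Name the registrant actually controls. Assumes single-label TLDs;
    multi-label public suffixes such as co.uk or plc.uk would need the
    Public Suffix List, which is deliberately not modelled here."""
    return ".".join(labels(url)[-2:])


def authority_order(url):
    """Hostname rewritten most-significant label first (the 'top at the top'
    view), e.g. www.paypal.com.scammer.cn -> cn.scammer.com.paypal.www."""
    return ".".join(reversed(labels(url)))


def check_tld(url, expected="safe"):
    """Return (is_under_expected_tld, real_tld, decoy_label_present).
    decoy_label_present is True when the expected TLD name shows up as an
    ordinary subdomain label, which is the trick the thread warns about."""
    parts = labels(url)
    real = parts[-1]
    decoy = expected in parts[:-1]
    return (real == expected, real, decoy)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        under, real, decoy = check_tld(u)
        verdict = "OK" if under else "NOT under .safe"
        note = " (decoy 'safe' label present)" if decoy else ""
        print(f"{u:48} tld=.{real:7} owner={registrable_domain(u):26} {verdict}{note}")
```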
Brilliant ... BUT (Score:2)
been there done that (Score:2)
Such a system will serve *only* to enrich whoever is the verifier.
Period.
Saner than usual (Score:2)
Unlike most special purpose new TLD proposals, this isn't immediately and obviously blatantly stupid.
However, it may introduce a false sense of security when faced with a server compromise, client-side spoofing (URL bar replacement, etc) or client compromise (hooray for spyware!).
Nonetheless, this is about 1/0 times smarter than the .xxx TLD, the problems with which were astounding given the proposed "benefits" of it.
Yes, what a great plan... (Score:2)
As good an idea as RFC 3514 (Score:2)
This is about as good an idea as RFC 3514 [rfc-editor.org] describing the Evil Bit. Like 3514, it'll essentially guard you against unwitting interaction with the people you don't have to worry about unwitting interactions with. The bad guys will, of course, ignore the rules and hijack .safe names to host decidedly unsafe content. But we knew this.
what ever happened to the internet death penalty? (Score:3, Interesting)
To me that's the time to apply the internet death penalty, where the root DNS servers refuse to give out the addresses of the offending domains.
We did it to Korea a couple of times, with temporarily mixed results, but IMO the takedown (I think it was only 3 days) wasn't of sufficient duration to really get their attention.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Message from Our Sponsor on ttyTV at 13:58
Depends, I (Score:2)
Re:Premium (Score:2)
Nothing. Or to be more exact, nothing on top of the already existing mechanisms. The verification mechanisms are already in place. Joe Bloggs cannot get a SWIFT address or a Federal Reserve deposit insurance. Joe Bloggs cannot register himself as a bank. All you have is to convince the relevant institutions in each participating country to participate in the approval process.
Not that it will make any difference as the loser will continue clicking on links sent to them in email.
Re:Pardon me, but... (Score:2)