Could the .secure domain make the Internet safer?

Security firm argues that by imposing meaningful standards, websites will gravitate to validated domain — not everyone agrees

Most calls for new TLD (top-level domain) names seem like little more than real estate developers proposing the creation of entire new continents just to lease the land. The creation of .name, .pro, .xxx, and even .biz, which has existed for more than 10 years, were arguably driven more by profiteering than need.

At first blush, the push by security technology firm Artemis for the .secure TLD could be similar. If successful, Artemis will manage the new top-level domain, charging companies that want to be part of the security-focused domain network.

Yet, unlike .name or .xxx, .secure has a real function. In essence, it’s a logo program: A company with a .secure server will offer mature security technologies for locking down transactions between the user and its service. Artemis will require .secure holders to use stronger verification techniques to establish the identities of customers and to deploy certain security technologies, and it will regularly check to make sure the company is complying, says Alex Stamos, Artemis’ CTO.

Most technologies for securing the Internet are not easy to use. Currently, companies have no convincing incentives to undergo the travails of implementing technologies such as the DNSSec (domain-name security extensions) or CSP (content security policy). And in cases where there’s an easy-to-use security technology, such as HTTPS, many companies do not offer the capability. By contrast, a company using .secure will have to use DNSSec to sign its zone, TLS (transport layer security) for all HTTP sessions, domain keys to validate email infrastructure, and opportunistic encryption for email content.

« Explaining to my father-in-law, to take an example, why we need HTTPS is crazy. Instead, if you are a .secure domain, you are guaranteeing that you will provide certain security technologies, » Stamos says.

Stamos believes the time is right because with the push for DNSSec and awareness of significant attacks on companies, companies are more willing than ever to implement security if there is some payoff. Contrast that motivation to what’s gone on with the controversial .xxx domain, which essentially segregates pornography from the rest of the Internet — not exactly what that industry wants.

Not everyone agrees that the .secure domain is needed. Having more TLD names means more work for companies that are trying to secure the DNS infrastructure, says Andrew Fried, an independent security consultant who regularly works on DNS issues. Worse, many users may feel more secure, but attackers will immediately focus on breaking the system. « The problem is that the bad guys are going to find a way to abuse it, » he says. « When I hear about a new top-level domain, the first thing I think about is how much harder it will be » to find the bad actors.

Any security technology that promises more than it delivers will give the users a false sense of security, he argues, adding that will be worse than if there were no .secure domain at all.

Source: infoworld.com

  • Post category:calendrier