New .secure Internet Domain On Tap

'Safe neighborhood' top-level domain will require SSL, DNSSEC, and other security measures for websites

A new top-level domain (TLD) in the works for the Internet will bake security in from the outset: The .secure domain will require fully encrypted HTTPS sessions and a comprehensive vetting process for websites and their operators. If the new domain takes off, it could shift the way Web domains are secured.

It's basically a "safe neighborhood" on the Net, its creators say, and is one of the first next-generation TLDs to emerge from the new Internet Corporation for Assigned Names and Numbers (ICANN) program that opens up the TLDs beyond the 21 existing global domains that include .com, .org, .net, and .edu. Artemis Internet Inc., a wholly owned subsidiary of NCC Group plc, has applied with ICANN for the new .secure domain in the competition for thousands of new TLDs aimed at better classifying companies and people by industry, interest, or location.

"'Effortless security' is our tagline," says Alex Stamos, CTO at Artemis. "Right now, when you go to .com, you have to look for five different visual clues to figure out what's going on" security-wise, Stamos says. "If you type .secure, you're telling the server or organization that you want to communicate with that you want to be safe and expect them to be as safe as possible. All of that security stuff is taken care of for you."

Stamos expects financial institutions and other security-sensitive businesses to adopt the new domain for their pages that handle transactions, for example, or sensitive data. "We're not trying to tell people to throw away your .com. You can create a namespace where you can do more secure things, so if you are a bank that runs hundreds of websites and have some website for users who do billion-dollar transactions," that site could go to the .secure domain, he says.

The .secure domain, which still must be approved by ICANN, will verify domain applicants' identities and continue to authenticate them after they acquire a domain. It mandates DNSSEC signing of every zone, TLS (SSL) for all Web sessions, and DKIM and TLS for SMTP email. Artemis also will enforce its acceptable-use and security-control policies, and will randomly scan subdomains for adherence to those policies, as well as for any malicious content, such as malware or phishing.

Stamos says verification will include a vetted physical address and a signed paper contract, as well as two-factor authentication. "No shenanigans are allowed ... no cybersquatting, phishing, or using words like 'bank' that sound legitimate" but are being abused by non-banks, for example, he says. "Every application will be approved or rejected by a full-time employee of our company."

Why a security-named domain? "We saw the Internet was in a period of malleability: DNSSEC is being deployed, IPv6 transition is [under way], and in the middle of all of that, this TLD [program] is happening. The Internet is now wet concrete again and we want to make a positive impact," Stamos says. "We wanted to take that opportunity to create new namespaces where old rules don't apply. You have to opt in and agree to [our] rules if you want to join."

[ Half of IT security experts either don't know what DNSSEC is or don't understand it very well. See DNSSEC Finally Comes To .com, But Secure DNS Still Has A Long Way To Go. ]

But critics say there shouldn't be a need for a separate, more secure domain space. Ideally, all sites would be secure. "In principle, the safe neighborhood idea is not without merit, but I would like to see it implemented with any domain name. With that and a commitment from browser vendors to support a special secure mode of operation, it just might work," says Ivan Ristic, director of engineering for Qualys. Ristic says it would require a large amount of collaboration among the affected parties because the Web ecosystem "is so diverse."

And there are a few big obstacles to establishing this new, more secure TLD, Ristic says, starting with existing branding. "The main problems I see are that companies have a significant branding investment in their existing domain names, and that they will not want to move elsewhere without good reason," he says. The best reason to go there would be "perceived security" for their customers, but even that is a tricky proposition, according to Ristic.

"But are people really going to understand what .secure provides assuming, for a moment, it does provide security? For example, we have EV [extended validation SSL] certificates right now, and people/consumers generally don't care," Ristic says.

And .secure will only be able to control so much about a website's security. "It does solve one problem: some bastard on a WiFi hotspot trying to man-in-the-middle your SSL connection. But it doesn't make a bank site more secure. It doesn't stop SQL injection," says Robert Graham, CEO of Errata Security.

Qualys' Ristic echoed the same concerns. "If there's an XSS problem, .secure sites are going to be equally vulnerable," he says.

Errata Security's Graham says the real driver of the new secure TLD will be the browser vendors. If Firefox and Chrome, for example, were to get on board, it would fly, he says. "This would be one step toward tying the SSL key to the DNS key. What everyone wants is for SSL to be based on the DNSSEC key," Graham says.
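Graham's "tying the SSL key to the DNS key" is what the IETF's DANE work (TLSA records, RFC 6698) standardizes; the article does not name it, so that mapping is an assumption here. The following is an added example, not code from the article, Artemis, or the Domain Policy Working Group: it computes the TLSA record a .secure zone operator would publish in a DNSSEC-signed zone for a server certificate, and the client-side check that a presented certificate matches that pin, using a constructed (not real) certificate skeleton as input.

```python
import hashlib
import hmac
# TLSA field values from RFC 6698 (DANE). Assumption: this is the mechanism the
# quote above alludes to; the article itself does not name it.
USAGE_DANE_EE, SELECTOR_FULL_CERT, SELECTOR_SPKI, MATCH_SHA256 = 3, 0, 1, 1

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, end offset)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the byte count of the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _elements(seq_value):
    """Split a DER SEQUENCE body into its raw child TLV byte strings."""
    out, pos = [], 0
    while pos < len(seq_value):
        end = _tlv(seq_value, pos)[2]
        out.append(seq_value[pos:end])
        pos = end
    return out

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    _, cert, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(_elements(cert)[0], 0)  # tbsCertificate ::= SEQUENCE
    fields = _elements(tbs)
    # SPKI follows serial, sigalg, issuer, validity, subject; version [0] is optional
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def tlsa_rdata(cert_der, selector=SELECTOR_SPKI):
    """Record data the zone operator publishes, e.g. '_443._tcp.host. IN TLSA 3 1 1 <hex>'."""
    data = cert_der if selector == SELECTOR_FULL_CERT else extract_spki(cert_der)
    return (USAGE_DANE_EE, selector, MATCH_SHA256, hashlib.sha256(data).hexdigest())

def tlsa_verify(cert_der, rdata):
    """Client side: does the certificate the server presented match the DNSSEC-signed pin?"""
    usage, selector, mtype, digest = rdata
    if usage != USAGE_DANE_EE or mtype != MATCH_SHA256:
        return False  # other usages and matching types are out of scope here
    return hmac.compare_digest(tlsa_rdata(cert_der, selector)[3], digest)

_der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER, sample only
# Constructed, minimal certificate skeleton (not a real or valid certificate): version,
# serial, empty sigalg/issuer/validity/subject, then an SPKI with dummy key bits.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
              + _der(0x03, b"\x00" + bytes(range(16))))
SAMPLE_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, SAMPLE_TBS + _der(0x30, b"") + _der(0x03, b"\x00\xde\xad"))
```

Because the pin covers only the public key when selector 1 is used, a certificate re-issued for the same key keeps matching, while the full-certificate selector 0 breaks on any re-issuance; either way the record is only trustworthy when the zone carrying it is DNSSEC-signed, which is exactly the requirement the article describes.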

Meanwhile, Artemis is working with other as-yet unnamed Internet companies under the auspices of the Domain Policy Working Group, which is creating a Domain Policy Framework specification that spells out how browsers and mail servers would implement .secure's security functions, for instance. The final spec will be submitted to the Internet Engineering Task Force (IETF).

Stamos expects ICANN to sign off on .secure, and for the new TLD to be up and running in June or July 2013. "We are building something for 50 years [out]. My goal is for my grandchildren and great-grandchildren to be using .secure domains," he says. The initial target customers will be financial institutions, social media sites, technology companies, and healthcare organizations, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comment (5/12/2012, 8:03:30 PM), re: New .secure Internet Domain On Tap:
What type of 2FA would be implemented? I've noticed many of the global cloud providers moving to the use of a telephone (mobile or other) as a form of a token where the user is asked to telesign into their account. Definitely think this is the way of the future!
Comment (5/11/2012, 2:50:04 PM), re: New .secure Internet Domain On Tap:
I think this is a good concept as long as it is well-managed.