Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

5/10/2012
04:04 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New .secure Internet Domain On Tap

'Safe neighborhood' top-level domain will require SSL, DNSSEC, and other security measures for websites

A new top-level domain (TLD) in the works for the Internet will bake security in from the outset: The .secure domain will require fully encrypted HTTPS sessions and a comprehensive vetting process for websites and their operators. If the new domain takes off, it could shift the way Web domains are secured.

It's basically a "safe neighborhood" on the Net, its creators say, and is one of the first next-generation TLDs to emerge from the new Internet Corporation for Assigned Names and Numbers (ICANN) program that opens up the TLDs beyond the 21 existing global domains that include .com, .org, .net, and .edu. Artemis Internet Inc., a wholly owned subsidiary of NCC Group plc, has applied with ICANN for the new .secure domain in the competition for thousands of new TLDs aimed at better classifying companies and people by industry, interest, or location.

"'Effortless security' is our tagline," says Alex Stamos, CTO at Artemis. "Right now, when you go to .com, you have to look for five different visual clues to figure out what's going on" security-wise, Stamos says. "If you type .secure, you're telling the server or organization that you want to communicate with that you want to be safe and expect them to be as safe as possible. All of that security stuff is taken care of for you."

Stamos expects financial institutions and other security-sensitive businesses to adopt the new domain for their pages that handle transactions, for example, or sensitive data. "We're not trying to tell people to throw away your .com. You can create a namespace where you can do more secure things, so if you are a bank that runs hundreds of websites and have some website for users who do billion-dollar transactions," that site could go to the .secure domain, he says.

The .secure domain, which still must be approved by ICANN, will verify domain applicants' identities and continue to authenticate them if they acquire a domain. It requires mandatory DNSSEC-signing of every zone, the use of TLS (SSL) for all Web sessions, and DKIM and TLS for SMTP email. Artemis also will enforce its acceptable use and security control policies, and randomly scan subdomains for adherence to those policies, as well as for any malicious content, such as malware or phishing.

Stamos says verification will include a vetted physical address and a signed paper contract, as well as two-factor authentication. "No shenanigans are allowed ... no cybersquatting, phishing, or using words like 'bank' that sound legitimate" but are being abused by non-banks, for example, he says. "Every application will be approved or rejected by a full-time employee of our company."

Why a security-named domain? "We saw the Internet was in a period of malleability: DNSSEC is being deployed, IPv6 transition is [under way], and in the middle of all of that, this TLD [program] is happening. The Internet is now wet concrete again and we want to make a positive impact," Stamos says. "We wanted to take that opportunity to create new namespaces where old rules don't apply. You have to opt in and agree to [our] rules if you want to join."

[ Half of IT security experts either don't know what DNSSEC is or don't understand it very well. See DNSSEC Finally Comes To .com, But Secure DNS Still Has A Long Way To Go. ]

But critics say there shouldn't be a need for a separate, more secure domain space. Ideally, all sites would be secure. "In principle, the safe neighborhood idea is not without merit, but I would like to see it implemented with any domain name. With that and a commitment from browser vendors to support a special secure mode of operation, it just might work," says Ivan Ristic, director of engineering for Qualys. Ristic says it would require a large amount of collaboration among the affected parties because the Web ecosystem "is so diverse."

And there are a few big obstacles with establishing this new, more secure TLD, Ristic says, starting with existing branding. "The main problems I see is that companies have a significant branding investment in their existing domain names, and that they will not want to move elsewhere without good reason," he says. The best reason to go there would be "perceived security" for their customers, but even that is a tricky proposition, according to Ristic.

"But are people really going to understand what .secure provides assuming, for a moment, it does provide security? For example, we have EV [extended validation SSL] certificates right now, and people/consumers generally don't care," Ristic says.

And .secure will only be able to control so much about a website's security. "It does solve one problem: some bastard on a WiFi hotspot trying to man-in-the-middle your SSL connection. But it doesn't make a bank site more secure. It doesn't stop SQL injection," says Robert Graham, CEO of Errata Security.

Qualys' Ristic echoed the same concerns. "If there's a XSS problem, .secure sites are going to be equally vulnerable," he says.

Errata Security's Graham says the real driver of the new secure TLD will be the browser vendors. If Firefox and Chrome, for example, were to get on board, it would fly, he says. "This would be one step toward tying the SSL key to the DNS key. What everyone wants is for SSL to be based on the DNSSEC key," Graham says.

Meanwhile, Artemis is working with other as-yet unnamed Internet companies under the auspices of the Domain Policy Working Group, which is creating a Domain Policy Framework specification that spells out how browsers and mail servers would implement .secure's security functions, for instance. The final spec will be submitted to the Internet Engineering Task Force (IETF).

Stamos expects ICANN to sign off on .secure, and for the new TLD to be up and running June or July 2013. "We are building something for 50 years [out]. My goal is for my grandchildren and great-grandchildren to be using .secure domains," he says. The initial target customers will be financial institutions, social media sites, technology companies, and healthcare organizations, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Securbob
50%
50%
Securbob,
User Rank: Apprentice
5/12/2012 | 8:03:30 PM
re: New .secure Internet Domain On Tap
-What type of 2FA would be implemented? I've noticed many of the global cloud providers moving to the use of a telephone (mobile or other) as a form of a token where the user is asked to telesign into their account. Definitely think this is the way of the future!
Steeltemplar
50%
50%
Steeltemplar,
User Rank: Apprentice
5/11/2012 | 2:50:04 PM
re: New .secure Internet Domain On Tap
I think this is a good concept as long as it is well-managed.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.