Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/17/2012
06:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Selling A Secure Internet Domain

PayPal among organizations invited to help shape security protocol for .secure that also can be used in existing domains

PayPal is among the as-yet unnamed organizations invited to join a new working group that ultimately will build the framework for the proposed .secure top-level Internet domain that also can be used in any existing domain as well.

The new .secure TLD, which was announced earlier this month, will include fully encrypted HTTPS sessions and a comprehensive vetting process for websites and their operators. It has been billed as a "safe neighborhood" on the Internet, and is one of the first next-generation TLDs to emerge from the new Internet Corporation for Assigned Names and Numbers (ICANN) program that opens up the TLDs beyond the 21 existing global domains that include .com, .org, .net, and .edu. Artemis Internet Inc., a wholly owned subsidiary of NCC Group plc, has applied with ICANN for the new .secure domain in the competition for thousands of new TLDs aimed at better classifying companies and people by industry, interest, or location.

If the new domain takes off, it could alter the way Web domains are secured, as well as what users see when they enter a secured site. Security experts say the initiative has some big hurdles to clear first, however, and much of it involves logistics and not necessarily technology.

It's unclear whether PayPal will definitely participate in the Domain Policy Working Group, which was formed this month to build a framework for the security standards that will be required of the new secure TLD, and submit the specifications to the Internet Engineering Task Force (IETF).

But a blog post last week by a PayPal risk management professional appeared supportive of the initiative. Brad Hill, a member of PayPal's risk management group, said in the Information Risk Management blog that his company had been invited by .secure TLD creator Artemis to participate in the Domain Policy Working Group.

"We have identified the need for and advocated uniform security policy frameworks to address Web security," Hill blogged. "As such, we support the opportunities presented by the Domain Policy Framework (DPF) for broader adoption of these and other security technologies."

But Hill told Dark Reading that he is unable to discuss the .secure and Domain Policy Working Group efforts, and noted that The Security Practice blog is not an official PayPal communications channel.

"We are encouraged by the effort to create user-recognizable spaces on the Internet where uniform and modern best practices for security and safety will be enforced. We also look forward to a time when domain registrants will be held to high standards for truthful and accurate self-identification, trustworthy operation, and protection of users," Hill said in his post. "As the viability and benefits of such an approach are demonstrated in parts of the new gTLD space, we hope this work will help accelerate efforts to enable a safer Internet everywhere, for all users."

Overall, security experts have welcomed the .secure concept in the spirit of improving Internet security rather than solely finding ways to break it. "I applaud anything anyone can do that's something constructive," says Richard Bejtlich, CSO at Mandiant.

The good news is that the new domain doesn't require tearing apart existing infrastructure. "We can't make the Web any more secure unless we break convention and backward-compatibility, and no one is willing to do that. The benefit of .secure is that you don't have to start over ... they're not boiling the ocean," says Jeremiah Grossman, CTO and founder of WhiteHat Security. The TLD can make a difference by mandating that certain security measures be on by default in browsers and websites -- such as SSL or secure flags -- in order to operate, he says.

The .secure domain will verify domain applicants' identities and require mandatory DNSSEC-signing of every zone, use of TLS (SSL) for all Web sessions, and DKIM and TLS for SMTP email. It also will support only a preapproved list of legitimate and secure certificate authorities.

[ The recent rash of breaches among certificate authorities has left a bad taste in enterprises' mouths. For a look at what's wrong and what's next, see What's Next For Certificate Technology?. ]

But Grossman says .secure will also pose something of a marketing exercise on how to provide end users the best visual cues and information to ensure they can and will use the secure domain.

Mandiant's Bejtlich says this may be too technical a concept for the man on the street. "I feel this is so much inside baseball that it's not going to resonate for the person on the street ... The trust people have is in the companies who operate the website, not in any part of the infrastructure or domain," he says.

Alex Stamos, CTO at Artemis, says the goal is for the secure domain to do everything for the user to be secure in his or her transaction, enforcing security settings on the server side as well as on the browser side, for instance. "Once you type '.secure,' all of that will be taken care of for you," he says.

And part of that equation is enforcing the security protocols and clean websites of the domain owners. Stamos says the Domain Policy Working Group's protocol will be the standard by which .secure domain owners must adhere. "We will have an engineer randomly scanning subdomains ... we will very vigilantly police this neighborhood for bad actors" as well, he says.

Stamos yesterday posted an FAQ to address some of the questions and concerns about how the new domain would operate. "Security is a process, not a destination, and we will need to be clear that we are looking to improve the horrible level of trust on the Internet but are not so arrogant as to think that we can solve all problems for all users all at once," Stamos wrote in the FAQ.

"No one can promise perfection. What we are promising is that Artemis and the .Secure domain holders are engaged in a continuous process of testing, improvement and if necessary, vigorous response. This is certainly more than you will get from .com or any other announced gTLD," he wrote.

Meanwhile, Grossman says enforcement won't be easy because there's the potential for a conflict of interest for the domain provider. "That's something they are going to have to address. Alex is well-aware of this," he says. Suspending or penalizing a subdomain for security violations ultimately could cost the .secure domain provider money, he says. "That's a tough decision they will have to make every day," Grossman says.

Whether organizations will be willing to pay for a domain that mandates these security requirements in order to operate it is the big question. Mandiant's Bejtlich says he doesn't think organizations will be willing to pay for that while the domain operator tells it how to "run its business."

"My guess is the best you could hope for is to pursue standards for better implementation of [security] technologies and also some type of code of conduct," he says. "But you retain control of how you operate on the Net."

Overall, though, he says he favors Artemis' goal. "I love the fact that they are trying to do something constructive," Bejtlich says. "It's all about trust and business that causes the most conflict."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.