.safe .shenanigans

Dave G. | April 10th, 2007 | Filed Under: Slashdot Rounddown

Over at India enews, there is an article where F-Secure apparently suggests that we would benefit from yet another domain name. This time instead of trying to have the adult entertainment business self-regulate, they are suggesting:

If ICANN introduced a .safe domain (or .sure or .bank), which could only be used by registered financial institutions, it would allow security providers to create better software to protect the public, according to F-Secure. It would be similar to other top level domain names such as .uk and .gov.

“While a .safe domain name won’t prevent phishing attacks, it will help banks and security providers to keep their customers safe,” said Patrik Runald, Senior Security Specialist at F-Secure. “Banks need to take on some of the responsibility for protecting their customers and using a secure domain name such as .safe will give customers the reassurance they need when banking online.”

There are a number of problems with this (besides the who-gets-to-call-themselves-a-registered-financial-institution question, and the amount of effort and money that will be spent on this). The main one is that it won’t be that effective. This is a user education problem, and it won’t get solved by telling everyone, “just look for .safe”.

What .safe does solve is the problem of AV vendors having to figure out what is good and what is bad. This will basically:

  1. Cause banks to spend a ton of money in order to
  2. Decrease the costs of AV companies who have to invest crazy amounts of money in maintaining software that will always be evaded in order to, maybe, possibly, kinda
  3. Reduce the risk of the customer

Even F-Secure says:

“While a .safe domain name won’t prevent phishing attacks, it will help banks and security providers to keep their customers safe,” said Patrik Runald, Senior Security Specialist at F-Secure. “Banks need to take on some of the responsibility for protecting their customers and using a secure domain name such as .safe will give customers the reassurance they need when banking online.”

I want to apologize for the lack of posting these days. We are all supremely busy. When we get more breathing room, you will see a continuation of Tom’s Blogus Magnum “The Case Against DNSSEC”, and a couple of other treats.

3 Comments so far

  • Matt

    April 10th, 2007 8:38 pm

    FTA: Right now, customers have no good way of automatically being able to tell whether or not a bank website belongs to the bank.

    Right now, customers can’t tell the difference between http://www.bank.com and http://www.bank.com@evil.net (feel free to substitute your personal favorite URL obfuscation technique). I presume the nice folks at F-Secure know this, so how do they expect changing “com” to “safe” in that example to fix anything?
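The obfuscation Matt points at, and the post's own point that a .safe TLD mostly offloads the "what is good and what is bad" decision from AV vendors onto the banks, both come down to the same question: what does "look for .safe" actually check? The script below is an added example, not code from the post or its commenters. It uses constructed sample URLs (the `.example` hosts are placeholders) and contrasts the eyeball test, "does the string contain .safe", with a parse-based check on the host a browser would really connect to, which is what any filter keyed on a .safe TLD would have to do.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the post): a genuine ".safe" login page
# and three look-alikes built with userinfo, a subdomain, and a path.
SAMPLE_URLS = [
    "http://www.bank.safe/login",
    "http://www.bank.safe@evil.example/login",
    "http://www.bank.safe.evil.example/login",
    "http://evil.example/www.bank.safe/login",
]


def naive_looks_safe(url: str) -> bool:
    """The eyeball test the article relies on: does '.safe' appear anywhere in the URL?"""
    return ".safe" in url.lower()


def effective_host(url: str) -> str:
    """Host the browser actually connects to. urlsplit().hostname discards the
    userinfo ('user@') and the port, which is exactly what the eye does not."""
    return urlsplit(url).hostname or ""


def has_userinfo(url: str) -> bool:
    """True if the URL carries a userinfo component; a bank login link never needs one."""
    return urlsplit(url).username is not None


def host_in_tld(url: str, tld: str = "safe") -> bool:
    """Strict check: the parsed host itself ends in the given TLD label."""
    labels = effective_host(url).split(".")
    return len(labels) >= 2 and labels[-1] == tld


def audit(url: str, tld: str = "safe") -> dict:
    """Compare the naive string test with the parse-based test for one URL."""
    return {
        "url": url,
        "naive_looks_safe": naive_looks_safe(url),
        "host": effective_host(url),
        "has_userinfo": has_userinfo(url),
        "host_in_tld": host_in_tld(url, tld),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = audit(u)
        verdict = "OK" if r["host_in_tld"] and not r["has_userinfo"] else "SUSPECT"
        print(f"{verdict:8} naive={r['naive_looks_safe']!s:5} host={r['host']:28} {u}")
```

The naive test accepts all four URLs; the parse-based test accepts only the first, and separately flags the userinfo form. A filter that wants to get any value out of a .safe TLD has to key on the parsed host, not on the string a user sees, which is the same classification work the post says vendors would be shifting to the banks.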

  • Chris_B

    April 10th, 2007 10:18 pm

    Dave,

    “who gets to call themselves a financial institution” is not a hard problem. Governments get to define that. Unfortunately for the greater problem, not all governments agree on what level of responsibility financial institutions must bear to solve the issues at hand. The problem is more that this is yet another attempt to peddle a non solution by shifting the blame.

    As much as anti virus software is a license to print money, I wouldn’t buy AV stocks now because at some point, enough buyers are going to figure out that it’s a losing game.

  • Stodgy Banker

    April 10th, 2007 10:51 pm

    FTA: “The .safe domain would certainly help in these cases as users would know that any other domain is to be considered unsafe.”

    Why does .safe mean that other domains are therefore unsafe? This is yet another symptomatic relief arms race similar to EV certs. Basically blackmailing financial institutions into paying for the validation that SSL cert issuers should already be doing anyway does not help consumers. Next announcement will be that the browser bar will turn rainbow-colored and you will get a free pony when you visit a .safe site with an EV cert.
