F-Secure Calls for '.safe' TLD

CmdrTaco posted more than 7 years ago | from the internet-laughs-at-f-secure dept.

Security 243

Rajesh writes "According to F-Secure, ICANN (Internet Corporation for Assigned Names and Numbers), the organization responsible for the global coordination of the Internet's system of unique identifiers, should introduce a .safe domain name to be used by registered banks and other financial organizations."

243 comments

FrMMMN (0, Troll)

Helen Keller (842669) | more than 7 years ago | (#18674107)

MMmmmmnehPOTS!

Automated Trolling System (-1, Troll)

TrollBot1.11 (1086471) | more than 7 years ago | (#18674115)

Welcome to the Automated Trolling System. Using the latest technology, we are striving for a new generation of /. trolling. We shall usher in this glorious new era with pride in our hearts.

But how does it work? Using the latest technology called PHP we have optimised a scraping technique to detect new stories to troll, as well as sending POST requests for inserting of the troll post. TrollBot1.1 requires very little human intervention.

Why not download a copy here? [nimp.org] We have decided to make the Automated Trolling System an open source project, so you will be able to troll automatically using your web browser.

Please bear with us while we work out the bugs, and continue to optimize your experiences of being trolled. We also appreciate any feedback.

Re:Automated Trolling System (0, Informative)

Anonymous Coward | more than 7 years ago | (#18674195)

I don't advise clicking that link.

Re:Automated Trolling System (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18674219)

automated trolling is sooooo lame

Where is the sport in that?

Re:Automated Trolling System (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18674543)

Thanks for an interesting question. The point is through our work we will be able to bring the art of trolling to a wider userbase. Many people would like to troll more often, but lead busy lives and so cannot. This is where the Automated Trolling System comes in.

And because it is now open source, people can see the code we use to create automated troll posts.

Regards, - the TrollBot1.1x dev team

Maybe its just me.. (3, Insightful)

mulvane (692631) | more than 7 years ago | (#18674141)

But wouldn't something a little more, well, financially sound be better? .safe just makes me think of child protection sites, law enforcement security boards and such. I know .fin is taken, but how about someone put a little more thought into this one. I agree we possibly COULD use a .safe, but for other purposes.

Re:Maybe its just me.. (3, Interesting)

kisrael (134664) | more than 7 years ago | (#18674171)

The choice of ".safe" also sounds like blatant propaganda...

Re:Maybe its just me.. (5, Funny)

smallfries (601545) | more than 7 years ago | (#18674249)

Exactly, how many people would pay for an .unsafe tld?

So once 95% of all websites decide that they want to be safe, how do we organise the namespace? How about .com.safe, .gov.safe, .net.safe....

Then all we do is turn off the .unsafe domain and we're done!

Re:Maybe its just me.. (4, Funny)

thsths (31372) | more than 7 years ago | (#18674327)

> So once 95% of all websites decide that they want to be safe, how do we organise the namespace?

That should be easy: .safe, .extrasafe, .doubleplussafe, .360safe etc. The only limit is the amount paid to the registrar :-)

Re:Maybe its just me.. (0)

Anonymous Coward | more than 7 years ago | (#18674789)

I think the whole thing is just an invitation to safe-crackers: "Here's something we don't want you to access!"

Re:Maybe its just me.. (4, Funny)

geekoid (135745) | more than 7 years ago | (#18674471)

You don't let '95%' of all domains use it.

So financial institutions get it, but "we're not a bank" Paypal wouldn't.
That's a shiv I would love to see paypal get.

Re:Maybe its just me.. (2, Interesting)

Corporate Troll (537873) | more than 7 years ago | (#18674853)

I can't receive PayPal payments exactly because PayPal isn't legally a bank and/or financial institution in my country. It sucks.... At least I can use it for paying, that's not a problem (somehow...)

Re:Maybe its just me.. (3, Funny)

borawjm (747876) | more than 7 years ago | (#18674571)

> Exactly, how many people would pay for an .unsafe tld?

I'm going to be the first to register un.safe and claim that it is a "safe" website


Re:Maybe its just me.. (1)

aussie_a (778472) | more than 7 years ago | (#18674647)

> Exactly, how many people would pay for an .unsafe tld?

At least 1. I'd pay for the domain www.not.unsafe

Re:Maybe its just me.. (5, Funny)

gEvil (beta) (945888) | more than 7 years ago | (#18674413)

Agreed. We should also create a .terror domain--it'd help make tracking down those evil evil terra-ists that much easier...

Re:Maybe its just me.. (0, Troll)

aussie_a (778472) | more than 7 years ago | (#18674599)

Given that George W. Bush has single handedly raised the terror level by his constant "we're under attack" alarmist speeches, does that mean whitehouse.gov would have to move over to whitehouse.terror?

Not only that... (4, Insightful)

Pollux (102520) | more than 7 years ago | (#18674665)

But it also sounds like an inviting and tempting invitation for hackers to prove that nothing is ".safe"

What next? Will someone build a ship and claim it's unsinkable? Oh wait...

Re:Maybe its just me.. (1)

SatanicPuppy (611928) | more than 7 years ago | (#18674691)

More like wishful thinking.

"Must be safe, it's a .safe site."

I can see a reason for a .xxx tld, that makes perfect sense, because it's descriptive of the content. .safe isn't descriptive of crap...You know there will be unsafe .safe sites.

When I was young and full of myself, I used to set up my security systems to "talk smack" when I foiled cracking attempts...Took me only a very little amount of time to realize that this sent the wrong message, because when you frame it in the terms of a challenge, the crackers dust off their A game to make you eat your words. .safe? How about .stupid, or .unsafe?

Re:Maybe its just me.. (1)

CastrTroy (595695) | more than 7 years ago | (#18674819)

It's like they keep on calling Oracle "Unbreakable". Issue a challenge and the hackers will meet it. Everybody who really knows what they're doing keeps their databases behind firewalls so you can't access them from the outside. It doesn't matter if somebody says it's unbreakable, because it's not worth taking the risk.

Re:Maybe its just me.. (2, Insightful)

BDPrime (1012761) | more than 7 years ago | (#18674177)

The article suggests .bank as well. That could be OK, but what about financial firms that might not consider themselves banks?

Re:Maybe its just me.. (3, Insightful)

eln (21727) | more than 7 years ago | (#18674801)

Or financial sites that studiously avoid calling themselves a bank, even though they clearly are one, in order to avoid being regulated like a bank. Such as Paypal.

Also, .safe is just asking for trouble. It gives people an even greater false sense of security than they already have about "secure" websites. Might as well just call it .lawsuit-magnet.

Re:Maybe its just me.. (4, Interesting)

goombah99 (560566) | more than 7 years ago | (#18674201)

How about .careful? To remind people not to assume something is safe from its name. Otherwise please click on my NotAVirus.exe.

Who will accredit third world banks such as the FIRST BANK OF JOSEPH ENTBE OF NIGERIA?

Re:Maybe its just me.. (2, Funny)

ozbon (99708) | more than 7 years ago | (#18674341)

How about .legit ?

*grin*

Re:Maybe its just me.. (1)

CastrTroy (595695) | more than 7 years ago | (#18674365)

Only if I'm allowed to buy too.legit. :)

Re:Maybe its just me.. (2, Funny)

warpSpeed (67927) | more than 7 years ago | (#18674541)

> Only if I'm allowed to buy too.legit. :)


www.too.legit.to.quit
and
www.hammer.time

Re:Maybe its just me.. (1)

teh kurisu (701097) | more than 7 years ago | (#18674333)

I'm actually mystified as to why UK banks don't use the .plc.uk domain, which is reserved for publicly listed companies.

Re:Maybe its just me.. (1)

i.r.id10t (595143) | more than 7 years ago | (#18674403)

Don't feel bad. I'm miffed that the government uses .com's (and .nets, etc) instead of .gov. I also think they shoulda given a .gov domain for the yearly free credit report stuff. As much as I trust myself, before entering all that juicy info, I actually found links to the .com from the .gov websites, etc. first...

Re:Maybe its just me.. (1)

RealSurreal (620564) | more than 7 years ago | (#18674463)

Why should they? Nobody else uses it unless the .co.uk they really wanted is already taken.

Re:Maybe its just me.. (1)

teh kurisu (701097) | more than 7 years ago | (#18674513)

Because there aren't many publicly listed phishers.

Re:Maybe its just me.. (1)

RealSurreal (620564) | more than 7 years ago | (#18674715)

Yes but they'd still need the .co.uk variation as that's what people expect to use. And anyway, the problem with phishing is that people don't read the URL or pay any attention to the SSL status. I can't set up a phishing site at genuinebank.co.uk (cause Genuine Bank will already be using it) any more easily than I can at genuinebank.plc.uk.

Re:Maybe its just me.. (1)

aussie_a (778472) | more than 7 years ago | (#18674339)

How about .mon for money? Oooh, I know .scr for screw you over!

Re:Maybe its just me.. (1)

ozbon (99708) | more than 7 years ago | (#18674701)

.scr would be wanted by all the writers of screensavers too...

Maybe .fku ?

Re:Maybe its just me.. (0)

Anonymous Coward | more than 7 years ago | (#18674397)

Sounds like the bankers have started using the typosquatters' own tactics against them. "This site is SAFE, because the domain name says so!"

Re:Maybe its just me.. (1)

jmo_jon (253460) | more than 7 years ago | (#18674745)

I say rock on!

As long as I get quite.safe and not.safe

.safe (2, Funny)

voice_of_all_reason (926702) | more than 7 years ago | (#18674157)

Brought to you by King Canute. Make things happen by simply commanding them to be so!

(yes, I'm well aware that interpretation of the story is incorrect).

Re:.safe (1)

UnknowingFool (672806) | more than 7 years ago | (#18674567)

Wouldn't it just be easier if evil doers used the evil bit? :)

As a matter of principle... (5, Insightful)

rlthomps-1 (545290) | more than 7 years ago | (#18674169)

I just don't trust anything that comes out and says "trust me, I'm safe." This isn't a good idea, it teaches people to let their guard down as opposed to being aware of the risks of blanketly trusting a website. What if someone gets some exploit code on one of these sites? I think it'll just take a few notable hacked up websites before the whole trust of .safe is lost.

Re:As a matter of principle... (2, Insightful)

epiphani (254981) | more than 7 years ago | (#18674321)

> What if someone gets some exploit code on one of these sites?

Why, F-secure can offer a service to make sure this doesn't happen! In fact, why not just say F-secure is responsible for validating sites in this TLD. That would be great.

The idea isn't really flawed, but the source is questionable. It's like a company that makes carbon filtering equipment says that all power plants should meet X carbon emissions. Great idea, not news, and blatantly self-serving.

Re:As a matter of principle... (0)

morgan_greywolf (835522) | more than 7 years ago | (#18674325)

Not to worry. You'll have no problem detecting unsafe traffic on .safe because all other traffic will have to have the evil bit [ietf.org] set!

Re:As a matter of principle... (1)

aussie_a (778472) | more than 7 years ago | (#18674377)

Here's a question: Do you trust Google? Or are they an exception to the rule?

Re:As a matter of principle... (1)

buro9 (633210) | more than 7 years ago | (#18674391)

http://mydomain.com/ [mydomain.com]

I can see this working already ;)

The tools are already in existence to secure communications, and they are already in use. The flaw in the system is not the domain names or secure connections but the users who are deceived into accessing other sites and to give up personal details. .safe will not end deceptive practices, especially when success = money.

Education is the way to secure users, that and banks and other entities that really require security actually employing some decent security.

What's that thing again? You're only secure if you have two out of three of the following: something you know, something you have, and something you are. Many financial institutions continue to base their entire security on just one of those things; of course this is made a mockery of with the aid of a little social engineering.

Re:As a matter of principle... (1)

buro9 (633210) | more than 7 years ago | (#18674427)

My original link was:
http : // www . barclaysbank . safe @ mydomain . com /

It's nice to see that slashdot takes care of that anyway.

Re:As a matter of principle... (1)

mikkelm (1000451) | more than 7 years ago | (#18674621)

Moot point.

Any site is vulnerable at any time regardless of whether it has .com, .safe or .thiswaytoidentitytheft domains pointing to it. The trust that a site with a .safe domain pointing to it would enjoy would stem not from a reputation of security among sites accessible by .safe domains, but from the registration requirements.

People will always be fooled. You can always spoof domains and TLDs with malware. The thing is that a .safe domain would remove a good deal of attack vectors without adding any new ones.

Re:As a matter of principle... (1)

AikonMGB (1013995) | more than 7 years ago | (#18674869)

Just like when Firefox turns your address bar yellow when you're visiting a "secure" website? Sure, the website may be secured, but is it secured to the servers you think you're accessing? You still have to be careful to make sure you're at the right place.. just because a website has SSL enabled with a valid certificate doesn't mean they are going to play nicely with all the data you type into their forms.

Aikon-

Re:As a matter of principle... (2, Informative)

Bogtha (906264) | more than 7 years ago | (#18674895)

> What if someone gets some exploit code on one of these sites?

This has already happened: Hacked Chinese Bank Server Phishes for US Banks [slashdot.org] .

Not going to help (2, Insightful)

CastrTroy (595695) | more than 7 years ago | (#18674175)

As long as people continue to click on links they get in emails, and not verify that they are actually at their bank's website, then there's going to be problems with phishing. It doesn't matter if the url ends in .com, or .ca, or .safe, or .xxx. If you're clicking on links in emails and getting scammed, then changing the domain name won't help anything. I'm surprised there's not more worms out there that change your hosts file, to show you a phishing site when you type in the actual url of your bank. I guess it really is that easy to get somebody to click on a link in an email, because they haven't resorted to more complicated methods.

Re:Not going to help (3, Funny)

networkBoy (774728) | more than 7 years ago | (#18674225)

so we need a .safe and a .scam domain?
Likely won't make a lick of difference though.
-nB

Re:Not going to help (1)

BDPrime (1012761) | more than 7 years ago | (#18674729)

Actually, it could. All the scams would be on the .safe domain, so if legitimate businesses were smart, they'd set up shop on the .scam domain. Then we'd know that if we didn't want to be scammed, we could go to a .scam domain. Oh, but then the scams would catch on to that little trick, wouldn't they? Drat!

Because you know (5, Insightful)

dctoastman (995251) | more than 7 years ago | (#18674181)

People are infallible and immune from social engineering attacks and there is no way a shady organization would ever get a .safe domain.

Countdown... (5, Insightful)

Yoozer (1055188) | more than 7 years ago | (#18674187)

Count down to the first case where a .safe domain is corrupted because of nepotism, fraud, forgery, what-have-you.

A TLD does not solve this problem. An alert user does, aided by tools like regular check-ups, challenge-response systems or cryptography.

We've all heard how some corporations lose several thousands of records of personal data. What does that .safe TLD mean, in that case?

Re:Countdown... (1)

CastrTroy (595695) | more than 7 years ago | (#18674301)

I would like to know why more banks don't offer more secure methods of authentication like RSA keytags and such. This would completely wipe out most of the problems with phishing. Instead they think up other useless methods like making you click on an onscreen keypad to enter your password, or asking you what your favourite movie is. I think that many people would pay for the keytag themselves if they were presented with the option, just for having the peace of mind knowing they are more secure. I know I would.

Re:Countdown... (1)

aussie_a (778472) | more than 7 years ago | (#18674443)

> Instead they think up other useless methods like making you click on an onscreen keypad to enter your password

How is that useless? When you consider they're in an arms race, it's a delaying tactic (as all tactics are). At the moment most criminals employ keystroke loggers, not screen captures. As such onscreen keypads thwart most criminals who would try to steal your details through your computer usage. When it becomes more popular the criminals will begin employing methods that capture the screen, and so banks will move onto the next delaying tactic.

Re:Countdown... (1)

CastrTroy (595695) | more than 7 years ago | (#18674765)

Why not pick something that will last a bit longer? Instead of doing something along the lines of "that should hold them off for a couple months", or "it's 1/2 a step better than our competitors who have equally crappy security measures" or "it's not actually more secure, but our dumb users will think it is", they should be putting security measures in place that will actually make a difference, and won't be broken by crackers in a matter of weeks.

Great but... (4, Insightful)

otacon (445694) | more than 7 years ago | (#18674213)

People are still pretty dumb and easily tricked, the kind of people that get duped into putting their info in a phishing site are the same people that could be tricked by a fake URL...i.e. safe.financialsite.com or yourbank.com/safe or any other obvious ways to add safe into a URL.

Re:Great but... (3, Insightful)

l0b0 (803611) | more than 7 years ago | (#18674587)

A lot of people seem to be completely oblivious to URLs. You could use insecure.stayaway.ng/porn without raising suspicion from *pulls out a number* 83% of the population.

How about a .mal domain? (0)

Anonymous Coward | more than 7 years ago | (#18674217)

At least then we'd know when our browsers were being attacked. I can imagine Firefox being enhanced to flash the URL bar in red, skull and crossbones icon, etc.

How will it protect users from their own idiocy? (4, Insightful)

140Mandak262Jamuna (970587) | more than 7 years ago | (#18674237)

People respond to phishes and Nigerian scams and give all their usernames and passwords voluntarily without ever touching their banks or the safe domains. How can banks protect against such users? Why should it be the bank's responsibility to tell the customers, "It is not a good idea to paint your user name and password on the side of your home in 26-inch high letters"?

Will this really make a difference? (3, Insightful)

FredDC (1048502) | more than 7 years ago | (#18674243)

I don't think so...
 
There will always be idiots, who will fill in their credit card information at visa.safe.ru!

Thats all well and good (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18674255)


until the trojan redirects the DNS which would nev..... whoops [google.com] , ahh yeah but wouldn't the SSL certificate give it away you ask? not if you install your own wildcarded cert which would never hap... whoops [wikipedia.org]

It's not the name that's the problem, it's educating people on the threat of phishing

Premium (1)

gratemyl (1074573) | more than 7 years ago | (#18674265)

From TFA:

"It's true this will mean banks have to pay a premium to be able to use the domain name, [...]


OMG...how much would it cost to verify a financial institution? The domain name costs nearly nothing to maintain, only the checking - .safe domains would cost ICANN *very* little more than any other domain, and that extra cost would not result in a loss if they keep the same prices - they just make less profit. They are already making enough $$$.

<sarcasm>But then, of course ICANN is interested in the public good...</sarcasm>

Dpends, i (1)

geekoid (135745) | more than 7 years ago | (#18674415)

If they truly want a serious attempt at this, maybe they fly someone to the institution to talk to the CEO?

Re:Dpends, i (1)

gratemyl (1074573) | more than 7 years ago | (#18674507)

Will talking to the CEO make it any more ".safe" than it would be with the official documents confirmed (over telephone) by the local government? And that surely cannot be so expensive, we call it collaboration (the one thing governments are best at *err*).

Re:Dpends, i (1)

aussie_a (778472) | more than 7 years ago | (#18674687)

But I could have rerouted their telephone so when they call it goes to my number instead.

Re:Dpends, i (1)

gratemyl (1074573) | more than 7 years ago | (#18674921)

WOW, you know how to intercept government phone lines. Mind dropping by here in Germany to show me how?

Thanks!

Re:Premium (1)

arivanov (12034) | more than 7 years ago | (#18674525)

> OMG...how much would it cost to verify a financial institution?

Nothing. Or to be more exact, nothing on top of the already existing mechanisms. The verification mechanisms are already in place. Joe Bloggs cannot get a SWIFT address or a Federal Reserve deposit insurance. Joe Bloggs cannot register himself as a bank. All you have to do is convince the relevant institutions in each participating country to participate in the approval process.

Not that it will make any difference as the loser will continue clicking on links sent to them in email.

Is it useful? (4, Insightful)

efence (927813) | more than 7 years ago | (#18674275)

There is a much greater need to tell when a site is NOT safe. There is a reason that URLs with IP addresses and domain names such as "www.paypal.secure.dodgydomain.info/..." are still effective. Introduction of a new TLD is not a replacement for user education.

Re:Is it useful? (1)

geekoid (135745) | more than 7 years ago | (#18674499)

I wish they would institute a pop-up when the mouse is over links.

That may have a better chance of drawing the user's attention to where they are actually going.

Re:Is it useful? (1)

zoobsolar (934527) | more than 7 years ago | (#18674629)

I believe this may have been mentioned a few years ago in an RFC. .safe TLD is a waste of time and money, 'nuff said.

Assumptions (2, Insightful)

hack slash (1064002) | more than 7 years ago | (#18674281)

If a .safe TLD was introduced then too many people would automatically have the assumption that their PC would never be infected from visiting a .safe site nor would its details on them ever be compromised. I don't believe anyone can say with 100% certainty that all .safe domains would be hacker proof, in fact I think hackers would be much more attracted to trying to break into .safe sites in the knowledge that people wouldn't automatically be vigilant when visiting those sites.

Re:Assumptions (2, Insightful)

geekoid (135745) | more than 7 years ago | (#18674381)

True, but it would decrease risk, which is what security implementation is really about.

They would need to implement some tough rules for who can register them for it to have a chance of working. Something I don't think they have the backbone to do.

All this assumes people actually look at where a link goes before clicking it.

I have a better idea! (2, Funny)

140Mandak262Jamuna (970587) | more than 7 years ago | (#18674293)

Let us create a separate domain for phish hosts! All phishing sites must clearly identify them as phishing sites to get a chance to be listed in that domain. Of course, compliance is voluntary. It makes as much sense as the safe domain for the banks.

Not a new idea. (2, Interesting)

bigmaddog (184845) | more than 7 years ago | (#18674297)

This sounds a whole lot like RFC #3514 [rfc.net] to me, except on a higher level, which makes the idea at least four years old.

White listing vs black listing (2, Informative)

Anonymous Coward | more than 7 years ago | (#18674455)

It is not the same thing. This proposal calls for whitelisting. In contrast the joke required that bad people blacklist themselves.

Enumerating badness is a bad idea from a security point of view:
http://www.ranum.com/security/computer_security/editorials/dumb/ [ranum.com]

Enumerating goodness might work, but raises many issues. Who does it, based on what criteria and how are the criteria enforced?

Why do people keep demanding the DNS to solve all the problems in the world? It's just an address book, not the solution to world hunger. Oh, maybe that is the next TLD proposal: .endworldhunger

Bad idea (1)

ProfessionalCookie (673314) | more than 7 years ago | (#18674319)

Domain names are too easy to fake. That's all. Perhaps a better name system?

..This calls for Marathon Man(!) (1)

newr00tic (471568) | more than 7 years ago | (#18674355)

..I mean, after all;

isit.safe

? =]

insert favourite "I'm probably gonna get modded down for this" -string here. ;)

safe = !safe (1)

symes (835608) | more than 7 years ago | (#18674369)

But surely, to the inexperienced, anything can look "safe" e.g. www.urbank.safe [bizarremag.com] . As others have already suggested above, it's better to educate than attempt structural changes to protect the naive.

Nice idea but... (2, Informative)

JohnnyBigodes (609498) | more than 7 years ago | (#18674379)

... I don't think it will work, at least not how they think.

Many worms change your HOSTS file and there's also the good ol' DNS poisoning, so this ".safe" thing can't be 100% trusted. And if it can't be 100% trusted, we might as well stick to what we (don't) have.
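Added example, not part of any comment in the thread: a check for the hosts-file tampering mentioned here and in CastrTroy's earlier comment. It lists every hosts entry that pins a watched bank name to an address, since such names should normally be resolved through DNS. The watched name, the sample file content and the addresses are constructed for illustration.

```javascript
// Added example. WATCHED and SAMPLE_HOSTS are constructed; the addresses
// come from the ranges reserved for documentation.
const WATCHED = ["mybank.safe"];

const SAMPLE_HOSTS = [
  "127.0.0.1     localhost",
  "::1           localhost          # loopback",
  "# 198.51.100.9 mybank.safe       (commented out, must be ignored)",
  "203.0.113.66  www.mybank.safe mybank.safe",
  "0.0.0.0       ads.example",
  "203.0.113.66  notmybank.safe     # different name, not a match",
].join("\n");

// True when `name` is a watched domain or a subdomain of one.
function isWatched(name, watched) {
  const n = name.toLowerCase().replace(/\.$/, "");
  return watched.some((d) => n === d || n.endsWith("." + d));
}

// Parse hosts-file text ("address name [name ...]", '#' starts a comment)
// and return every entry that overrides a watched name.
function findHostsOverrides(hostsText, watched) {
  const domains = watched.map((d) => d.toLowerCase());
  const hits = [];
  hostsText.split(/\r?\n/).forEach((line, index) => {
    const fields = line.replace(/#.*$/, "").trim().split(/\s+/);
    if (fields.length < 2) return; // blank line, comment, or address only
    const [address, ...names] = fields;
    for (const name of names) {
      if (isWatched(name, domains)) {
        hits.push({ line: index + 1, address, name });
      }
    }
  });
  return hits;
}

// Stand-alone run: print the suspicious entries found in the sample.
for (const hit of findHostsOverrides(SAMPLE_HOSTS, WATCHED)) {
  console.log(`line ${hit.line}: ${hit.name} pinned to ${hit.address}`);
}
```
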

Re:Nice idea but... (1)

aussie_a (778472) | more than 7 years ago | (#18674545)

Well actually, that's somewhat defeatist. Here's 2 questions:
Q1: What is the percentage rate of success for the current methods employed in keeping things "safe"?
Q2: By what, if any, percentage rate will this method raise the percentage rate from Q1?

We simply use a rule to determine if we should use a .safe domain
IF Q2 > 0 THEN create a .safe tld ELSE do something else.

We don't need something to be 100% trusted. Just as we don't need a renewable fuel alternative that will replace oil 100%. A renewable fuel alternative that helps replace more than 0% of oil usage will help in getting rid of our dependency on oil. Just as if a .safe domain tld helps decrease the chance of attacks, it will help keep people safe. Neither need to be 100% effective.

Re:Nice idea but... (1)

JohnnyBigodes (609498) | more than 7 years ago | (#18674705)

Well you are right indeed and I totally understand, but my main beef is calling this ".safe", because it gives the Average Joe the thought that if his bank's URL ends in ".safe", then he is totally and completely, well, safe :)

Maybe picking ".reg" or something like it might be more realistic, so to say.

But this type of thing is already in effect (0)

Anonymous Coward | more than 7 years ago | (#18674447)

SURELY people have noticed that the current domains do this PERFECTLY! After all... everyone KNOWS that .org websites are ONLY organizations. And .com is ONLY commercial sites. Why, having a .safe is completely unneeded, as scammers are clearly not known organizations, and thusly could NEVER own a .org site, so therefore they must all be safe as is.

.unsafe (0)

Anonymous Coward | more than 7 years ago | (#18674467)

This is stupid, DNS is not a trustworthy system. SSL certs are used to verify a website's identity.

All this basically says is that F-Secure are idiots.

Oh God, Not Again! (2, Insightful)

user24 (854467) | more than 7 years ago | (#18674479)

Are we really going to have to go through every argument why .xxx was a bad idea, replacing "porn" with "safe" and "perverts" with "hackers"?

quick, someone who knows regex copy the most highly modded comments from here [slashdot.org] , here [slashdot.org] , here [slashdot.org] , here [slashdot.org] and here [slashdot.org] , and save us [xkcd.com] !

Re:Oh God, Not Again! (1)

aussie_a (778472) | more than 7 years ago | (#18674925)

Got it!

Where is the downside? Regulation and control. If there was an .safe domain, it wouldn't be long for the Christian* Firewall Network (CFN?) to spring up trying to block it everywhere, and there would be demands to block it at ISPs, etc. It wouldn't be long before legislation was passed requiring all financial websites be "moved" to this domain. (Of course, we're just thinking of the adults.)

The mis-perception is that all financial websites would somehow magically be labeled .safe, and people would naively think like you did: it's easy to find and easy to block.

Meanwhile, the technological reality is that such blocking would do nothing to stop financial websites originating from domains outside of the U.S. It also would not stop dotted decimal addresses from working. But because there would be this new "law" requiring financial websites to be hosted in the .safe domain, the CFN idiots would be confused as to why their wives could still access financial websites even though it was supposed to be blocked, and would demand more regulations to stop this "illegal content".

Voluntary industry classifications have almost always turned into regulations (movie and video game ratings, light truck emissions, organic foods, etc.) It's just that on the internet, that idea doesn't work worth a damn, so why encourage it?

(*Feel free to replace 'Christian' with the intolerant fundamental religious idiots of your choice.)
Hmmmm... that didn't work too well. Let's try another:

The horses have left, who cares about the barn door?

Having a .safe domain would make simplistic filters only effective for simple people. I doubt a financial domain owner is going to drop honestbank.com and move everything over to honestbank.safe. He'll just use redirection and have two front doors to his domain.

ISP's and government authorities will NEVER be able to move financial websites off of .com. There's simply too many jurisdictions out there in our wonderful world.

All of the .safe media attention and effort seems pointless to me.
Hmmm. Still doesn't quite seem to fit. One more try:

The inverse (a domain exclusively for non-financial sites) always seemed much more practical and effective to me. Let's call it .notabank.

Let's put it this way, if you were starting a club, would you A) make the club undesirable for people to come to and then try to force them into it, or B) make the club a place where people wanted to be and then only allow in the people you wanted.

Well, .safe is that undesirable club that you have to force people into. The financial institutes don't want to be in it because they know that it will get filtered out at a lot of places. So it cuts into their business.

But a .notabank domain is the place where everyone who produces non-financial websites will want to be because they know that a lot of parents will filter out everything but .notabank. So you set up .notabank and put in place a gatekeeper who monitors to make sure that only the material you want is in it.

Of course, the companies pushing .safe want to run .safe and not .notabank because running .notabank will be a lot more work (with the content monitoring and all) so they won't make as much profit.

And the moral crusaders prefer .safe to .notabank because their ultimate goal isn't just to prevent people from seeing financial websites. Their goal is to prevent you from having any access to financial websites. And that will be easier if it is all in one place.

Now, that "gatekeeper who monitors" bit about .notabank will admittedly be challenging (I would suggest putting librarians in charge of that, they have experience with classifying material and setting up non-financial sections). But it won't be that challenging because companies would have a very strong incentive to follow the rules. So isn't .notabank a much better idea?

(If you're really going to pursue financial website filtering at the network infrastructure level, that is. Personally I think the whole idea is stupid. I'm just saying that if you're going to do it, isn't .notabank better?)
Hmmm... No. I don't think this is going to work somehow. I think we may need to come up with new reasons why .safe is a bad idea.

Great Idea... (0)

Anonymous Coward | more than 7 years ago | (#18674483)

That's about as brilliant as .xxx domains....

can we get a .idiot domain too?

This is a great idea, I'm sure it'll work (3, Insightful)

mrwiggly (34597) | more than 7 years ago | (#18674485)

<a href="http://phishers.com">click to login to http://mybank.safe/</a>

Putting a label on something doesn't make it true. (2, Insightful)

The Media Mechanic (1084283) | more than 7 years ago | (#18674503)

Just because you assign a name or a label to something doesn't make it true. Putting an "Organic" sticker on a vegetable doesn't make it organic. Calling someone a "terrorist" and saying they are making "WMDs" doesn't make it so. There is nothing intrinsic about the TLD .safe that will make it safer than any other TLD. No matter how many times you say it or repeat it or how loudly you shout it.

In a way, labels are a sort of self-fulfilling prophecy. People put labels on things in the hopes that the labels are true. This is why nobody names their child "Loser" or "Stupid". Because what if it becomes true?! Then the parents would blame themselves.

I think I am going to name my children "Nobel" and "Pulitzer".

Misleading Top Level Domain (1)

TBone (5692) | more than 7 years ago | (#18674515)

The problem with bank sites and such isn't that the sites themselves get hacked - seriously, when's the last time Wachovia or Capital One's website itself was hacked and your account info stolen from the site itself?

No, the problem is things like Phishing scams and XSS vulnerabilities and stupid users who can't tell the difference between http://www.paypal.com/ and http://www.paypal.com.scammer.cn/ or who read and follow emails from people they've never even heard of to claim their $500 gift certificate to Cracker Barrel or something equally ridiculous.

A .SAFE TLD won't make the sites any more safe, and will make them less safe, because people who don't know better will just assume that, because it's a .safe domain, it MUST be safe, otherwise it wouldn't be a .safe site, so they just go on entering all their private personal data into some bogus site.

.SAFE won't make things more safe, it will make them less, because <SPACEBALLS> Evil will always win, because Good is Dumb </SPACEBALLS>.

.safe will be even more unsafe (2, Insightful)

IGnatius T Foobar (4328) | more than 7 years ago | (#18674561)

The usual phishing tricks will work, and they'll work even better. Phisher creates a link to a phishing site, and the text of the link will point to a ".safe" domain. Naive user is as naive as ever, and thinks "Well, I know that '.safe' means that it's a genuine site, so it's safe to click on it" and cheerfully submits his/her private identity to the phishers.

Dumb idea, game over. Next...

ridiculous (1)

DaMattster (977781) | more than 7 years ago | (#18674635)

This won't solve a thing. It is trivial to fake headers; apparently the author did not do his homework. I could easily set up a spam spew to send phishing email from say, www.bankofamerica.safe or the like. A better, more practical solution is to use email signing like OpenPGP or GNUPGP. This is much, much harder to fake. See the Wikipedia article subsection Security quality. Bank customers simply obtain the PGP public key from the bank's website and use it to validate any email received. This will put the phishers to bed (at least for a long while) as it will be virtually impossible to fake the PGP signature. The next thing you do is educate the public about email signing and verification. It is not terribly difficult to use and deploy as there are freely available PGP plugins for popular email clients. GPG4Win is a complete installer that contains plugins for Mozilla Thunderbird, Outlook 2003, and Outlook Express. Read about it at http://www.gpg4win.org/.

On the face of it... (3, Insightful)

Ngarrang (1023425) | more than 7 years ago | (#18674651)

On the face of it, the idea is not completely awful. As usage of the internet grows, the organization of the domain names will grow in complexity and scope.

We have .gov for the US government sites. This makes sense. All government-owned web sites are then managed in one place. We have .edu for education institutions.

Financial institutions are a major power in our society, like government, so maybe they should have a specific domain. This would make looking for a financial place predictable. "I need to find my bank's web site. Ah, I will try bankname.bank" knowing that you will at least get a real bank, and not a phishing scam built on a typo in a name. .shop for on-line shops that actually sell through their web site, e.g. Amazon, TigerDirect.

There are other major market segments which could justify a TLD like libraries (.lib?) and medical (.med?).

We should not let a fear of abusers stop us from trying to organize things in a predictable way. With more TLD options, we could possibly avoid domain names having to be ever longer because their name was already taken.

Re:On the face of it... (2, Insightful)

digitalhermit (113459) | more than 7 years ago | (#18674903)

For the most part, I agree with this. It's funny how DNS is starting to look like the original LDAP recommendations on the name hierarchy. LDAP went from an organization-based hierarchy to schemas that started looking a lot like the DNS TLDs. And DNS itself may start looking a lot like how LDAP was. As more companies are becoming international, the idea of arbitrary geographical boundaries to information and yes, commerce, seems somewhat quaint.

A TLD doesn't make a site safe! (1)

julie-h (530222) | more than 7 years ago | (#18674675)

A TLD doesn't make a site safe! .safe should only be allowed to sites that don't run M$ products =)

How does this work? (1)

geoff lane (93738) | more than 7 years ago | (#18674721)

Is this supposed to work via some kind of sympathetic magic?

Think of the grandparents (1)

ObiWanStevobi (1030352) | more than 7 years ago | (#18674755)

I've already got the calls saying "But it said I won a free iPod." (despite the fact they didn't know what it was but thought it would make a good Christmas present). If they are that trusting of a random pop-up, imagine how easy it would be for anyone with a .safe name to rip them off. I'd have to say think of the grandparents on this one and call it a bad idea. BTW, if you disagree with me, you hate the elderly.

Better Idea (1)

user24 (854467) | more than 7 years ago | (#18674767)

How about we force everyone to have a .unsafe TLD, so it would be microsoft.com.unsafe, google.com.unsafe

It would reinforce the idea that !!!NOTHING IS SAFE ONLINE!!!

I mean, how loud do we have to shout it before people finally get it?!

Let's try it a few more times:

HEY USERS!
NOTHING IS SAFE!
PEOPLE ARE EVIL!
THE INTERNET IS A BAD PLACE!
NOTHING IS SAFE ONLINE!
NOTHING!!!!! NOT EVEN PAYPAL!!!!
NOTHING IS SAFE ONLINE!

LISTEN!

NOTHING IS SAFE ONLINE!

c'mon guys, chant with me, perhaps they'll realise if we all chant together

NOTHING IS SAFE ONLINE!
NOTHING IS SAFE ONLINE!
NOTHING IS SAFE ONLINE!

damn, it's not working.

I guess people will always be stupid, no matter how many clever people try to stop them.

www.stupididea.com (1)

tokentry (1083553) | more than 7 years ago | (#18674785)

or just .stupididea

safe domain (0)

Anonymous Coward | more than 7 years ago | (#18674823)

S-s-s-s A-a-a-a F-f-f-f E-e-e-e D-d-d-d O-o-o-o M-m-m-m A-a-a-a I-i-i-i N-n-n-n
Safe, domain!

We can register if we want to
We can leave your sites behind
'Cause your sites don't register and if they don't register
Well they're no sites of mine
I say, we can surf where we want to
A place where hackers will never find
And we can act like ICANN come from out of this world
Leave the COM domain far behind
And we can register...

un.safe (1)

wwmedia (950346) | more than 7 years ago | (#18674875)

I wish to register un.safe!

Pardon me, but... (1)

Zero_DgZ (1047348) | more than 7 years ago | (#18674891)

Did we just not have a whole debacle (thrice!) over the ICANN rejecting the .xxx domain because they're "not in the business of content regulation?" I seem to remember a flurry of articles on Slashdot about this. Doesn't allowing only banks and other "official" entities to use the .safe domain put the ICANN in exactly the same "business?" The only difference here is they're replacing porn sites with banks.