Tuesday, May 22, 2007

.bank TLD - Still not convinced

I read Mikko's response to the .bank TLD criticism and I think I still have to take issue with a few of the things being proposed. Rsnake already had a nice writeup as well, hopefully I won't duplicate too much of it.

Mikko says:

People are stupid and would not notice such a new address scheme.

The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with.

My main problem with this argument is I'm not at all clear on what software is going to do.
  • Not let you visit non-.bank sites?
  • Not let you enter your banking password on non-.bank sites?
  • Strip links in email that don't say .bank?
I'm not sure that having a new domain gets us anywhere in actually stopping phishing, people getting fooled by this sort of thing, etc. It doesn't help with email security since you'd still have to sign email, you'd still need SPF, etc.
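To make the first two bullets concrete, here is what a browser toolbar's ".bank whitelist" check would actually have to do. This is an added example by the editor, not code from the original post, from Mikko or from Rsnake; the sample URLs and hostnames are constructed, and the rule that a trusted banking origin must also be served over https is an assumption for the illustration. It uses the WHATWG URL parser built into Node.js and browsers.

```javascript
// Added example (not from the original post): a toolbar "whitelist" check
// against a hypothetical .bank TLD, done naively and done properly.

// The naive check a toolbar author might reach for first: does the address
// contain ".bank" anywhere? Every phishing URL in SAMPLES below passes it.
function naiveBankCheck(urlString) {
  return urlString.toLowerCase().includes(".bank");
}

// Proper check: parse the URL, take the hostname the browser will actually
// connect to, and require its last DNS label to be "bank".
function isBankHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false;                                    // unparseable: never whitelist
  }
  // WHATWG parsing lowercases the host and separates userinfo (user@host),
  // so "www.mybank.bank@evil.example" yields hostname "evil.example".
  let host = url.hostname;
  if (host.endsWith(".")) host = host.slice(0, -1); // fully-qualified form
  if (host.startsWith("[")) return false;           // IPv6 literal, no TLD
  const labels = host.split(".");
  return labels.length >= 2 && labels[labels.length - 1] === "bank";
}

// Stricter rule a "don't type your banking password here" feature might use.
// Assumption for this example: banks only serve login pages over TLS.
function isTrustedBankOrigin(urlString) {
  if (!isBankHost(urlString)) return false;
  return new URL(urlString).protocol === "https:";
}

// Constructed sample URLs: one genuine .bank login page, the same page over
// plain http, and phishing patterns that put ".bank" somewhere other than
// the host's TLD (userinfo, path, subdomain, query string).
const SAMPLES = [
  "https://www.mybank.bank/login",
  "http://www.mybank.bank/login",
  "https://www.mybank.bank@evil.example/login",
  "https://evil.example/www.mybank.bank/login",
  "https://www.mybank.bank.evil.example/login",
  "https://evil.example/?next=https://www.mybank.bank/",
  "https://www.mybank.bank./login",
  "this is not a url .bank",
];

// Run all three checks over a list of URLs and return the verdicts.
function classify(samples) {
  return samples.map((u) => ({
    url: u,
    naive: naiveBankCheck(u),
    bankHost: isBankHost(u),
    trusted: isTrustedBankOrigin(u),
  }));
}

for (const r of classify(SAMPLES)) {
  console.log(
    `naive:${r.naive ? "YES" : "no "}  host:${r.bankHost ? "YES" : "no "}  ` +
    `trusted:${r.trusted ? "YES" : "no "}  ${r.url}`
  );
}
```

Note what the proper check establishes and what it does not: it tells the toolbar that the page is served from some .bank domain, nothing about which bank, and it says nothing about the link in the email that brought the user there.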

To Rsnake's point:

Now that you’ve read it, here are my thoughts. Yes, .bank will solve some heuristics problems. No, it won’t solve all of them. Banks hiring external marketing departments, regional divisions, loan offices, etc… etc… that all are owned by the parent will not be able to afford their own .bank TLD and will not be protected. Piggybacking off the parent URL is an equally bad idea for XSS phishing attacks. And if the banks allowed external organizations to piggyback how would that solve your problem of extended validation of the site?

I face this issue all of the time. I don't want to host third parties on my core domains for multiple reasons including cookie security. I do want them to have an EV cert (silly, but policy) and yet I still want people to semi-trust them. None of this is solved by having a .bank domain.

I'm just not sure what type of attacks this new TLD really prevents. If someone can give me a type of attack that it prevents I'll start thinking more seriously about it.
