Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

{Quick Post} Some thoughts on .secure

I’ve been listening with some interest to some of the recent discussions on the creation of a .secure top-level domain for more “secure” systems. Although the basic idea sounds nice in theory, I think some people are being blinded by the “what could be” and aren’t considering a couple of important factors.

Class divide

Putting aside any technical, organisational, or practical issues that are sure to come up, I don’t see anybody talking about the issue of class divide. When I say class divide I’m talking about the gap between those that can and those that can’t either afford to pay whatever fees are needed for audit and certification to gain or retain a .secure TLD, or those that cannot separate their infrastructure to support whatever the requirements are for segregation of systems.

Take for example a small bank. Their key business is small companies and the general public. Their security budget is already stretched thinly between physical security (a must for a bank!) and compliance (such as PCI). What little budget they have left might get them a .secure TLD, or it might get them the headcount required to make their networks and systems a little more secure. In this case the company is stuck in a catch-22 situation. If they go for the .secure domain they may be exposing other parts of their business through lack of funding. Although they may improve the security of sections of their network to meet .secure requirements, they won’t necessarily be improving their overall security posture as a result. More importantly though, if they don’t go for a .secure domain does it mean they are defacto insecure?

This is a typical class divide. Companies that can and have .secure domains will gain very little in the long run as all their competitors will step up and move to .secure domains as well. However those that don’t either buy-in to the .secure buzz, or are unable to, may be branded as insecure through no fault of their own. The general public only see that Bank A has a .secure domain and Bank B doesn’t. Ipso facto Bank A is better?

TL:DR;

Does a company who cannot afford to pay for a .secure become insecure simply because it’s not a member? What will end-users think… if .secure sees wide adoption it doesn’t mean that those that are members are any more secure than those who aren’t members. Those that aren’t in .secure are not defacto less secure simply due to the fact that they choose, or are unable to obtain a .secure TLD.

International Ramifications

The company behind the drive for a .secure TLD are a US-based company. Normally this wouldn’t be an issue, but if recent history is anything to go by, trust in how US companies operate on an international level isn’t at an all time high.

Does ownership of a .secure TLD mean that international companies need to abide by US laws or face similar actions to those that were taken against Calvin Ayre and associates. Does the US government have the right to replace your companies banking portal with a landing page stating that you do not comply with XYZ law. Worse yet, can they reach the long arm of the US law across the border and take legal action against companies that do not comply (as they have done in the recent Canadian Gambling case).

The world is a large place, and for .secure to become anything more than a passing fad for US-based companies, these issues have to be addressed publicly.

IANAL: I Am Not A Lawyer… take these comments as my opinions and seek professional help if you have legal queries or feel like the world is out to get you!

TL:DR; 

Artemis is a US company… does this mean .secure is a US domain, and subject to US laws and procedures?

Conclusions

I’m not against .secure as an idea. Although I see some issues that need to be addressed, from an end-user perspective I can see a number of very good advances that could be driven by this. Of course, how things look and how they end up are usually very different!

There’s a lot of discussion currently about the technical issues, and I’ve purposely avoided touching on those here. There’s also some discussion of the .secure TLD being like a red-rag to a bull. Saying you’re secure worked so well for Oracle and their unbreakable after all!

Be part of the discussion… Thoughts?

Edit 1 (26.05.2012)

@digininja asked on twitter:

@ChrisJohnRiley What is the price of a .secure? You are implying on blog it is the same as an employee, is that right?

I don’t think the price is as simple to calculate as $x for the .secure domain. Just like most things, the unexpected background costs of compliance (even though the possession of a .secure domain isn’t compliance in most senses of the word) will eclipse the cost of the initial domain registration and ongoing costs from Artemis (or whoever gets the $x at then end of the day).

The costs will vary from company to company beyond whatever is imposed by Artemis for entry to the club.

Edit 2 (26.05.2012)

After digging around a little for the answers to these questions I stumbled across a page run by Alex Stamos (from Artemis) where he is attempting to answer peoples queries on the .secure TLD. You can find the .secure FAQ here if you want to take a look at the questions he’s answered already. Hopefully he’ll see the trackback and take a stab at answering the points I’ve raised here as well. Perhaps we can convince him to come on Eurotrash at some point and tell us in his own words as well!

About these ads

6 responses to “{Quick Post} Some thoughts on .secure

  1. Alex Stamos May 27, 2012 at 21:45

    CJR,

    I think email is not the first benefit consumers and ISPs will hope to get from a .secure domain, but it is definitely one of the easier places to leverage a “reboot” of the Internet to get some security benefits. A very large number of MXs currently support STARTTLS over port 25, but it’s generally useless since it’s A) Opportunistic and therefore trivially bypassed by an active MITM and B) using a self-signed cert or one with an incorrect CNAME.

    I don’t see a lot of people using .secure for their personal vanity domains, but if we get a couple of large webmail providers to offer .secure addresses as an option (imagine automagic foo@gmail.secure aliases) we could greatly improve the privacy and trustworthiness of mail between these mail providers and large enterprises that use .secure domains themselves.

Follow

Get every new post delivered to your Inbox.

Join 291 other followers

%d bloggers like this: