Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

{Quick Post} Some thoughts on .secure

I’ve been listening with some interest to some of the recent discussions on the creation of a .secure top-level domain for more “secure” systems. Although the basic idea sounds nice in theory, I think some people are being blinded by the “what could be” and aren’t considering a couple of important factors.

Class divide

Putting aside any technical, organisational, or practical issues that are sure to come up, I don’t see anybody talking about the issue of class divide. When I say class divide I’m talking about the gap between those that can and those that can’t either afford to pay whatever fees are needed for audit and certification to gain or retain a .secure TLD, or those that cannot separate their infrastructure to support whatever the requirements are for segregation of systems.

Take for example a small bank. Their key business is small companies and the general public. Their security budget is already stretched thinly between physical security (a must for a bank!) and compliance (such as PCI). What little budget they have left might get them a .secure TLD, or it might get them the headcount required to make their networks and systems a little more secure. In this case the company is stuck in a catch-22 situation. If they go for the .secure domain they may be exposing other parts of their business through lack of funding. Although they may improve the security of sections of their network to meet .secure requirements, they won’t necessarily be improving their overall security posture as a result. More importantly though, if they don’t go for a .secure domain does it mean they are de facto insecure?

This is a typical class divide. Companies that can and have .secure domains will gain very little in the long run as all their competitors will step up and move to .secure domains as well. However, those that either don’t buy in to the .secure buzz, or are unable to, may be branded as insecure through no fault of their own. The general public only see that Bank A has a .secure domain and Bank B doesn’t. Ipso facto Bank A is better?

TL:DR;

Does a company that cannot afford to pay for a .secure become insecure simply because it’s not a member? What will end-users think… if .secure sees wide adoption it doesn’t mean that those that are members are any more secure than those who aren’t members. Those that aren’t in .secure are not de facto less secure simply due to the fact that they choose not to obtain, or are unable to obtain, a .secure TLD.

International Ramifications

The company behind the drive for a .secure TLD are a US-based company. Normally this wouldn’t be an issue, but if recent history is anything to go by, trust in how US companies operate on an international level isn’t at an all-time high.

Does ownership of a .secure TLD mean that international companies need to abide by US laws or face similar actions to those that were taken against Calvin Ayre and associates? Does the US government have the right to replace your company’s banking portal with a landing page stating that you do not comply with XYZ law? Worse yet, can they reach the long arm of US law across the border and take legal action against companies that do not comply (as they have done in the recent Canadian Gambling case)?

The world is a large place, and for .secure to become anything more than a passing fad for US-based companies, these issues have to be addressed publicly.

IANAL: I Am Not A Lawyer… take these comments as my opinions and seek professional help if you have legal queries or feel like the world is out to get you!

TL:DR; 

Artemis is a US company… does this mean .secure is a US domain, and subject to US laws and procedures?

Conclusions

I’m not against .secure as an idea. Although I see some issues that need to be addressed, from an end-user perspective I can see a number of very good advances that could be driven by this. Of course, how things look and how they end up are usually very different!

There’s a lot of discussion currently about the technical issues, and I’ve purposely avoided touching on those here. There’s also some discussion of the .secure TLD being like a red rag to a bull. Saying you’re secure worked so well for Oracle and their “unbreakable” after all!

Be part of the discussion… Thoughts?

Edit 1 (26.05.2012)

@digininja asked on twitter:

@ChrisJohnRiley What is the price of a .secure? You are implying on blog it is the same as an employee, is that right?

I don’t think the price is as simple to calculate as $x for the .secure domain. Just like most things, the unexpected background costs of compliance (even though the possession of a .secure domain isn’t compliance in most senses of the word) will eclipse the cost of the initial domain registration and ongoing costs from Artemis (or whoever gets the $x at the end of the day).

The costs will vary from company to company beyond whatever is imposed by Artemis for entry to the club.

Edit 2 (26.05.2012)

After digging around a little for the answers to these questions I stumbled across a page run by Alex Stamos (from Artemis) where he is attempting to answer people’s queries on the .secure TLD. You can find the .secure FAQ here if you want to take a look at the questions he’s answered already. Hopefully he’ll see the trackback and take a stab at answering the points I’ve raised here as well. Perhaps we can convince him to come on Eurotrash at some point and tell us in his own words as well!

6 responses to “{Quick Post} Some thoughts on .secure”

  1. Lonervamp May 25, 2012 at 17:07

    I can’t say I really like the idea of a .secure at all. It seems more like a play for money than a play for security.

    a. This makes me think about Extended Validation SSL certs. Sounds great on paper. Makes more money for CAs that sell them. Sounds like something users will get behind. In practice? Not so much.

    b. Also makes me think about badges for things like, “Secured by McAfee Scans.” Is this taken by people as assurance of security? Yes. Is it assurance of security? No.

    c. I also don’t like this on a semantics level. Penetrating something secure will happen someday. So when it does, does that ruin the image of a .secure space? Probably. And there’s certainly a big bragging rights bullseye on anyone residing in that area for attackers to target.

  2. Guest May 26, 2012 at 04:15

    The major thing I like about .secure is the fact a user will know beforehand that the site uses SSL, and I would expect that browsers would implement a rule to only allow browsing to a .secure with https. This solves the problem of a https downgrade attack on the first visit to a website.

    Nothing else about the .secure TLD is good, perhaps someone else should implement a .tls TLD, where browsers will only accept TLS connections to those domains.

  3. ChrisJohnRiley May 26, 2012 at 20:07

    I can also see the technical benefits of email coming from a .secure TLD. Historically things like SPF have been checked, but not enforced/blocked in case you block something you want. If .secure TLDs are required to have DKIM, then receiving mail servers can easily specify that .secure TLDs without a DKIM can be dropped without issue.

  4. Alex Stamos May 27, 2012 at 02:02

    I will try to get some longer answers up on my blog after our three day holiday weekend, and I would love to discuss this on Eurotrash.

    As for the legal issues, IA(also)NAL but it is true that we will be subject to many different legal regimes in the same way other Internet infrastructure companies are. Artemis Internet Inc. is a California corporation, owned by NCC Group plc, with major human operations in San Francisco, Manchester and Melbourne. So we are already dealing with US, Australian, UK and EU laws without discussing the dozen or so other countries where we physically have DNS servers.

    I am a big proponent of government neutrality towards Internet infrastructure, and you can check my bona fides with the EFF and others to whom I have donated pro bono expert witness work (see EFF vs Sony BMG and Sony vs George Hotz). You will see Artemis on the forefront of companies arguing against SOPA, PIPA, ACTA and other legal instruments that obstruct the creation of a reliable, secure Internet, but in the end we will be subject to the laws of the countries we operate within just like Verisign, Neustar, Afilias, ICANN, IANA, Google, Microsoft, Yahoo…

    The security benefits we are trying to create via the Domain Policy Framework will be available to any gTLD and the .pirate folks are welcome to join the working group.

    Your email example doesn’t go far enough: .secure will require DMARC and DKIM/SPF, but will also require MXs to support STARTTLS with appropriately rooted certs and correct CNAMES. This means that all mail between .secure domains will be encrypted in-transit between exchangers, one of many small victories for personal privacy and security we are hoping to facilitate.

    TTYS, Alex

  5. ChrisJohnRiley May 27, 2012 at 08:55

    Thanks for the reply Alex, and I appreciate your efforts in driving this.

    Q: Do you see a big market in emails going between .secure domains? I would have thought that .secure domains would be the demarcation point between a company and the end-user. Although I support the requirement of using STARTTLS for emails, I’m not sure how many end-user email servers (ISP owned or otherwise) support it. I could see this as a driver for them to begin supporting it however…

    I’ll send you an email and maybe we can arrange to record an interview sometime soon!
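The receiving-side rule raised in comments 3 and 4 above (enforce DKIM for a TLD that mandates it, keep failing open for everyone else), sketched as an added example that is not code from the post, its commenters or Artemis. The authserv-id `mx.example.net`, the domain names and the sample messages are constructed assumptions, and alignment is simplified to an exact match between the signing domain and the From: domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

STRICT_TLDS = {"secure"}             # assumption: TLDs whose registry mandates DKIM
TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own verifier
DKIM_RE = re.compile(r"(?<![\w-])dkim=(\w+)[^;]*?\bheader\.d=([A-Za-z0-9.-]+)")

def from_domain(msg):
    """Domain of the address in the From: header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def dkim_pass_domains(msg):
    """Signing domains with dkim=pass, read only from our own verifier's header."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # added upstream or by the sender: not evidence
        for result, domain in DKIM_RE.findall(results):
            if result.lower() == "pass":
                passed.add(domain.lower().rstrip("."))
    return passed

def disposition(raw):
    """Return accept / reject / accept-unverified for one raw message."""
    msg = message_from_string(raw)
    sender = from_domain(msg)
    # Strict alignment: the passing signature must be for the From: domain itself.
    if sender and sender in dkim_pass_domains(msg):
        return "accept"
    # Fail closed only where the TLD guarantees every legitimate sender signs.
    return "reject" if sender.rpartition(".")[2] in STRICT_TLDS else "accept-unverified"

def _mail(sender, auth_results):
    """Build a constructed sample message (not real traffic)."""
    return f"From: {sender}\nAuthentication-Results: {auth_results}\nSubject: t\n\nbody\n"

SAMPLES = {
    "signed": _mail("alerts@bank.secure", "mx.example.net; dkim=pass header.d=bank.secure"),
    "forged_header": _mail("alerts@bank.secure", "mx.other.example; dkim=pass header.d=bank.secure"),
    "third_party_sig": _mail("alerts@bank.secure", "mx.example.net; dkim=pass header.d=mailer.example"),
    "legacy_fail": _mail("news@shop.example", "mx.example.net; dkim=fail header.d=shop.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {disposition(raw)}")
```

Only the Authentication-Results header stamped by the receiver's own verifier counts as evidence, so a sender-supplied "dkim=pass" line does not satisfy the policy.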
