New .Secure Global TLD Proposed

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:32:16


A group of security experts is working to put together a new global TLD that will require companies and individuals applying for domains to adhere to strict security policies and requirements. The proposed .secure TLD is intended to be a known safe group of domains and would include mandatory use of DNSSEC, TLS for every HTTP session and other security technologies.

The .secure TLD is being proposed by a group called Artemis Internet, which includes some veterans of security consultancy iSEC Partners, and the proposal is in front of ICANN, the group that regulates TLDs. The proposed TLD would be open to anyone who’s willing to stick to the security requirements, and may be especially attractive to financial institutions and other organizations that are interested in giving customers more assurance that they’re sessions are secure.

“Artemis is working with its partners and pioneer customers to define a minimum standard that provides an excellent baseline of security without unnecessary integration or compatibility problems. While the standard is still in flux it will, at a minimum, include mandatory DNSSEC signing of every zone, the use of TLS for all HTTP sessions, DKIM and opportunistic TLS for SMTP. We will also utilize features of DPF to reduce the risk from rogue and compromised certificate authorities and to provide guaranteed email transport security between .SECURE domains,” the group says in an FAQ on its site.

“Minor deviations from our policies will result in email, phone or mail notification. Major issues such as the hosting of malware, phishing sites or serious security deficits could lead to Artemis suspending resolution of the domain.”

In addition to the technical controls, Artemis will monitor inbound reports, public and private databases for evidence of abuse by .SECURE domains and act much more quickly to resolve issues than the incumbent TLD operators.

Phishing attacks, forged Web sites, financial fraud and other security problems have done much to erode consumer confidence in the security underpinnings of the Internet in recent years. And while the use of SSL and other security technologies can protect users’ Web sessions, there are still plenty of other ways for attackers to get at users. Attacks on the sites themselves, such as SQL injection or planting malicious JavaScript for use in drive-by downloads, are simple ones but they’re still quite effective and wouldn’t be prevented by the solutions in the proposed .secure TLD.

ICANN is in the process of expanding the number of global TLDs beyond the handful of existing ones, but it’s not clear whether .secure will be approved or when.