.bank domains, DNS, and Phishing
Mikko Hyppönen of F-Secure has suggested that a new top-level domain such as .bank or similar would help alleviate problems of phishing attacks against financial institutions.
Unfortunately, the suggestion is a solution which does not cure the actual problem: DNS is insecure. This new top-level domain has been the subject of much heated debate, and of course much criticism. I believe I have to count myself in on the criticism side of the debate at the moment. After reviewing some of F-Secure’s rebuttals of the criticisms, here are some issues I have with the suggestion which F-Secure has not yet addressed. Some of the following are quoted from the F-Secure web log and followed with my own comments.
A new top-level domain will not solve the phishing problem once and for all, so it’s not even worth considering.
This is not a silver bullet. A new top-level domain (TLD) would not be the end of the phishing problem. But it would be a helpful top-level domain and it would stop a particular subset of phishing completely.
While it is true that some domains are more trustworthy than others (for example, .info domains appear to have the highest level of phishing sites on them), creating a new top-level domain does not actually solve the problem of phishing; it merely creates yet another domain, and as such it is dependent upon a weak DNS system. In fact, DNS shows up in the list of top 20 Internet Security attack targets for 2006.
This initiative won’t move further until we find a sponsoring organization that starts to push it and proposes it officially to ICANN. This sponsoring organization is what we are trying to find at the moment.
Of course the sponsoring organization could officially propose this to ICANN; however, ICANN is not a regulatory agency or governing body. Even though there is presently a .pro domain for doctors and other professionals, creating a .bank domain or another authenticated top-level domain does not correct the problem of phishing any more than a new coat of paint will make a house hurricane resistant.
I do believe the suggestion for a new .bank domain is well intentioned and I don’t question the motives behind it. However, any new solution which doesn’t correct the actual problem it attempts to solve is not a move in the right direction in my opinion. I believe the move of requesting ICANN to expand its authority is one of the main reasons not to ask ICANN to create a .bank TLD. Given the present state of the domain registration business, there’s no way that a data bank top-level domain could be sufficiently authenticated, given that there will likely be registrars issuing the domain and not ICANN itself. It is not possible for a TLD such as .bank to be run in the same manner as the .gov domain. There’s not a governing body for domain registration yet. Perhaps the banks themselves can create a group and petition for the TLD, but this involves investing money on speculation, something most banks are loath to do.