A security startup called Artemis Internet has proposed a new “.secure” top-level domain that would require Web sites using the domain to maintain stringent security practices.
The goal is to offer a place on the Web where sites have higher security standards and Web surfers can have more faith that their data and communications will stay out of the hands of malicious hackers and criminals.
“Right now software and security engineers are really bad at building good user experiences,” Artemis founder Alex Stamos said in an interview today. “It’s time for us to take responsibility and make (Web security) automatic for people. You can’t do that on the Internet now because of backward compatibility issues.” So Stamos wants to create a new area on the Web built specifically for security. He goes into more detail in this blog post.
Stamos is also working on new Internet domain standards, dubbed the Domain Policy Framework, which are designed to bring advanced security features to browsers and Web communications and can be used by any top-level domain.
The .Secure registry will require registrants to submit identity documentation and will take steps to verify identities. Registrants will have to agree to a code of conduct and meet strict security standards, including using beefed-up authentication and encryption with Domain Name System Security Extensions (DNSSEC) and Transport Layer Security for all HTTP sessions and between e-mail servers. The .Secure registry will also scan sites to see if they are hosting malware or phishing attacks.
“There will be sites that get hacked in .secure and we’ll have to deal with that,” Stamos said. “But when that happens it won’t be because of something simple…. If you have a SQL injection vulnerability on your front page we’ll give you a reasonable timeframe to remove it or your site will disappear.”
“Man-in-the-middle attacks will be very difficult even if a stolen certificate is used. A limited number of Certificate Authorities will be allowed to create .Secure certificates,” he said. Meanwhile, “there will be no typo squatting, nobody pretending to be who they aren’t.”
Independent researcher Moxie Marlinspike, whose research has revealed serious flaws in the way domain names are verified on the Internet, complained that the .Secure plan won’t solve an underlying problem: trust for digital data and services is placed in the hands of commercial entities that are subject to the whims of various governments and have lax security practices.
“As bad as Certificate Authorities are, DNS-based security mechanisms like DANE and DNSSEC are worse,” he wrote in an e-mail. “They are the ultimate expression of a lack of agility. If we sign up to trust the organizations who manage that infrastructure, we’re signing up to trust them forever; without any opportunity to change our minds in the future, and without any incentives for them to continue warranting our trust.”
Stamos said both approaches can work simultaneously. “We will continue to utilize the trust mechanisms created by DNSSEC, and Moxie can build a decentralized system to monitor keys and records as seen around the world and detect when governments are playing tricks,” he said. “In the meantime, the normal Internet user (one that does not count the U.S. Government as an adversary) would be much safer if they spent most of their day on .secure domains.”