I suppose I should probably weigh on on my feelings on the .bank TLD proposal. I kept my tongue hoping that someone would come out and explain what they thought it would solve, and I’m glad I did. Mikko from F-Secure finally published a writeup on why it should go through to ICANN. It was actually a pretty well thought out reply. I’m not going to summarize the post - go read it and come back, I’ll wait.
Now that you’ve read it, here are my thoughts. Yes, .bank will solve some heuristics problems. No, it won’t solve all of them. Banks hiring external marketing departments, regional divisions, loan offices, etc… etc… that all are owned by the parent will not be able to afford their own .bank TLD and will not be protected. Piggybacking off the parent URL is an equally bad idea for XSS phishing attacks. And if the banks allowed external organizations to piggyback how wold that solve your problem of extended validation of the site? Anyone have any guess as to how much money external marketing companies spend on server sercurity? Anyway, it does solve a few issues for heuristics, but it also creates a lot more. (Does this sound at all like why companies were told to buy EV certs? Has that worked for them? Why are we doing this twice?)
Banks have spent a lot of time and energy into making online presences. They can’t switch over to a new TLD on a dime. Sure, they will because they are told it’s the right thing to do, but it’s certainly not an overnight process. How much money are they going to spend buying the domains, re-tooling their websites, re-branding them and re-educating their own staff and their customers?
.bank does not apply to some of the most heavily phished sites out there, like Amazon, eBay, PayPal, AOL, MySpace and a host of credit unions. I see where they are going with this, but it’s a slippery slope. Just because you get phished a lot doesn’t earn you the right to have a .bank TLD (because that is the exclusive domain of banks, of course). While it may earn you a right to have a .dontphishme TLD every site on earth that does electronic transactions is going to want that.
Probably my biggest problem with this, is that these companies each spend a ton of money in education, and promoting their brand. For them to switch their TLD would work against all those dollars spent, and ultimately wouldn’t prevent blind redirects, XSS phishing, or just plain old URL obfuscation. Yes, it would make detection slightly easier, but by how much? An order of magnitude? I highly doubt it, and even if it did, is the problem not being able to detect the phishing sites well or is our problem not being able to take them down quickly enough? I think it’s the latter, and I don’t think a .bank TLD or any other derivative is going to solve that issue.
While I applaud the creativity, I really don’t think it does enough to warrant it going through. But I have no doubt where there’s a will there’s a way and it will go through despite my opinions. I know people mean well with these types of proposals, but I think there’s a lot more going on here than just detection. Yes, detection does need to be improved, but there’s tons of ways around detection and phishers have not had resort to that (minus a few experiments).
To me that means we are a long way from having to worry about the detection portion of the attack and if people want to put a dent in it they should instead focus on building better extradition treaties and tougher international cybercrime laws with all countries. Currently it can take days or weeks to get phishing sites taken down because there is no political pressure to do so in certain areas. I believe people would be much better suited in solving the take-down issue than creating a new .TLD that excludes more phished domains than it protects.