210 likes | 304 Views
TLD Security Forum. Thank you for joining the. We will begin the event at 9:00am Pacific Time (1600 UTC). Making the Internet Better with New TLDs Alex Stamos , CTO. Today’s Goals. To have an open , productive and professional discussion on:
E N D
TLD Security Forum • Thank you for joining the We will begin the event at 9:00am Pacific Time (1600 UTC)
Making the Internet Better with New TLDs Alex Stamos, CTO
Today’s Goals To have an open, productive and professional discussion on: The measurable, real risks of TLD delegation How we move forward together How new TLDs can make things better This is not a complaints session.
You are expecting something on SSR Total counts of name collisions are useless without context and definite risks. Vast majority of collision problems are easily fixed. Applicants need a lot of help with this. We will be publishing more detailed responses when our analysis is complete. The Internet is already a disaster. Let’s keep that in mind when weighing risks…
Isn’t everything fine the way it is? Every time a user… …enters a café …associates to the wifi …does something important online They are lying to themselves…
Why? The Internet is already a hive of scum and villainy There is no man behind the curtain helping you We do not make safely usable systems
http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdfhttp://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdf
http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdfhttp://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdf
http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdfhttp://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdf
Do domains even mean anything? *Cisco and HSBC removed from this list
http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.htmlhttp://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html
We can do better Nowhere is it written that the Internet must maintain bug compatibility with the past. Your new TLD can be: More trustworthy than the incumbents More advanced than the incumbents Make the Internet a better place
What we are doing with .secure Strong Verification of Identity Community Based Security Standards Continuous Enforcement of Net, Web, Email and Abuse Policies We do not claim that these protections are appropriate for you, only possible.
Take a look at the .secure standards doc Our goal was to create a policy regime that: • Is technically specific • Is self-evident • Is remotely testable This is not everything you need to be safe Full draft to be posted soon for public comment • This is a draft, please don’t redistribute • You are welcome to use the public drafts
What would this mean for… webmail? Bob knows webmail.secure is legit Bob’s browser knows how to safely connect • HSTS, HPKP, Pre-Loaded ICA Pinning and someday DANE Webmail.secure tries hard to be safe • Net, web policies. CSP, minimization, X-* headers Bank.secure mail is authenticated and secret • DKIM, DMARC, SMTPS with .secure certs Vulnerabilities happen still, are found and fixed
Not just us webmail webmail ? bank bank broker broker .secure .example
What would that take? Base standards for interoperability Central registry of TLD standards Technical standards for advertising capabilities Continuous compliance mechanisms Unified messaging and enhanced consumer experience You won’t get a second chance, let’s talk before you launch!
Conclusion On SSR: This too shall pass Decision makers: please look at the big picture NTAG: Aim higher than what’s expected of us Use trust to delineate your TLD from the legacy experience