Shostack + Friends Blog Archive


.BadIdea, Mikko

Mikko Hypponen suggests in an article that’s getting a lot of press (“Masters of Their Domain”) that banks get their own domain space, ‘.bank.’ He argues that this would make phishing harder, and suggests we could charge banks a lot of money for the domains.

I have three problems with this:

  1. Crooks are already investing in their attacks. If that money will have a high return, by convincing more people that the URL is safe, then crooks will invest it.
  2. Some banks, such as credit unions, can’t really afford $50,000 for a domain name, and so won’t have one. (Thanks to Alex at “.bank TLD, An Idea Whose Time Has Come?”.)
  3. Finally, and most importantly, it won’t work. People don’t understand URLs, and banks create increasingly complex URLs. The phishers will make and people won’t understand that’s bad.

The easy solution to preserving the internet channel against phishers is to use bookmarks. But that’s too simple for anyone to make money at it. Certainly, no one’s gonna make $50,000 a bank. That money is better spent on other things. .Bank is a bad idea.
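As an added illustration of point 3 and the bookmark remedy above (example code written for this page, not from the post or its author): a bookmark comparison checks the whole origin exactly, so the string “.bank” appearing somewhere in a long address carries no weight at all. The bank names and addresses below are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed bookmark set: the exact origins a user saved once, as the post
# recommends. These are hypothetical names, not real bank domains.
BOOKMARKS = {
    "https://www.examplebank.bank",
    "https://online.examplecu.example",
}


def origin(url: str) -> Optional[str]:
    """Return the scheme://host[:port] origin of an absolute https URL,
    or None when the URL is not https or cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")  # .hostname is already lower-cased
    suffix = f":{port}" if port and port != 443 else ""
    return f"https://{host}{suffix}"


def matches_bookmark(url: str) -> bool:
    """Bookmark check: the origin must equal a saved origin exactly.
    No human parsing of labels, paths or query strings is involved."""
    o = origin(url)
    return o is not None and o in BOOKMARKS


def looks_like_bank_by_eye(url: str) -> bool:
    """The visual heuristic the post says people fall back on: does the
    text '.bank' appear anywhere in the address?"""
    return ".bank" in url.lower()


if __name__ == "__main__":
    # Constructed sample addresses: A is the saved origin with a long path,
    # B has '.bank' as one label inside another domain, C is plain http.
    samples = [
        "https://www.examplebank.bank/accounts/summary?sid=3f9a",  # A
        "https://www.examplebank.bank.login-portal.test/",          # B
        "http://www.examplebank.bank/",                             # C
    ]
    print("by_eye bookmark url")
    for u in samples:
        print(f"{looks_like_bank_by_eye(u)!s:6} {matches_bookmark(u)!s:8} {u}")
```

Only sample A passes the bookmark check, while the eye-ball heuristic accepts A and B alike, which is the confusion the post describes.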

[Updated: See also, “more .shenanigans” at Matasano, and “New .TLDs: Panacea for Security?” at SecureWorks.]

5 comments on ".BadIdea, Mikko"

  • Mordaxus says:

    I’m not sure how I feel, Adam. If by “It won’t work” you mean that it wouldn’t be a 100% solution, I agree. But if you mean that it would be a 0% solution, I disagree.
    I think a .bank TLD is a fine idea in abstract.
    I think that your (2) is a valid complaint, and if a credit union couldn’t get a .bank domain, then that would be in my opinion a reason to oppose it. However, there is no reason why the policies behind the .bank TLD couldn’t allow credit unions or microfinance organizations in the third world or whatever to get them. There’s no scarcity that requires this.

  • Adam says:

    I think it will be a

  • I would be very careful with argument #1… the fact that a more secure attribute becomes a more valuable target, which becomes a more valuable target is true, but not a good argument against securing the channel. The trick is to come up with a good model of the ultimate equilibrium… do the costs of securing the url channel (including the harms of small banks) actually produce enough benefits to reduce phishing? Phishing research is hard, but this seems like something that might be possible to test, although I’m no expert in experimental design.

  • It’s useful to throw these ideas around … .bank won’t work, or, if it did, why did all the URL based stuff fail in the past?
    I wonder (more loudly on the blog) whether the secure bookmark is an idea whose time has come? I see it as significant that many if not all of the independent research people have come to this conclusion.

  • Justin says:

    I initially thought it had promise, but was swiftly disabused of the notion — see Joe Stewart’s great followup:
    my thoughts: to date, we’re still seeing emails from banks where they “launder” their links through third-party click-tracking companies, indistinguishably from a phisher attempting to obscure the targets, and they still send mails with links to innumerable no-reputation domains instead of using their well-known home domains.
    While the banks act so ineptly, they’ll create user confusion and they’ll be phished — new TLD or no new TLD. The banks need to cop on, basically.