A security researcher has won investments of more than $9 million to incorporate a tightly policed section of the Internet reserved for banks, healthcare providers, and other groups that are regularly targeted in malware, phishing, and similar online attacks.
Alex Stamos, CTO of iSec Partners, said Internet addresses subscribing to the secure service would tentatively include the top-level domain of .secure, which his new venture has applied to operate. Websites, mail servers, and other services using .secure addresses would first have to agree to abide by a stringent set of requirements, including offering end-to-end encryption of most traffic and following a strict code of conduct. Artemis Internet Inc., as the new venture is called, has received about $9.6 million in backing from its parent company, NCC Group, a UK-based provider of secure IT services.
Anonymity and the Internet’s free-wheeling ways have been great for free speech and innovation, but they also open the door to impostors and website operators with poor security hygiene. With plans by the Internet Corporation for Assigned Names and Numbers to vastly expand the availability of top-level domains, security advocates have an opportunity to build the type of global network they’ve long dreamed of.
“This is our opportunity to make our mark and do something to improve the security of the Internet permanently while it’s still a bit malleable,” Stamos told Ars. “We have a chance to create a neighborhood on the Internet where security is required, and users know that. We have the ability since we’re starting from scratch to have a floor.”
Sites that wanted to be a part of this exclusive domain would have to undergo rigorous screening to verify their identity. Physical addresses, trademark registrations, articles of incorporation, and other legal documents would be reviewed by human beings. Upon approval, applicants would receive two-factor authentication hardware to register online. They would also be required to meet a minimum set of security practices, including end-to-end encryption of virtually all Web and e-mail traffic. Web data sent over the unencrypted port 80 could be used solely for redirection to HTTPS-protected addresses, and mail servers would be required to use what’s known as opportunistic transport layer security, which uses the TLS protocol to encrypt data before sending it to destination servers.
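As an added illustration (not from the article or from Artemis), the port 80 rule described above can be checked against a captured plaintext response. The specific checks, the 512-byte body limit, and the `example.secure` hostname in the sample responses are assumptions made for this sketch.

```python
# Added example: audit a captured port-80 HTTP response against the
# "redirection to HTTPS only" rule described in the article.
# The individual checks are assumptions, not a published .secure policy.
from email.parser import Parser
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_STUB_BODY = 512  # assumed ceiling for a redirect stub body, in bytes


def audit_port80_response(raw: bytes) -> list:
    """Return a list of findings; an empty list means redirect-only."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.decode("iso-8859-1").partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return ["malformed status line"]
    status = int(parts[1])
    headers = Parser().parsestr(header_block, headersonly=True)

    findings = []
    if status not in REDIRECT_CODES:
        findings.append(f"status {status} serves content instead of redirecting")
    location = headers.get("Location", "")
    if urlsplit(location).scheme != "https":
        findings.append(f"Location is not an https URL: {location!r}")
    if headers.get_all("Set-Cookie"):
        findings.append("Set-Cookie sent over plaintext HTTP")
    if len(body) > MAX_STUB_BODY:
        findings.append("response body is larger than a redirect stub")
    return findings


# Constructed sample responses (hostname is a placeholder).
GOOD = (b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://example.secure/login\r\n"
        b"Content-Length: 0\r\n\r\n")
SERVES_CONTENT = (b"HTTP/1.1 200 OK\r\n"
                  b"Set-Cookie: sid=abc\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b"<html>login form</html>")
STAYS_ON_HTTP = (b"HTTP/1.1 302 Found\r\n"
                 b"Location: http://example.secure/login\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("serves content", SERVES_CONTENT),
                      ("stays on http", STAYS_ON_HTTP)]:
        print(name, "->", audit_port80_response(raw) or "compliant")
```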
Sites with .secure addresses could mandate even stricter controls if they want, and could rely on the service’s domain name system to automatically enforce them with end users and other sites. For instance, sites could specify which authorities are or are not allowed to sign their SSL and TLS certificates, a measure that would prevent the types of certificate forgeries used last year to snoop on some 300,000 Gmail users, most of whom were located in Iran. Artemis is a member of the recently established Domain Policy Working Group that’s working on a set of technical specifications that would allow domain owners to automatically enforce such measures. Additional members, which Stamos said include “major Internet companies,” will be disclosed in July.
Artemis will continually scan .secure addresses to see if they’re hosting malware, phishing, or other nuisance sites, and those that are will be disconnected. Domain owners will be given a chance to clean up their operations and be reconnected, but repeat offenders will be banished.
The creation of a gated community on the Internet is a thought-provoking idea, and to be sure, the .secure domain isn’t the first time it has been floated. In many ways, it goes against the ideals of inclusion that have made the Internet what it is today. At the same time, the Net’s lack of accountability has often made it trivial for criminals to masquerade as banks and other trusted resources, and a lack of agreement about minimum levels of security that should be offered often allows hackers to penetrate site defenses. The service being floated by Artemis may be a way to let the free market create what so far has been out of reach of Internet engineers and marketers.
A lot still has to happen before a TLD like .secure becomes a reality. Ars will be watching with interest to see if it can achieve the lofty goals it aspires to.