Security Through Obscurity as an Institution

One of my staff members pointed me to an article by Mikko Hyppönen in Foreign Policy. In this article Mikko argues that a new top level domain (TLD) like .bank for some reason would prevent on-line fraud, at least partially. Mikko seems to be arguing that with a dedicated TLD registry for financial institutions and a fee high enough to act as an entry barrier you would have trustworthy bank domains that would be immune against today’s phishing attempts.

I don’t believe in this for a second. If we decide to ignore the fact that creating a rule-set that would identify all the world’s known financial institutions would be really hard, and the fact that a barrier entry fee would most likely keep developing countries out - a fact that goes counter to all current Internet policy related development - it still can’t be made to work.

First of all, Mikko suggests that $50,000 somehow would deter criminals. I don’t think it will; it just raises the price for production of phishing sites.

Second of all, with the suggested system, a “compromised” domain that managed to get registered under this TLD would be invaluable to the criminals as it would come with automatic trust to the end-users.

Third, without a wider look at security, route monitoring, signed web-sites (why are only the parts of the bank’s web-sites where I do my transactions signed?), DNSSEC, etc., any form of validation at the point of registration is more or less meaningless.

No, I think the proposal is trying to reach higher end-user confidence levels through security obfuscation. This will work until the registry gets compromised (and it will), and then the effects are much worse and far-reaching.
