Today I got a mail through one of the thousands of mailing lists I'm subscribed to, and the article it linked to is, from my point of view, about one of the most stupid ideas ever. The link pointed to http://www.foreignpolicy.com/story/cms.php?story_id=3798, where Mikko Hypponen, chief research officer at F-Secure, wrote an article about a way in which banks, or rather their customers, could be protected against phishing attacks. His basic idea is quite simple:
- Create a new top-level domain called .bank or something similar
- Sell these domains for about $50,000
Yes, that sounds like a great idea, doesn't it?
Of course it doesn't, because, as I already wrote at the beginning of this post, it's one of the most stupid ideas ever.
Let's think about how today's phishing attacks work. Just a few examples:
- Send an HTML-formatted mail to the victim in which a link's visible text reads http://www.my-bank.com but the link itself points to http://www.something-evil.com
- Register a domain called mi-bank.com, so that there is a better chance that nobody recognizes it's only a faked page.
- Take the domain something-evil.com and create a good-looking subdomain such as my-bank.com, so that you get my-bank.com.something-evil.com (and of course you can encode the real domain)
I'll stop at this point because I think everyone gets an idea of how a phishing attack can work. Now let's think about Mikko Hypponen's idea, assuming ICANN gives its OK for the .bank TLD. Our domain my-bank.com would then become my-bank.bank; wow, that really looks more secure. So, take the three examples, and keep in mind that at this point I haven't even mentioned any of the possibilities a phisher has if he finds, for example, an XSS vulnerability on the bank's website. Example one will of course still work just as well as before. Number two is a little more interesting, because as Mikko wrote, “such a top-level domain could then be restricted to bona fide financial organizations”. OK, one point for him, but I think I'll win it back with example number three. There we have the subdomain trick, but of course we can also do other things with our own domain, such as http://something-evil.com?my-bank.bank; now encode the first part and hey, to a normal user it looks like a .bank domain.
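As an added example (not from the original post, F-Secure or Foreign Policy), here is the kind of link check a mail filter could apply to the three tricks above; it works on the host the client will actually connect to, so the TLD of the bank plays no role in whether a trick is caught. The TRUSTED allow-list, the two-label registrable-domain rule and the assumption that the client percent-decodes host labels are all constructed for this example.

```python
# Added example: classify a mail link against the three phishing tricks
# described in the post. Allow-list and heuristics are constructed here.
from urllib.parse import urlparse, unquote

TRUSTED = {"my-bank.com", "my-bank.bank"}  # constructed sample allow-list


def host_of(url: str) -> str:
    """Host the client will connect to: lowercase, percent-decoded labels."""
    if "://" not in url:
        url = "http://" + url
    return unquote(urlparse(url).hostname or "").lower().rstrip(".")


def registrable(host: str) -> str:
    """Last two labels; a real filter would consult the public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike registrations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(display_text: str, href: str) -> str:
    """Return 'ok' or the name of the phishing trick the link matches."""
    target = registrable(host_of(href))
    if target in TRUSTED:
        return "ok"
    # Trick 1: the visible text names a trusted host but the href goes elsewhere.
    shown = host_of(display_text) if "." in display_text else ""
    if shown and registrable(shown) in TRUSTED:
        return "display/href mismatch"
    # Trick 3: trusted name used as a subdomain, path or query of another domain
    # (decoded first, since the post notes the phisher can encode it).
    lowered = unquote(href).lower()
    if any(t in lowered for t in TRUSTED):
        return "trusted name used as decoy"
    # Trick 2: a registrable domain one edit away from a trusted one.
    if any(edit_distance(target, t) <= 1 for t in TRUSTED):
        return "look-alike domain"
    return "ok"
```

The decoy rule is deliberately coarse (any page whose URL merely mentions a bank name is flagged), which is the usual trade-off for a mail filter that would rather ask the user than miss a lure.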
So, I think everyone should now see why I think this idea is absolute nonsense, and as I wrote before, if there's a vulnerability on the page, such as an XSS possibility, a new TLD will help absolutely nothing anyway.
You should also read the blog post by Jeremiah Grossman, who wrote about the article in a really funny way.