NCC Group has published a set of security standards that you'll have to follow if you want to operate a .trust website.
The company owns the rights to sell dot-trusts, and uploaded the 124-page policy document [PDF] earlier this month. It provides a technical rundown covering everything from network security to secure DNS settings, and NCC Group says the rules will be used as a configuration standard for all new dot-trust websites.
For example, the DNS zone for a .trust domain should have DNSSEC resource records and answer all queries with cryptographically signed responses. This means when software, such as your web browser, looks up the IP address of a website's server from its domain name, the browser can check the authenticity of the information – and therefore thwart attempts to poison the data to redirect people to malicious servers.
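A presence check for the requirement described above, as an added example that is not from NCC Group's policy or the original article: it parses a DNS response in wire format and reports whether the A records come with an RRSIG covering them. The function names and the `example.trust` response are constructed for illustration, and the check only confirms a signature record is present; it does not validate the signature cryptographically.

```python
import struct

# Added illustration: names and sample data are constructed, not from the policy.
TYPE_A, TYPE_RRSIG = 1, 46

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def answer_types(msg):
    """Return (rr_type, type_covered or None) for each answer-section record."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    out = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        covered = struct.unpack("!H", msg[off:off + 2])[0] if rtype == TYPE_RRSIG else None
        out.append((rtype, covered))
        off += rdlen
    return out

def is_signed_answer(msg, qtype=TYPE_A):
    """True if the answer holds qtype data and an RRSIG covering that type."""
    recs = answer_types(msg)
    return (any(t == qtype for t, _ in recs)
            and any(t == TYPE_RRSIG and c == qtype for t, c in recs))

def _name(n):
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\x00"

def build_response(name, signed):
    """Constructed sample response; the RRSIG carries placeholder bytes, not a real signature."""
    ptr = b"\xc0\x0c"  # pointer back to the question name at offset 12
    answers = [ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if signed:
        rdata = struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0, 0, 12345) + _name(name) + b"\x00" * 8
        answers.append(ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata)
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return header + _name(name) + struct.pack("!HH", TYPE_A, 1) + b"".join(answers)
```

A resolver only returns RRSIG records when the query sets the DNSSEC OK bit, so a real probe has to request them before a missing signature means anything.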
And web apps served from .trust domains are not allowed to have cross-site scripting vulnerabilities or any SQL injection holes. Servers should not host malware, or link to it. Little things like that. You get the idea.
"Given the breadth of threats and abuse that target DNS and DNS-reliant services and how damaging they are to business over (and trust of) the Internet, adherence to a handful of best practices in secure configuration and utilization can reap tremendous gains in combating threats ranging from domain hijacking through to the receipt of spam email," CTO Gunter Ollmann explained in a blog post.
NCC Group will use a range of automated scanning services to check dot-trust domain holders are adhering to its policies, with a traffic-light approach to compliance. "High" and "Critical" holes will be flagged up red, and domain holders will be given a period of time to come into compliance or risk losing their web addresses. Medium-risk security holes will be followed up, and low-risk problems will come with occasional prods.
The Domain Name System (DNS) is notoriously easy to subvert, thanks to the fact that while it is extremely easy to join up parts of the internet, it is even easier to do so without having a clue what you're doing.
The .trust policies are designed to limit various problems that can lead to malware infection and security holes in web apps; the manual also calls for all traffic to be encrypted – from HTTPS to IMAP. There are exceptions, such as using HTTP to redirect visitors to HTTPS. (It's not just the NSA that is snooping, remember.)
Ollmann is scathing about the "antiquated" security settings used by site admins today, and a checkbox culture where the mere existence of a firewall is taken to be sufficient security.
"In a world filled with weekly mega-breach announcements, re-confirming some arbitrary compliance standard or placing a third-party tick-mark logo on a website are about as comforting and reassuring as lifting up a horse's tail, slapping down a 'new car smell' scented air-freshener and calling it a sports utility vehicle," he wrote.
While some internet registries have stepped up their security measures in recent years, the explosion in new generic top-level domains – like .trust and .london – is largely taking place while many rely on the same default server settings as a decade ago (trademarks are, of course, protected up the jacksie).
Several new gTLDs plan to differentiate themselves in the market by offering that added security. NCC Group applied for dot-secure but faces the financial might of Amazon in trying to get hold of it, so it bought the right to dot-trust earlier this year. Dot-bank also hopes that its security rules will mean an end to financial institutions having to endlessly warn customers about online scams.