In my previous post, I commented on the proposed “.Bank” TLD. Since then, F-Secure has defended their proposal in their blog, addressing many of the key issues I commented about.
Here is what they had to say about users still being fooled by the new addresses:
The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users’ software to work better. Security software and browser tool bars would essentially have a “white list” to work with.
Yes, .bank would help browsers know whether a site is legitimate or not, but users would have to look for something in their browsers. If the EV-SSL certificate message below isn’t clear enough, what could web browsers possibly say that would be?
F-Secure addressed the issue of EV-SSL certificates as well:
We’re not against these new high-security web certificates. However, a secure top-level domain would still be a good idea: it would authenticate the domain as trusted by the name alone. There’s no way to know if a site has a high-security certificate without visiting it.
True, but EV-SSL certificates identify web sites while also assuring security in transactions.
What about a compromise, a variant of EV-SSL certificates just for financial institutions, a FI-EV-SSL Certificate? This wouldn’t give much additional benefit. One must prove they are a legitimate business to get an EV-SSL certificate anyway.
I’m still not convinced “.bank” is worthwhile. What do you think?