
posted by n1 on Thursday October 23 2014, @03:42PM
from the do-not-.trust-anyone dept.

NCC Group has published a set of security standards that you'll have to follow if you want to operate a .trust website.

The company owns the rights to sell dot-trusts, and uploaded the 124-page policy document [PDF] earlier this month. It provides a technical rundown covering everything from network security to secure DNS settings, and NCC Group says the rules will be used as a configuration standard for all new dot-trust websites.

  • (Score: 2, Insightful) by Anonymous Coward on Thursday October 23 2014, @04:03PM

    by Anonymous Coward on Thursday October 23 2014, @04:03PM (#109228)

    Was going to download the pdf, but cancelled.

    It violates my policy of not running javascript for obvious trust reasons.

    • (Score: 1, Insightful) by Anonymous Coward on Thursday October 23 2014, @04:16PM

      by Anonymous Coward on Thursday October 23 2014, @04:16PM (#109233)

      And why should I embark on a potentially risky PDF parsing operation, when such guidelines could have been delivered in plain ASCII?

    • (Score: 1) by TK-421 on Thursday October 23 2014, @05:06PM

      by TK-421 (3235) on Thursday October 23 2014, @05:06PM (#109253) Journal

      They make add-ons for that problem.

    • (Score: 2) by frojack on Thursday October 23 2014, @07:50PM

      by frojack (1554) on Thursday October 23 2014, @07:50PM (#109333) Journal

      The PDF does not use Javascript.
      And that is largely under your control anyway. Stop using Adobe products.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 3) by cmn32480 on Thursday October 23 2014, @04:30PM

    by cmn32480 (443) <reversethis-{moc.liamg} {ta} {08423nmc}> on Thursday October 23 2014, @04:30PM (#109238) Journal

    But from the start it makes good bedtime reading.

    The odds are that there are a lot of things in there that are good practice anyway for running a website, and regardless of your want of a .trust TLD. It may be useful as a way of protecting sites that we manage.

    I think I shall peruse it this evening and find out if I am just kidding myself.

    --
    "It's a dog eat dog world, and I'm wearing Milkbone underwear" - Norm Peterson
  • (Score: 0) by Anonymous Coward on Thursday October 23 2014, @04:55PM

    by Anonymous Coward on Thursday October 23 2014, @04:55PM (#109250)

    Some of these requirements were written by MBAs, not by people with real security skills. Here are some of the dumbest ones I found:

    Do not Attempt to Automatically Install Malware on User Machines Detected via Heuristics
    Do not host Windows executables without Authenticode signatures
    Do not host content with “dangerous” file extensions
    Filter ICMP messages traversing inbound across the network edge (including Destination Port Unreachable, which is actually important for UDP services)

    And then all the "Do not serve web applications containing ${SOME} vulnerability", for about 20 different types.
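A worked illustration of the ICMP point in the comment above, added here as an example; it is not taken from the NCC Group document or from any commenter. It constructs (rather than captures) an ICMP Destination Unreachable / Port Unreachable message for a UDP datagram, parses the quoted IPv4 and UDP headers the way a UDP stack has to in order to match the error to an outstanding request, and runs the message through two hypothetical edge policies: drop all inbound ICMP, versus pass only the error types (3 and 11) that UDP endpoints and Path MTU discovery rely on. Addresses, ports, policy names and the pending-request table are assumptions chosen for the example.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3        # RFC 792 Destination Unreachable
ICMP_TIME_EXCEEDED = 11      # TTL expiry; traceroute depends on it
ICMP_ECHO_REQUEST = 8
CODE_PORT_UNREACH = 3
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.
    Returns 0 when run over a message whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_port_unreachable(orig_src: str, orig_dst: str, sport: int, dport: int) -> bytes:
    """Constructed ICMP Port Unreachable message (ICMP header onward; the outer
    IPv4 header is omitted). As RFC 792 requires, it quotes the IPv4 header and
    the first 8 bytes (the whole UDP header) of the datagram that provoked it."""
    inner_ip = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28,            # version/IHL, DSCP/ECN, total length (20 IP + 8 UDP)
        0x1234, 0,              # identification, flags/fragment offset
        64, IPPROTO_UDP, 0,     # TTL, protocol, header checksum placeholder
        socket.inet_aton(orig_src), socket.inet_aton(orig_dst)))
    inner_ip[10:12] = struct.pack("!H", inet_checksum(bytes(inner_ip)))
    inner_udp = struct.pack("!HHHH", sport, dport, 8, 0)   # src port, dst port, length, checksum
    icmp = bytearray(struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0))
    icmp += inner_ip + inner_udp
    icmp[2:4] = struct.pack("!H", inet_checksum(bytes(icmp)))
    return bytes(icmp)


def parse_port_unreachable(icmp: bytes):
    """Return (src, sport, dst, dport) of the quoted UDP datagram, or None if the
    message is not a well-formed Port Unreachable for UDP. That 4-tuple is what a
    UDP stack or application needs to map the error back to a pending request."""
    if len(icmp) < 8 + 20 + 8 or inet_checksum(icmp) != 0:
        return None
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != CODE_PORT_UNREACH:
        return None
    ihl = (icmp[8] & 0x0F) * 4                      # quoted IP header length
    if icmp[8 + 9] != IPPROTO_UDP or len(icmp) < 8 + ihl + 8:
        return None
    src = socket.inet_ntoa(icmp[8 + 12:8 + 16])
    dst = socket.inet_ntoa(icmp[8 + 16:8 + 20])
    sport, dport = struct.unpack("!HH", icmp[8 + ihl:8 + ihl + 4])
    return src, sport, dst, dport


def edge_passes(icmp: bytes, policy: str) -> bool:
    """Toy model of the inbound ICMP rule at the network edge (policy names are
    assumptions). 'drop_all' is the blanket filter the comment objects to;
    'allow_errors' drops echo requests but passes types 3 and 11."""
    if policy == "drop_all":
        return False
    if policy == "allow_errors":
        return icmp[0] in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED)
    raise ValueError("unknown policy: " + policy)


def outcome_for_pending_request(policy: str) -> str:
    """A host inside the edge sent a UDP datagram (say a DNS query) to a port with
    no listener and is waiting for a reply. Show whether the ICMP error the remote
    host sends back ever reaches it under the given edge policy."""
    pending = {("192.0.2.10", 40000, "198.51.100.7", 5353): "query-1"}   # constructed
    icmp = build_port_unreachable("192.0.2.10", "198.51.100.7", 40000, 5353)
    if not edge_passes(icmp, policy):
        return "query-1 waits for its full timeout; error was filtered at the edge"
    quoted = parse_port_unreachable(icmp)
    req = pending.pop(quoted, None) if quoted else None
    if req is None:
        return "unmatched ICMP ignored"
    return "%s fails fast with an ECONNREFUSED-style error" % req


if __name__ == "__main__":
    for policy in ("drop_all", "allow_errors"):
        print(policy, "->", outcome_for_pending_request(policy))
```

The parser verifies the checksum and the quoted protocol before trusting the 4-tuple, which is also the minimum a real stack does before acting on an ICMP error, since anyone who can reach the host can send one.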

    • (Score: 0) by Anonymous Coward on Thursday October 23 2014, @06:01PM

      by Anonymous Coward on Thursday October 23 2014, @06:01PM (#109276)

      I read it more as spyware/malware guys not welcome here.

      It reads like a check list of 'dont be a dick to your customers' and 'here are some good things to setup while configuring your system'.

      • (Score: 2) by darkfeline on Friday October 24 2014, @02:24PM

        by darkfeline (1030) on Friday October 24 2014, @02:24PM (#109581) Homepage

        Except, as GP mentioned, they're pointless/badly written/misinformed/etc.

        >Do not host content with “dangerous” file extensions

        So, what? Let's say .docx is dangerous because they can contain embedded code, so as long as I don't host any files ending in .docx I'm fine? BRB, just going to `rename 's/\.docx$/.not-docx/' *.docx` really quick.

        --
        Join the SDF Public Access UNIX System today!
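To make the rename bypass in the comment above concrete, here is an added example, not from the NCC Group standard or from any commenter, comparing a filename-extension check with a check on the bytes themselves. The uploads, the extension list and the OOXML-shaped zip files are constructed for the example; the content sniffing is deliberately minimal (an MZ header for PE executables, a zip carrying OOXML members, word/vbaProject.bin as the macro marker) and a real deployment would use a full type identifier such as libmagic rather than this hand-rolled set.

```python
import io
import zipfile

# Extensions a hosting policy might label "dangerous" (constructed list for the example).
DANGEROUS_EXTENSIONS = {".exe", ".dll", ".scr", ".docm", ".docx", ".js", ".hta"}


def blocked_by_extension(filename: str) -> bool:
    """The naive policy check: decide from the file name alone."""
    lower = filename.lower()
    return any(lower.endswith(ext) for ext in DANGEROUS_EXTENSIONS)


def identify_content(data: bytes) -> str:
    """Simplified content sniffing on the bytes, independent of the name."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "[Content_Types].xml" in names and "word/document.xml" in names:
            # Macro-enabled Word documents carry the VBA project as a zip member.
            return "ooxml-word-macro" if "word/vbaProject.bin" in names else "ooxml-word"
        return "zip"
    return "unknown"


def blocked_by_content(data: bytes) -> bool:
    """Block on what the file is, not what it is called."""
    return identify_content(data) in {"pe-executable", "ooxml-word-macro"}


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-shaped zip. Constructed stand-in, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Compound-file magic followed by filler; enough for the marker check.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


# Constructed uploads: filename -> bytes. The third entry is the rename trick from the comment.
SAMPLES = {
    "report.docx": make_ooxml(False),
    "invoice.docm": make_ooxml(True),
    "invoice.not-docm": make_ooxml(True),
    "setup.exe": b"MZ" + b"\x90" * 62,
    "setup.txt": b"MZ" + b"\x90" * 62,
    "notes.txt": b"just text\n",
}


def evaluate(samples):
    """Return {filename: (extension_verdict, content_verdict)} for side-by-side comparison."""
    return {name: (blocked_by_extension(name), blocked_by_content(data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in evaluate(SAMPLES).items():
        print("%-18s extension=%-5s content=%s" % (name, by_ext, by_content))
```

Running it shows the two failure modes of an extension rule at once: the renamed macro document and the executable called `.txt` sail past the name check but not the byte check, while the plain `report.docx` is blocked by name even though its contents carry no macro.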
  • (Score: 1) by barrahome on Thursday October 23 2014, @07:10PM

    by barrahome (3580) on Thursday October 23 2014, @07:10PM (#109309) Journal

    This is stupid. Good luck with their "business" because no one is interested in enforced policy just for a crappy domain! :P

    • (Score: 2) by kaganar on Thursday October 23 2014, @07:33PM

      by kaganar (605) on Thursday October 23 2014, @07:33PM (#109323)

      I suspect that's the point -- if I want any "crappy" domain, I could just go buy one for dirt-cheap and pop up a hazardous website. On the other hand, if I want to be Trustable Inc. that offers "trustable" online services, and ".trust" domains have a reputation for being actually secure (unlike websites only secured with mere SSL certificates), then I'd surely want a .trust domain to attract customers. This seems like a viable way to make ".trust" domains of great utility -- and high price.
    • (Score: 2) by edIII on Thursday October 23 2014, @08:52PM

      by edIII (791) on Thursday October 23 2014, @08:52PM (#109358)

      I am. Very interested.

      All the new .TLDs are intensely stupid and just a huge money grab against businesses with "Internet presence" budgets. That being said, .trust is pretty hot. If the new TLDs are going to come into use, all sorts of things like this are going to happen. It will devolve into moderated subreddits with members able to afford the financial raping by the interests controlling DNS.

      Forcing something akin to DSS-PCI compliance in order to qualify for the domain is a big deal. If you do that, and have regular spot audits, you have quite a product on your hands. Instead of goofy little badges at the bottom of the screen, you have a domain itself indicating trust. That's the kind of trust you can count on at the command line. You don't need to run a statement and grep for SSL security and certificate statuses. If you entered .trust properly, and your DNS is operating correctly, you can rest assured that all connections to .trust servers are following those security standards and are audited regularly.

      I want a pony.

      I remember that .NET addresses were *only* supposed to be for network operations and what not, and that .ORG were only supposed to be used for non-profits. Truthfully, I barely remember the rules because *nobody* ever followed them all the way back in '97. I even remember being told by the person helping me get my domain, "those are the rules, but nobody is checking anything anyways". Since '97 nobody has ever checked my domains to see if I was in compliance. Maybe they would for a .US or a .BIZ, but I never drank that kool-aid, and most businesses I know only ever went as far as .COM/.NET/.ORG.

      If nobody is following the rules for the parent organization, why do I really believe that this organization will enforce rules against their *paying* customers, that will need to continue paying?

      That .trust domain better be on the fucking Super Bowl if they want businesses to swallow that marketing copy. It's not impossible for this to work, just massively improbable.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2) by marcello_dl on Thursday October 23 2014, @08:52PM

    by marcello_dl (2685) on Thursday October 23 2014, @08:52PM (#109359)

    ... I wanted to register zero.trust :(