Recently, Mikko Hypponen proposed the idea of a .bank top-level domain extension as a way to combat phishing attacks (see 21 Solutions to Save the World: Masters of Their Domain). The proposal garnered some significant interest, including two Slashdot threads: A Foolproof Way To End Bank Account Phishing? and F-Secure Responds To Criticism of .bank. Since phishing is a topic that I spend a considerable amount of time thinking about, I thought I’d spend some time considering the benefits and drawbacks of Mikko’s proposal.
First, let me summarize my understanding of the proposal. The idea would be to have a top-level domain along the lines of .bank (in addition to top-level domains like .com, .net, .gov, etc.). Further, only legitimate institutions should be allowed to use the .bank domain. Ownership of sites on this domain can be further restricted by charging a sizeable fee (for example $50,000 a year) to anyone who wishes to operate such a site. These restrictions should keep illegitimate people from operating a site on such a domain. So, the argument goes that anytime you see a site on the .bank domain, you can trust it.
Now let’s consider the challenges: