An Internet startup wants to create a new “.secure” domain so people won’t have to worry about security on .secure sites. The problem: If Web surfers don’t worry about security, the .secure sites won’t be secure.
The .secure idea was put forth by Alex Stamos (who is probably not related to John Stamos, and even if he is that would have nothing to do with this post, but it would be interesting in a “isn’t that odd” kind of way, right?) who is CTO of Artemis Internet and “is trying to make the Internet safer via the .SECURE namespace and the Domain Policy Working Group.”
While it is always tempting to paraphrase someone’s argument for my own nefarious needs, I will instead let the man speak for himself:
One of the key goals of .secure is to invert the user’s security experience. The human does not exist to serve the software. Why does the user politely ask “I would like to go to my bank” and then need to interpret the 21st century pixelated entrails to determine if they arrived at their destination safely? The user is in charge; they tell the software what they want, and it’s our jobs to make the software listen.
In my view, .secure is not a category, it is an expression of intent. When a user types bank.secure, they are not saying “I want to go to the bank in the category of secure”, they are saying “I want to go to my bank securely”. That means that all of the software standing between them and their destination needs to understand this intent, and then make the thousands of small decisions needed to make it so. .Secure and the Domain Policy Framework are not the only ways to make that happen, but I believe they are the most expedient.
Most of us just assume that the companies we do business with online are secure, especially online banking sites. If we didn’t we wouldn’t be doing business with them. If they aren’t secure then they’ll eventually have to face the legal consequences.
Just as in the physical world, I am responsible for getting myself to the bank securely. I don’t run around with money popping out of my pockets, and I don’t use random Internet connections to connect to banking sites. That’s my responsibility. Just like it’s my responsibility to know if I live in a place where my doors need to be locked or I can leave my car keys in the ignition at night. Users should be able to take some parts of online security for granted, but other parts are–and should be–the user’s responsibility.