Tag Archives: fTLD Registry Services

.BANK and .INSURANCE To Be First New gTLDs to Implement HSTS… After Google

fTLD Registry Services has announced they will be implementing a security protocol known as HSTS – HTTP Strict Transport Security – across their .bank and .insurance new gTLDs. They will be the first registry to implement HSTS across an entire top level domain outside of Google.

Implementing HSTS at the TLD level means all domain names registered under it will be secure and there will be secure connections between web browsers and all .bank and .insurance websites. As a result, domain name registrants and customers will automatically receive the security benefits of HSTS without needing to take any additional steps to be covered.

fTLD’s new generic top level domains will be added to the preload list on 18 January. Once added to the list, leading web browsers will honour the policy in subsequent updates, including Chrome, Firefox, Internet Explorer/Edge and Safari.

“The HTTPS Strict Transport Security (HSTS) preload list is built in to all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge, and Opera)”, explained Google in a post on their security blog, and reported in Domain Pulse in October 2017. “It consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections. For example, gmail.com is on the list, which means that the aforementioned browsers will never make insecure connections to Gmail; if the user types http://gmail.com, the browser first changes it to https://gmail.com before sending the request. This provides greater security because the browser never loads an http-to-https redirect page, which could be intercepted.”

“The HSTS preload list can contain individual domains or subdomains and even top-level domains (TLDs), which are added through the HSTS website. The TLD is the last part of the domain name, e.g., .com, .net, or .org. Google operates 45 TLDs, including .google, .how, and .soy. In 2015 we created the first secure TLD when we added .google to the HSTS preload list, and we are now rolling out HSTS for a larger number of our TLDs, starting with .foo and .dev.

“The use of TLD-level HSTS allows such namespaces to be secure by default. Registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list. Moreover, since it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users, using an already-secured TLD provides immediate protection rather than eventual protection. Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually.”
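How a TLD-level preload entry is matched, as an added example that is not code from Google, fTLD or any browser: a simplified model of the lookup the quoted passage describes, in which the client walks the hostname's label suffixes and rewrites `http://` to `https://` before any request is sent. The `PRELOAD` entries, the `includeSubdomains` field name and the function names are assumptions made for illustration; the sample hostnames are constructed.

```javascript
// Added illustration: simplified model of a browser's HSTS preload check.
// PRELOAD is a constructed sample built from names mentioned in the article;
// the real list ships inside the browser and is far larger.
const PRELOAD = new Map([
  ["gmail.com", { includeSubdomains: true }],
  ["google", { includeSubdomains: true }],         // TLD-level entry
  ["bank", { includeSubdomains: true }],           // TLD-level entry
  ["insurance", { includeSubdomains: true }],      // TLD-level entry
  ["exact.example", { includeSubdomains: false }], // constructed host-only entry
]);

// Hostnames compare case-insensitively; a trailing root dot is ignored.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Return the preload entry that covers `host`, or null.
// Matching is done on whole DNS labels, never on raw string suffixes,
// so "example-bank.com" is NOT covered by the "bank" entry.
function preloadMatch(host) {
  const labels = normalizeHost(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = PRELOAD.get(candidate);
    if (!entry) continue;
    // i === 0 is an exact host match; a parent entry only applies
    // when it is flagged as covering subdomains.
    if (i === 0 || entry.includeSubdomains) return candidate;
  }
  return null;
}

// Rewrite an http:// URL to https:// when the host is covered.
// No network request happens before the rewrite, which is the point:
// there is no plaintext redirect for an on-path attacker to tamper with.
function upgradeIfPreloaded(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:") return { url: url.href, matched: null };
  const matched = preloadMatch(url.hostname);
  if (matched === null) return { url: url.href, matched: null };
  url.protocol = "https:"; // an implicit port 80 becomes implicit 443
  return { url: url.href, matched };
}

// Constructed sample inputs.
for (const u of [
  "http://gmail.com",
  "http://login.example.bank/path?x=1",
  "http://example-bank.com/",
  "http://sub.exact.example/",
]) {
  const r = upgradeIfPreloaded(u);
  console.log(`${u} -> ${r.url} (entry: ${r.matched})`);
}
```

The third sample shows the limit of TLD-wide preloading: a lookalike name under another TLD gets no protection from the `bank` entry.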

HSTS is a step on from HTTPS. “Connections to websites are encrypted using HTTPS, which prevents Web traffic from being intercepted, altered, or misdirected in transit. [Google] have taken many actions to make the use of HTTPS more widespread, both within Google and on the larger Internet.”

Google started “defaulting to HTTPS for Gmail and starting the transition to encrypted search by default” in 2010. “In 2014, [Google] started encouraging other websites to use HTTPS by giving secure sites a ranking boost in Google Search. In 2016, [Google] became a platinum sponsor of Let’s Encrypt, a service that provides simple and free SSL certificates. Earlier this year [Google] announced that Chrome will start displaying warnings on insecure sites, and we recently introduced fully managed SSL certificates in App Engine.”

And going forward Google “would like to see TLD-wide HSTS become the security standard for new TLDs.”

American Banker Outlines New gTLD Adoption Challenges, But One Bank Says It’s a “No Brainer”

Adopting a new gTLD domain name, or even changing a domain name, is not without its challenges. There are costs for changing promotional materials as well as the transition of websites and email addresses for staff. And customer awareness of the change may not be so straightforward.

An article in American Banker focusses on the challenges for .bank. The main bank featured, Farmers & Merchants State Bank in Archbold, Ohio, switched from a .com to .bank and got a handful of phone calls asking where their website had gone. One wonders if they did a redirect – the article doesn’t say.

Some customers also thought, where a sentence in some promotional materials ended with “.bank”, that “the last period was part of the web address, instead of perfect punctuation.”

“We had to rework the sentence,” J. Marty Filogamo, the bank's marketing manager, chuckling, told American Banker.

According to the article a few hundred institutions have made the transition to a .bank domain name, a new generic top level domain that became available in mid-2015.

According to the article, “as Filogamo sees it, the bank’s conversion — which also included changing employee emails — was worth the work because it sets the bank apart and will help assure customers the bank is what it said it is online. The subtle change, after all, is meant to convey credibility, much like a FDIC seal does.”

To be eligible for a .bank domain name, one has to be a financial institution verified by the registry, fTLD Registry Services, and “its partner Symantec. The mandatory verification and re-verification of dot-bank domain registrations also requires those who switch to the extension to follow security safeguards, such as obtaining a digital identity certificate.”

There are a number of reasons that those that have registered a .bank domain haven’t started using it. According to nTLDstats.com there are currently around 2,900 registrants.

One that has registered a few .bank domain names is Mercantile Bank in Grand Rapids, Michigan, who “bought a few of the domains to lock down availability, but the innovative bank has no short-term plans to convert to a new address because of the marketing expense and concerns about customer impact.”

“I am not sure when and if we’ll do it,” John Schulte, Mercantile Bank’s chief information officer, said in an email to American Banker.

Shirley Inscoe, a senior analyst with the research firm Aite Group, told American Banker a number of bank execs are still evaluating whether to make the conversion. On one hand, the project has many potential benefits, including added security. On the other hand, the project requires training consumers on the significance of a visually subtle change, and even then, people could still fall victim to spoofing and phishing attacks coming from a dot-com address.

For other banks, converting the domain name may just be a matter of getting to it. Since dot-bank became available in 2015, Inscoe said, banks have been buried in major IT projects, such as EMV rollouts and faster payments. “It’s a prioritisation issue I think,” Inscoe said.

But fTLD is hoping this will change.

Drew Schiff, director of engagement services at fTLD, said in the article that early movers were motivated for a variety of reasons, including the opportunity to own a unique, shorter URL or strengthen security. Others who defensively grabbed domains have been waiting because of concerns about costs and time required on what Schiff describes as “perceived complexity.”

But in the last three to four months, Schiff said, there has been a substantial increase in interest from its registrants to complete their migration to .bank.

“It’s trending up and in the right direction and that’s what we want to see it,” said Craig Schwartz, managing director of fTLD Registry Services.

Farmers & Merchants viewed its .bank domain as an investment that would add one more layer of security as cyberthreats continue to soar.

“Bad guys are always looking for a way in,” said Mike Hess, the bank’s IT systems administrator.

So the bank tied its change to the new domain with the launch of its new website, which other banks have also done. Another to tie its move to a .bank domain was Lead Bank in Garden City, Mo.

The .bank domain was a way to help distinguish the community bank in a new market, Melissa Beltrame, director of marketing at Lead Bank, told American Banker. She also saw it as a way to boost Lead Bank’s security and prove that small banks aren’t tech laggards as some suggest. Beltrame likened her bank’s .bank investment to a flu shot — it may not stop everything, but it strengthens the bank’s defences.

One problem the bank faced was their emails with the new domain ending up in spam filters, which was fixed. But the bank didn’t lose SEO value and consumers weren’t confused. “If anything, it created a sense of curiosity,” she said. They also managed to shave a few characters off their original domain name.

The article concludes with Beltrame saying she realised bank silos may be one reason more banks haven’t converted domains; however, she is perplexed that Lead Bank is still an early mover two years after flipping the switch.

“I can’t figure out why more banks don’t move to dot-bank,” she said. “It seems like a no-brainer.”

Request for Proposal to Allocate Reserved Names

fTLD is permitted by ICANN to reserve names, which it may use for itself, allocate in the future per the mechanisms enumerated in its Name Allocation Policy or keep permanently unavailable for registration. fTLD has reserved names comprised of Common Community and Generic names and others such as single-character and two-letter names.

fTLD’s Reserved Names Challenge Policy provides a process for an eligible entity to request allocation of a Reserved Name or to challenge a Reserved Name allocation and this information is about the former. The process requires the requestor to first file a complaint with fTLD and provide evidence to support their right(s) to the domain name and fTLD will attempt to resolve the complaint internally. If fTLD is unable to resolve the complaint, the requestor may submit a challenge to the National Arbitration Forum (NAF).

The outcome of a successful challenge either with fTLD (or NAF) is the removal of the name from the respective Reserved Names list and potential allocation of the name by one of the mechanisms in the Name Allocation Policy. A successful challenge with fTLD does not result in the requestor being awarded the name, but rather gives them an opportunity to compete to receive it.

On August 4, 2015, fTLD was authorized by ICANN to release specific two-letter names in .BANK (the available two-letter names are referenced in the related RFP Process link below). fTLD will release applicable two-letter names as well as all single-character names as Premium Names, which will be subject to fTLD premium registration and renewal fees and therefore, you should consult with your registrar on their fees for such names.

RFP Process – Name(s) Successfully Challenged in the Reserved Names Challenge Policy

RFP Process – Single-character and Two-Letter Names

Archived RFP’s

  • Issued: September 30, 2015 and closed on November 6, 2015 for the following names: american, associated, mercantile, northwest and savingsinstitute.

This fTLD announcement was sourced from:

Daily Wrap: Registrars Object To .BANK Demands, SIDN Rebrands, 2015 Record Year For .PL, Rightside Investor Wants Major Changes and Drown Bug Puts 11 Million Websites At Risk

Registrars have objected to what they describe as unreasonable demands on new rules fTLD Registry Services are trying to impose on them for selling .bank domains.

According to a report in Domain Incite, “the Registrar Stakeholder Group formally relayed its concerns about a proposed revision of the .bank Registry-Registrar Agreement to ICANN at the weekend.”

“A key sticking point is fTLD’s demand that each registrar selling .bank domains have a dedicated .bank-branded web page” with some registrars saying it will “require extensive changes to the normal operation of the registrar.”

The Polish ccTLD, .pl, had its best year ever in 2015 in terms of the daily average number of .pl domain name registrations, according to the NASK’s report on the .pl domain name market for the fourth quarter. At the end of December the .pl domain Registry, with nearly 2.7 million names, was the eleventh largest ccTLD in the world.

Last year the daily average was 3,068 .pl domains registered compared to 2,818 in 2014. 2015 was the sixth year that the number of new .pl domains exceeded one million, with 1,119,896 new domains registered. The total number of .pl domain names registered at the end of 2015 was 2,681,752.

“In accordance with the prognosis, the 2015 year was one of the best year in the history of the Polish Registry. Over the last twelve months the .pl Registry attained a record number of new registrations,” said Michał Chrzanowski, the Director of NASK.

“The annual growth dynamics for the end of December resulted with 6.23%, being the highest value for the last four years. At the same time the number of Registrants in the Registry grew last year by 60 thousand, thus the barrier of one million Registrants has been exceeded.”

The report is available for download from:

SIDN, which started life as the registry for .nl (Netherlands) is rebranding to take into account that they now provide registry services for additional TLDs – .aw and .amsterdam and most likely later in 2016 .bv.

Additionally, through a partnership with Simplerinvoicing, SIDN is taking their first steps as a trust framework manager.

The new branding has more colours than a rainbow and the organisation says the “new logo expresses the stability and reliability of our organisation, with an array of colours reflecting the diversity of our activities.”

SIDN has “also decided to use a less formal style of writing. One that suits the modern, accessible organisation we want to be.”

Rightside has upset one of its major investors, with “a hedge fund manager known for causing trouble at the companies he invests in [savaging] Rightside, saying its focus on new gTLDs at the expense of its registrar business is ruining the company,” according to a report in Domain Incite.

The report says “J Carlo Cannell of Cannell Capital is looking for some serious bloodletting. He wants Rightside to cut 20% of its staff, close offices, unify its products under the eNom brand and replace two of its directors.”

“He’s threatening to wage a proxy war to replace the Rightside board if he doesn’t get what he wants.”

“A major flaw in the HTTPS protocol has been uncovered that may leave as many as 11 million websites at risk, as well as any other services that use SSL and TLS encryption,” reports V3.

“The security protocols are widely used to encrypt web transactions and other highly sensitive traffic. HTTPS has also been increasingly deployed to protect people’s browsing of ordinary websites in an era when more and more governments are engaging in large-scale web surveillance.”

“The flaw, dubbed Drown, could be used to access all kinds of sensitive information, the researchers explained in a detailed posting on a dedicated website.”

More information is available from:

Daily Wrap: Verisign and XYZ in Dodgy Deals, Domains Becoming More Relevant and Who Should Use New gTLDs

Verisign and the .xyz registry operator XYZ.com have both come off looking a little stupid following a recent court case in which the .com and .net registry operator sued XYZ.com, with both looking a bit dodgy, according to a recent Domain Incite report.

“Explaining his dismissal of Verisign’s false advertising lawsuit against .xyz registry XYZ.com, Virginia judge Claude Hilton today said that XYZ.com’s statements about its registration numbers were ‘verifiably true’.”

“At the same time, he confirmed that they came about as a result of a bullshit deal with Network Solutions to bolster .xyz’s launch numbers.”

“That bogus deal enabled XYZ to report big reg volume numbers without actually, legally, lying.”

He may have a bit of bias since he’s the Managing Director of fTLD Registry Services, the operator of .bank, but Craig Schwartz argues on The DNA blog that domain names are increasingly becoming more relevant, not less.

Schwartz argues in part that “in many ways, a website’s domain name is a critical component of the [customer] introduction.”

“As we are painfully aware, cybersecurity breaches have increased significantly in the past decade, causing financial and perhaps even reputational, losses for brands that are not at the forefront of anti-cyber attack practices (and even some which are). Yet consumers across the globe still continue to conduct business online. As such, they are looking for brands to take the lead in ensuring a safe virtual experience.”

Schwartz then concludes “yet the foundational structure for a brand will always harken back to a website, anchored by a relevant domain name.”

Who should be using new gTLDs and when? That was a question the European Domain Name Centre asked of various industry participants recently. Reasons given include the ability to get a good, memorable domain name that isn’t available in often preferred TLDs; that a regional gTLD can tell website visitors that you are providing services to that particular region; that regional gTLDs can assist with targeting a wider customer base; that they can underline a local heritage, such as with the .wales and .cymru gTLDs; and that local geo-gTLDs can assist with search rankings.

Applications For .BANK Domains From Financial Institutions Tops 5,500

There have been more than 5,500 applications for .bank domains from the global banking community, fTLD Registry Services announced.

Top locations for .bank registrations have come from banking institutions across the United States, as well as countries including South Africa, the United Kingdom and Spain.

And there are already early adopters such as Kansas City-based Lead Bank that has switched their main site from a .com domain, citing the enhanced security features of the domain, including strong encryption and verification requirements, as a key driver of the decision to transition.

“Lead Bank is committed to providing the very best service for its clients, and moving from a .com to a .bank URL was a strategic decision for us,” said Josh Rowland, vice chairman of Lead Bank.

“Understanding that a .bank domain would ensure additional security of clients’ information, clearly indicates valid bank URLs for clients, and give Lead Bank an opportunity to present itself to potential clients as an innovative, forward-thinking bank, made migrating domains very appealing. While we are a small bank, we want our clients to have confidence that we are leading the way when it comes to providing the most secure and efficient technology to our clients.”

fTLD Registry Services has also released “A Guide to Leveraging .BANK,” a framework of communications and educational recommendations for banks adopting the new domain. The guide outlines a communications framework for the use of .bank to employees, customers and other stakeholders, as well as ways to educate executives, IT teams, marketers and vendors about .bank’s enhanced security requirements.

“The strong demand for owning a .bank domain, since the new web extension was launched last month, shows that banks recognise that the security offered by .bank will be a critical tool for protecting their customers’ proprietary information,” said Craig Schwartz. “To customers who visit a .bank web site, the look and feel will be similar to that of other websites, but the use of .bank will signal their bank’s commitment to online security.”

All applications for .bank web addresses are verified by Symantec as part of the domain’s enhanced security requirements. This ensures that only banks and other organisations that are eligible for a .bank name are granted one. Symantec has completed more than 2,000 verifications and .bank names are reserved for the banks that submitted the applications until the verification process is complete.

.BANK Commences GA With Trust For Banking Customers At Its Heart

As the new gTLD roll out rolls on, one that has trust and security at its heart launched its General Availability today (24 June). The .bank gTLD became available for the global banking community and is intended as a way internet users can be sure their financial institution is legitimate.

“For .bank, the level of security provided is crucial. Consumers need to be absolutely certain that their personal and financial details are safe,” said Gunter Ollmann, CTO of NCC Group’s Domain Services division.

“Open generics aren’t good for businesses or customers alike unless security has been given the utmost priority.”

“The Technical Policy that we created for the .trust domain is a benchmark that they should be looking at. Network, web application, email, malware and DNS risks all need to be covered.”

.Bank is operated by fTLD Registry Services, LLC—a coalition of banks, insurance companies and financial services trade associations from around the world—to ensure it is governed in the best interests of banks and their customers. fTLD has a deep understanding of the banking and insurance communities, their customers’ and their institutions’ needs.

fTLD was granted the right to operate .BANK on September 25, 2014, and .INSURANCE on February 19, 2015. All applicants will undergo a thorough verification process before being awarded a domain and must comply with strict registry policies. Verification of the eligibility of registrants will be undertaken by Symantec.

fTLD Registry Selects Symantec as Verification Agent For .BANK

Verifying that domains registered in new gTLDs such as .bank and .insurance are genuine and not some sort of scam, and to gain the trust of potential registrants and internet users, is an issue to overcome for such gTLDs. For .bank and the pending .insurance, to be operated by fTLD Registry Services, the job has been given to Symantec Corporation.

In this role, Symantec will add a layer of protection to the new domains by verifying the eligibility of companies requesting domain names, making sure the person requesting the domain name is authorized by the company and ensuring the name requested by the company complies with fTLD’s policies.

“The cornerstone of consumer trust in ‘.bank’ and ‘.insurance’ is ensuring that only verified members of the banking and insurance communities are permitted to register domain names,” said Craig Schwartz, managing director of fTLD. “Symantec is the market leader in verifying the authenticity of organisations and we are confident in their ability to uphold our strict standards.”

fTLD announced they selected Symantec following a public request for proposals process in April 2014. Symantec is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere.

fTLD is owned, operated and governed by members of the global banking and insurance communities. For more information, see ftld.com.