This story is over 5 years old.

The .Trust Club: Meet the Security-Loving Freemasons of the Internet

The .trust top-level domain promises security, but it comes at a price.
Image: elhombredenegro/Flickr

The Freemasons, for all their mystery, actually sought to make the world a better, safer place, albeit a God-fearing one defined by Christian doctrine. The group was (and still is) also notoriously elitist—the poor were certainly not welcome, and the rich and powerful dominated. Regular monetary donations to the cause were an uncodified necessity.

Imagine if a similar organisation hit the internet, hoping to make the web a better, safer place, but with similar restrictions on who was allowed in and demands for significant regular contributions. Imagine no longer. Plans to launch the .trust domain, formally announced today, aim to create a “gated community,” in which the only businesses allowed to use the domain are those that can prove they can protect users’ data.

But it’s more like a club than a community, one that requires applicants to have a good deal of money to join and to prove they are responsible enough for membership. Even before paying the $25,000 sign-up fee, applicants have to wait and see if the NCC Group, a Manchester-based security testing firm that will act as the registrar for the domain, will send them an invite. Once accepted, it’s $150,000 a year to stay in the club.

Rather startlingly (to a humble journalist at least), NCC CEO Rob Cotton tells me that is relatively “inexpensive” when considering the brand opportunity .trust offers, in letting customers know they can rely on websites to secure their information. He thinks even startups should be able to afford it, and should invest if they’re in the retail game.

Cotton dismisses concerns this cost might lead to a segregated internet, one where only those who can afford the fee will be welcome in the circle of trust. Dr. Geraint Price, from Royal Holloway’s Information Security Group, expressed concern that the vetting could lead to accusations of “controlling the net” and a two-tiered web.

“Could we end up with a two-tier e-commerce market, where only big players can afford to be in the ‘trusted’ domain, and small retailers being ‘elbowed out of the digital high-street?'” he said.

The launch of .trust forms part of a wider initiative by one of the biggest overseers of the web, the Internet Corporation for Assigned Names and Numbers (ICANN), to roll out many of these generic top-level domains (gTLDs). It has sold off a bunch of them over the last year for huge sums of money, so we can expect websites like Amazon.shop or Google.cloud to appear soon. That process has also been criticised for charging huge sums: $185,000 for the application alone and then $25,000 a year, which NCC has had to pay too.

There are other valid concerns around .trust. In a world where even the biggest companies with sizeable coffers can be breached—eBay and Target to name two obvious examples—how can anyone guarantee security? Why should users trust .trust sites over others when everyone is hackable?

Troy Hunt, web security expert, said the whole idea sounded “very flaky.” Hunt is dubious of any security seal. Sites that have stamps of approval, such as the Norton Secured Seal tag seen on many of the world’s webpages, have been proven to be insecure in the past, Hunt added.

“I’m sure this sounded awesome in a boardroom meeting, but it seems like just marketing speak,” he said. “If I was a consumer, I’d go to the site I needed the service from, hopefully see SSL [web encryption] and that’s about it. I’m not going to be actively seeking out .trust TLDs.”

But NCC believes .trust's processes genuinely will create safer websites by enforcing security rather than just slapping a certificate on websites and leaving them alone. In fact, it believes it is going to change the world.

“We are setting out to do something fairly fundamental—we're going to change the internet for good,” says Cotton. He claims most security protocols and certificates currently in use are either “broken or unenforced” and this project will help fix that.

Anyone hoping to get the .trust generic top-level domain (gTLD) will have to go through an initiation. It will include physical visits to prove the applicant is who they say they are, a scan of their websites to uncover any vulnerabilities and enforcement of a set of policies drawn up by NCC.

These policies were drawn up by 30 of the world’s most-loved internet businesses, including bigwigs from the biggest social networks and search companies around, says Cotton. “You can guess which ones,” he adds, trying to be secretive about those involved for some unknown reason. These rules will require members of the secure society to regularly patch systems and carry out their own audits.

Once accepted into the community, they will have their systems regularly scanned. If something is wrong, they will be alerted via an NCC-created software interface. They will also have an NCC security professional come and manually test their systems once a year. There will be 24/7 support from 50 NCC employees for members who need assistance too. This won’t guarantee 100 percent security, says Cotton, but it will ensure .trust websites are more secure than others.

As a security service, this is all very admirable. It appears .trust will genuinely enforce good security on internet businesses, more than most other accreditation schemes have done before. For the average Joe shopping with big name businesses, this is good news. Still, the model is worthy of a raised eyebrow, and should it take off, it could further separate young, lean startups from the behemoths of the web.

Cotton is keeping mum about who will actually own .trust domains, apart from NCC Group itself. We’ll find out from October this year when NCC launches its site, with 21 members expected to join by May 2015.