
What top-level domains (TLD) are safe and would be safe for example to whitelist?

I guess .gov and .mil are safe? While .com, .net and .org are not since anyone can register those.

Is .int safe? And is this TLD actually used?

I know there were some .edu domains registered before the sharpened rules introduced in 2001. But are there many domains or just a handful? Is this TLD to be considered safe?

Would /\.(edu|gov|mil)\.[a-z]{2}$/ be considered safe? (.edu, .gov and .mil under all two-letter TLDs)

Are .aero, .museum and .post to be considered safe for whitelisting?

Fred

  • What do you mean by safe? It's possible to compromise any public web server, so if you're just blindly trusting them you'll end up in worse shape than if you just implement proper security without whitelisting. – user May 04 '22 at 18:27
  • Safe to whitelist for what? – Sir Muffington May 04 '22 at 18:52
  • Are you talking about E-mail? – Kate May 04 '22 at 18:52
  • @SirMuffington, maybe like for letting users on a website post links on a forum. Maybe add to an adblocker or NoScript (for whitelisted JavaScript), or maybe to a school/library/company firewall for allowed websites to visit. – Fred May 04 '22 at 19:03
  • @Kate No, not specifically. Maybe for a forum where users can post links, or a redirector page that says "you're about to leave this website, are you sure you want to continue?" (like YouTube has when anyone posts a URL in the comments). Could be for email too, I guess. – Fred May 04 '22 at 19:05
  • @Fred: A domain name does not guarantee any security. Some attacker can use it precisely because some people (like you) would assume that the domain name is "safe". The question is very **opinion based**. That's why I suggest to **close** it. – mentallurg May 04 '22 at 19:19
  • @mentallurg I think probably someone is not likely to get malware if they visit a `.gov` or `.mil` website. – Fred May 04 '22 at 19:45
  • @Fred "I think probably someone is not likely to get malware if they visit a .gov or .mil website." Why? This makes no sense. You conflate some arbitrary consequence you decide (the TLD cannot be used by random dudes, so it should be safe) with the security of a given server. You think `.gov` or `.mil` servers are never hacked? Not hearing about it does not mean it doesn't exist, and the domain name they use alone does not make their servers more secure or immune to anything. Plus you seem to entertain the confusion between `.gov` and `.gov.XX`, which are two completely different things. – Patrick Mevzek May 04 '22 at 20:54
  • @Fred: There can be a lot of companies who act in the name of the government. They can have further subcontractor companies. These can have contract employees that are not screened thoroughly, because in doing their jobs they cannot cause much harm. Not everything the government does requires the highest security. For instance, there can be some web site intended to aid homeless dogs. Its administrator can misuse this web site. If you put ".gov" on a whitelist and do not use the same rules as for other domains, you will open your service to attacks. – mentallurg May 04 '22 at 21:23

Your definition of safe seems to be "not everyone can register those", which is quite strange.

What does this protect you against exactly, and where do you plan to do this filtering?

In its tightest sense, in almost all TLDs, "anyone" can register domains. Sometimes the "anyone" is restricted or has to pay a special price, but for a specialized attacker these would be low barriers if someone wants to try to circumvent your filter.

Also your regexp then makes no sense, as suddenly what were TLDs before are now 2nd-level domains/labels? You would need to fix your question to remove ambiguity on what you are really trying to achieve here. Filtering TLDs? Filtering domains based on some specific structure (3rd-level domains) and specific patterns in the 2nd-level domain? Etc.

And [a-z]{2} is wrong for a TLD pattern. First, only ccTLDs are 2 characters as TLDs; all others (gTLDs) are longer. Also, didn't you hear about IDNs to start with? Or the fact that the TLD is a domain and is governed at the registration layer by LDH rules, so at least hyphens and digits need to be accepted, and will be needed for IDNs. But even outside of that, with /\.(edu|gov|mil)\.[a-z]{2}$/ you immediately trust any country in the world (at least those having decided to use this way of managing their TLD) to attach the same meaning to edu, gov or mil as the meaning you seem to attach to it, and the same level of control/verification that you seem to intend. Can you vouch for that for any country in the world? (At the very least, this should show you that trying to use a regexp to validate things like "can everyone register those domains" will never work.)

As for:

> I know there were some .edu domains registered before the sharpened rules introduced in 2001. But are there many domains or just a handful? Is this TLD to be considered safe?

Do you mean now that your definition of safe is not binary anymore, but like a percentage based on how many such "domains" (and how will you count them anyway?) exist in the TLD (and domains come and go anyway)?

> Are .aero, .museum and .post to be considered safe for whitelisting?

Did you ever see any .aero or .post domain being used anywhere lately? And .museum only slightly better.

Patrick Mevzek

  • I worked for a `.aero` company that was an aerospace manufacturer. – schroeder May 04 '22 at 20:12
  • On a website where users can write posts containing hyperlinks. The `{2}` in the regex was intended to limit it to only ccTLDs, as I did not want it to match domains such as `edu.xxx`, `mil.xyz` or `gov.cool`. I don't know how widely used the aero, post and museum TLDs are, or who can obtain them. – Fred May 04 '22 at 20:37
  • @schroeder I did not say they do not exist; some airports do have them and communicate with them, but where/when have you seen one in the wild recently, that is more difficult. – Patrick Mevzek May 04 '22 at 20:51
  • @Fred "The {2} in the regex was intended to limit it to only ccTLDs" sorry but this makes no sense. Based on your definition of "safe" (which I don't agree with), `google` should be a safe TLD since, obviously, only Google can register domains in that TLD and not some random dude. Same for all other brand gTLDs coming out of the ICANN 2012 round of TLDs... You are trying to solve a non-technical problem with a technical solution, and this rarely gives the expected outcome. – Patrick Mevzek May 04 '22 at 20:52
  • @Fred "On a website where users can write posts containing hyperlinks." and how do you cater for redirections? If I post a link to a fictional `hyperlinks.gov` website that is in fact a redirection to an `i-am-not-safe.com` website, how will you catch that? Will you also follow all links given and check the content behind them? Redirections and content being free to change even mere seconds after your checks... – Patrick Mevzek May 04 '22 at 21:13
  • @PatrickMevzek Yeah, I would consider anything under the `.google` TLD safer than some random `.biz`, `.cn`, `.tk` or `.xyz` domain. – Fred May 05 '22 at 19:06
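As an added illustration of the points made in the answer and comments above (this is example code, not part of the question or of Patrick Mevzek's answer), the Python script below runs the question's regex exactly as written and contrasts it with parsing the URL first and comparing the host's labels against an explicit allowlist of registry-controlled suffixes. The `ALLOWED_SUFFIXES` set and every sample URL are constructed for the example; whether a given ccTLD really restricts labels such as `gov` or `ac` is something to verify with that registry, as the answer says. The script shows three things: the `$` anchor binds to the end of whatever string is fed to the regex, not to the end of the host; `[a-z]{2}` rejects IDN ccTLDs such as `.рф`, whose ASCII form `xn--p1ai` contains digits and hyphens (the LDH point in the answer); and even a correct suffix match only says who controls the suffix, nothing about the server behind it or where it redirects.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# The pattern from the question, used exactly as written there.
QUESTION_RE = re.compile(r"\.(edu|gov|mil)\.[a-z]{2}$")

# Constructed allowlist of registry-controlled suffixes. Whether a given ccTLD
# really restricts these second-level labels must be checked per registry;
# these values are assumptions for the example, not a vetted list.
ALLOWED_SUFFIXES = frozenset({"gov", "mil", "gov.uk", "ac.uk", "gov.au", "edu.au"})


def naive_match(url: str) -> bool:
    """The question's regex run over the raw URL string, as a naive filter might do it."""
    return QUESTION_RE.search(url) is not None


def canonical_host(url: str) -> Optional[str]:
    """Return the URL's host as lowercase ASCII (punycode) with no trailing dot.

    urlsplit().hostname already drops scheme, userinfo, port, path and query
    and lowercases the host; IDNA encoding turns Unicode labels into xn-- form.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".")  # "example.gov.uk." names the same FQDN as "example.gov.uk"
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # not a valid DNS name; treat as unknown rather than allowed


def under_allowed_suffix(host: str) -> Optional[str]:
    """Return the allowlisted suffix that host equals or sits under, else None.

    Comparison is label by label, so "gov.uk" matches "x.gov.uk" but not
    "notgov.uk" or "gov.uk.example.com".
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ALLOWED_SUFFIXES:
            return candidate
    return None


def classify(url: str) -> dict:
    """Compare the three approaches on one URL."""
    host = canonical_host(url)
    return {
        "host": host,
        "naive_regex": naive_match(url),                        # regex on the raw URL
        "host_regex": bool(host and QUESTION_RE.search(host)),  # regex on the parsed host
        "allowlisted_suffix": under_allowed_suffix(host) if host else None,
    }


# Constructed sample URLs; none of these hosts is claimed to exist.
SAMPLE_URLS = [
    "https://www.example.gov.uk/page",    # legitimate shape, but the raw regex fails on the path
    "https://EXAMPLE.GOV.UK:8443/",       # uppercase and a port defeat the raw regex too
    "https://example.gov.uk./",           # trailing dot: same FQDN, different string
    "https://example.com/?next=.gov.uk",  # raw regex matches the query string, not the host
    "https://пример.рф/",                 # IDN ccTLD: host becomes xn--...xn--p1ai, [a-z]{2} never matches
    "https://example.google/",            # brand gTLD from the comments: neither pattern says anything
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, classify(url))
```

Running the script prints one line per sample URL. Whatever the outcome of `under_allowed_suffix`, it is only a statement about the registration of the suffix: the answer's objection that a `.gov` host can be compromised, or can simply redirect elsewhere, is untouched by any of these checks.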