Security by using .net instead of .com



  • So we have a sales person doing training onsite today. During the training someone noticed that the website they were told to go to http://www.paycomonline.com redirects the logon to https://www.paycomonline.net. The sales person said this is for security reasons.

    I can think of NO security improvements by redirecting users to a .net domain over a .com domain. Furthermore, if anything it leads to the possibility of site jacking. If that same user ends up at paycomonline.uk they will probably just think that the vendor has moved sites again for security and trod along entering their information.

    Furthermore, the instructions specifically say to go to the .com site, yet the trainer is suggesting that users bookmark the logon page which is a .net site (FYI, the .net site homepage is identical to the .com site, so using that as a landing page would work fine).

    Now I understand why they have the .com, everyone in the US goes to website.com first. It's the natural thing to do. But I'm confused why they put their logon page on the .net side of the house?

    Thoughts?



  • That's what happens when you have sales people doing training 🙂



  • Not for security reasons, I'd be afraid of any company that things this! Security through idiocy is not a thing.



  • You are correct, this actually is a security problem rather than a security feature. It makes people unable to identify the real address. It looks like every transaction is a hijack. When everything is a hijack, nothing is. Basically, the site is crying wolf every time.



  • Part of my thinks either this person made this up, their manager made this answer up, or the companies IT team figure few would understand the reality, so they gave them a quick simple answer that when most people hear it just gloss over and assume is correct and the conversation moves on.

    Of course, it's only people like us that challenge this.

    I've asked to be shown the companies reasoning/explanation on this changing TLD is more secure.



  • They have a weird "moves around" website. Uncomfortable to use.



  • @scottalanmiller said:

    Basically, the site is crying wolf every time.

    There are no errors, etc. Just the user noticing the change.



  • @Dashrender said:

    There are no errors, etc. Just the user noticing the change.

    Exactly. You train users to look for these kinds of things to know when they are being hijacked. It's a red flag. This trains them to ignore common security training and just accept dangerous things.



  • Wow...just wow.

    I don't like sales people much.

    And where do I have to click to get the redirect?



  • If you click on Employee (and probably Customer) on the left, you'll be redirected to the .net site with the logon page.



  • Yeah, I agree with you @Dashrender and @scottalanmiller



  • @Dashrender Got it. I have actually seen that a lot. They don't call it security per say, they usually justify the .net as the SSL site and the .com is the public facing site. Some think its security by obscurity (or is that absurdity?), others just want to keep things separate.

    Although SSL on the whole site used to be something everyone avoided, Google has now suggested that all sites use SSL.



  • @technobabble said:

    Although SSL on the whole site used to be something everyone avoided, Google has now suggested that all sites use SSL.

    Everyone has been suggesting that now. For a while. To the point where even normal sites with no reason to need security are now recommended to start moving to full SSL. That's why the EFF is working on a free SSL cert authority to make that possible for everyone.



  • The reason you want anyone and everyone on the web to have an SSL to to prevent injection attacks, and hopefully some government snooping!



  • You don't care much about either of those things most of the time though. Banking, sure. Facebook, of course. Shopping, obviously. But just reading random news or whatever, the things that most of us do most of the time, it doesn't matter so much. If someone injection attacks me while browsing 9Gag or the government knows that I am reading about funny cat memes, doesn't concern too many people.



  • If there's no authentication, I suppose - but so many of those site do have authentication now days.

    And why would you not care about injection attacks (drive by downloads) ?



  • @Dashrender said:

    And why would you not care about injection attacks (drive by downloads) ?

    Downloads of what? And are we really worried about people attacking from inside the ISP?



  • A sales person being wrong about something technical. I've never seen that before 😉


Log in to reply