DEV Community

Vijay Koushik, S. 👨🏽‍💻

Generic top level domains and security

  Note to Readers: This article was written as early as May 2017. I couldn't find time to publish it earlier. Please keep in mind that it is based on an event that occurred on 20 Feb 2017.

Though we cursed the changes in policies relating to savings bank accounts, India's biggest public sector bank, State Bank of India, has given its website a new avatar to protect its customers from phishing scams.

Yes, I'm talking about the recent news about SBI rebranding its website with its own top level domain, known as a generic Top Level Domain (gTLD), to from. SBI is the first banking company to have its own gTLD.

What is a gTLD, and what does it have to do with protection against phishing? Well, a gTLD is the last label of a fully qualified domain name. A fully qualified domain name is the complete address of a website like or. The labels .com and .org are the top level domains. These top level domains are called generic for historical reasons, to differentiate the different kinds of domains that existed during the development of the internet. But hold on a second! If they are called top level domains, then why do they come last? The reason is that the Domain Name System (DNS for short), the directory service responsible for identifying the correct website corresponding to a particular domain name, organises domain names from right to left in hierarchical order. Thus the label on the far right sits at the top of the hierarchy and the label on the far left sits at the bottom.

Illustration of DNS hierarchy with gTLDs

The gTLDs were created to represent a particular purpose, like com for commercial entities, net for network infrastructures and edu for educational use. But because of the lack of restrictions, com, net and org are now open to use for any purpose despite their original specific goals, and hence these TLDs are designated as unrestricted. Other TLDs like biz, name and pro are considered generic but are designated as restricted, because registrations with them require proof of eligibility.

The sbi TLD is also designated as restricted, meaning no other individual or organization is allowed to register under the sbi domain. So, how does this secure us, the customers, from phishing scams? To explain this, I'll tell you about phishing first. According to Wikipedia:

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

Traditional phishing involves the scammer sending an email informing the user that they have won $10 billion in a lottery the user has never even heard of, and requesting the user to send a stipulated amount to a particular account as a processing fee to claim the prize money, which the user never receives if he/she transfers the said processing fee. Beyond this, scammers lure internet users with a fake mail disguised as an official mail from the bank, asking for the user's credentials for security purposes or for any other purpose that convinces the user to click on the links in the mail. When clicked, these links open a fraudulent website that is designed to look exactly like the bank's website. These fraudulent sites capture user credentials when they are submitted and save them on the scammer's computer, and the scammer then uses them to steal the user's money.

The first scam can be averted by adding the sender's mail address to the spam list of the user's email service provider (even though email service providers like Google and Yahoo provide automatic spam filtering, some spam mails escape their filters). The second can be fended off by verifying that the sender's mail address is the bank's official address (the sender's address might have the wrong spelling), and by checking the address in the browser's address bar to verify that it is the bank's official website (check for wrong spelling). Another possible method to check a suspicious website is to deliberately provide wrong credentials. If the site does not respond with an error, then it is a fraudulent site.

Since the gTLD sbi is restricted to SBI alone, one can easily differentiate between fraudulent and original websites and e-mails, because the official email addresses and website will end with .sbi. So far only the bank's website has this new gTLD, and the bank's officials have announced that other businesses of SBI, like insurance, will get their own gTLD. The officials also said that the bank's previous web address will continue to exist for as long as it takes customers to get accustomed to the new web address.
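The "ends with .sbi" check above, combined with the right-to-left DNS hierarchy explained earlier, as an added example that is not part of the original article. The hostnames are constructed samples: `example.sbi` is a placeholder rather than the bank's real address, and the function names are hypothetical.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND_TLD = "sbi"  # the restricted gTLD discussed in the article


def labels_top_down(host):
    """Return DNS labels ordered from the top of the hierarchy (rightmost) down."""
    host = host.strip().rstrip(".").lower()  # "Example.SBI." -> "example.sbi"
    return host.split(".")[::-1] if host else []


def host_of(value):
    """Extract the host part of a URL or an e-mail address."""
    if "://" in value:
        # .hostname is lowercased and excludes any port or userinfo
        return urlsplit(value).hostname or ""
    _, addr = parseaddr(value)  # "Alerts <a@b>" -> "a@b"
    return addr.rpartition("@")[2]


def under_brand_tld(value, tld=BRAND_TLD):
    """True only if the rightmost (top level) label of the host is the brand TLD."""
    labels = labels_top_down(host_of(value))
    # Need the TLD plus at least one name below it, and no empty labels.
    return len(labels) >= 2 and all(labels) and labels[0] == tld


# Constructed sample inputs, not real SBI addresses.
SAMPLES = [
    "https://www.example.sbi/login",          # top label is "sbi"
    "https://Example.SBI.:8443/",             # case, trailing dot and port are normalised
    "https://example.sbi.example.com/login",  # "sbi" is a lower label, top label is "com"
    "https://example-sbi.example.net/",       # "sbi" only appears inside a label
    "Alerts <alerts@example.sbi>",            # sender address under the brand TLD
    "alerts@sbi.example.org",                 # sender address under "org"
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} {labels_top_down(host_of(sample))} -> {under_brand_tld(sample)}")
```

The comparison is made on the parsed host's rightmost label, so a name that merely contains "sbi" somewhere to the left does not pass.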

FYI on gTLDs

com: Mainly for commercial entities, but unrestricted
org: Originally for organizations not clearly falling within the other gTLDs, now unrestricted
edu: Educational use, but now primarily for US third level colleges and universities
gov: Governmental use, but now primarily for US governmental entities and agencies
mil: Military use, but now primarily for US military only

Complete list of gTLDs from Wikipedia.


Address bar
A text box in a web browser displaying the address of the web page that is currently being viewed.
Email Service Provider
A company that offers email services.
Domain Name System
Generic Top Level Domain
Phishing
The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Spam
Irrelevant or unsolicited messages sent over the Internet, typically to a large number of users, for the purposes of advertising, phishing, spreading malware, etc.
Website address or Web address
An Internet or intranet name that points to a location where a file, directory or website page is hosted.

A random quote

Let us not look back in anger or forward in fear, but around in awareness. - James Thurber
