On Wed, 17 Sep 2003, Jack Bates wrote:
Not sure about IP, but there are privacy issues. Verisign has intentionally redirected all email that was mistyped on the recipient to their server. Instead of immediately rejecting and terminating the connection, they allow the send to issue 3 commands, which would typically give them the sender and rcpt information where previously the information would not leave the originating mail server. How could this be construed as anything but address harvesting and a breach of privacy?
In addition, at no point has Verisign obtained permission to steal information in this way. They are eavesdropping! Every time I've checked, port 80 was down on the destination IP, but 25 was running full speed. It makes me wonder if their real intent wasn't to collect that information to begin with.
Regardless of Verisign's intent, there are definite privacy concerns here. Verisign is now able to obtain all URL information from a browsing session in which the domain name is mistyped (and the domain doesn't exist.) This is of secondary concern to the NANOG list, which has been preoccupied with the numerous technical and political problems this change poses, but is nonetheless very serious. Whereas ISP-provided search pages, such as AOL's, or local browser search pages, such as IE's will be presented under identical circumstances (the user mistypes a domain name), they don't have the same privacy problems associated with them. As Microsoft's features are client-side, no user information is leaked without the user's knowledge. And as the user is already entrusting AOL, as her ISP, with her privacy, the problem is moot there as well. Prior to this change, users never had to consider that Verisign might be obtaining and recording their URL requests. The email problem has been discussed here a bit more than the URL requesting issue, and is troublesome in a number of other ways. The potential for spam, the lack of clear reporting of a typo failure, and the potential for privacy violations via the harvesting of email addresses, and email address sender/recipient correlation are of concern. Anonymizer has modified our name servers to correctly report unregistered domains as such. Users of our anonymous web browsing proxy service are protected from the web privacy problems created by Verisign's change; users of our SSH tunneling service are protected from both the web and email privacy problems. We hope that Verisign will reconsider their actions. In the mean time, we'll be doing everything we can to mitigate the risks to our users. --Len.