Steve, et al: There may be issues of collateral damage. While Microsoft and Verisign battle one another for the advertising revenue available from intercepting typographical errors, innocent third parties may have to repeatedly pay to modify their software. The Verisign interception mechanism is being inserted into the core infrastructure of the Internet, DNS. While their intent is to capture eyeballs from Web URL typos, they inadvertently capture all DNS typos. Thus, all protocols and services are affected. Other protocols and services must analyze their own software to see how it reacts to the new behavior of the DNS system. Adversely affected protocols and services will have to make changes to detect the Verisign scheme and compensate for it. This will cost money. There will be software development costs, as well as costs related to customer support (new documentation, calls to tech support, etc.) While the Microsoft eyeball-capture scheme affected only MS IE users, the Verisign scheme affects everyone. When the behavior of the DNS changes, software and user behavior will also require modification. It has been suggested that the typo-eyeball capture revenue is quite large. If Verisign is successful in obtaining this revenue, it will be at the expense of Microsoft. Microsoft's revenue will decrease. Microsoft is likely to respond. They may change the operation of Internet Explorer to detect the Verisign system and to bypass it. Perhaps they will bundle the fix into one of the recommended IE patches. This will return the typo-eyeballs to Microsoft and recapture the revenue. Verisign will then suffer a downturn in revenue, and will likely try to respond. To the extent that it is technologically feasible, they may make changes to their typo-eyeball capture mechanism to once again reclaim the eyeballs, and the revenue. Given the estimates of the size of the "purse", they will likely try very hard to maintain the revenue stream. While Microsoft's changes affect only IE, which is end-system software, Verisign's changes will affect part of the core infrastructure of the Internet. When Verisign launches its counter-measure, it will be intended to circumvent the detection mechanisms added to IE. Sadly, it will likely also circumvent the detection mechanisms added to third party protocols and services. While the fight is between Microsoft and Verisign for the revenue from capturing typo-eyeballs, every time Verisign launches a new counter-measure, every protocol and service will have to analyze the change and take appropriate action. The typo-eyeball revenue estimates are substantial. It is unlikely that either direct combatant will concede defeat. Thus, there will be perpetual damage to innocent third parties. Bob Enger ----- Original Message ----- From: "Steven M. Bellovin" <smb@research.att.com> To: <nanog@merit.org> Sent: Wednesday, October 08, 2003 3:54 PM Subject: Re: News coverage, Verisign etc.
In these days of corporate malfeasance scandal coverage, you'd think that Verisign's tactics would have whetted the appetite of some bright investigative reporter for one of the major publications.
For all that I'm critical of wildcards in TLDs -- I spoke at the meeting yesterday, and my slides are on my Web page -- I don't think there are any issues of malfeasance. No one has been looting Verisign's coffers, they're not cooking the books, etc. I see three issues: is this technically wise, did Verisign have the right to do this under their current contract with ICANN, and should they have such a right. I don't see anything resembling dishonesty.
--Steve Bellovin, http://www.research.att.com/~smb