Not really operational content, but I was wondering if there was an intellectual property issue with the Verisign .com/.net redirect?

For instance, <http://searchthewebwithgoogle.com/> brings you to a Verisign search engine.

Or, even better, <http://getyourdomainnameatregister.com/> will bring you to a Verisign website.

-- /ak
Alex Kamantauskas wrote:
Not really operational content, but I was wondering if there was an intellectual property issue with the Verisign .com/.net redirect?
Not sure about IP, but there are privacy issues. Verisign has intentionally redirected all email that was mistyped on the recipient to their server. Instead of immediately rejecting and terminating the connection, they allow the sender to issue 3 commands, which would typically give them the sender and rcpt information where previously the information would not leave the originating mail server. How could this be construed as anything but address harvesting and a breach of privacy?

In addition, at no point has Verisign obtained permission to steal information in this way. They are eavesdropping! Every time I've checked, port 80 was down on the destination IP, but 25 was running full speed. It makes me wonder if their real intent wasn't to collect that information to begin with.

-Jack
On Wed, 17 Sep 2003, Jack Bates wrote:
Not sure about IP, but there are privacy issues. Verisign has intentionally redirected all email that was mistyped on the recipient to their server. Instead of immediately rejecting and terminating the connection, they allow the sender to issue 3 commands, which would typically give them the sender and rcpt information where previously the information would not leave the originating mail server. How could this be construed as anything but address harvesting and a breach of privacy?
In addition, at no point has Verisign obtained permission to steal information in this way. They are eavesdropping! Every time I've checked, port 80 was down on the destination IP, but 25 was running full speed. It makes me wonder if their real intent wasn't to collect that information to begin with.
Regardless of Verisign's intent, there are definite privacy concerns here. Verisign is now able to obtain all URL information from a browsing session in which the domain name is mistyped (and the domain doesn't exist.) This is of secondary concern to the NANOG list, which has been preoccupied with the numerous technical and political problems this change poses, but is nonetheless very serious.

Whereas ISP-provided search pages, such as AOL's, or local browser search pages, such as IE's, will be presented under identical circumstances (the user mistypes a domain name), they don't have the same privacy problems associated with them. As Microsoft's features are client-side, no user information is leaked without the user's knowledge. And as the user is already entrusting AOL, as her ISP, with her privacy, the problem is moot there as well. Prior to this change, users never had to consider that Verisign might be obtaining and recording their URL requests.

The email problem has been discussed here a bit more than the URL requesting issue, and is troublesome in a number of other ways. The potential for spam, the lack of clear reporting of a typo failure, and the potential for privacy violations via the harvesting of email addresses, and email address sender/recipient correlation are of concern.

Anonymizer has modified our name servers to correctly report unregistered domains as such. Users of our anonymous web browsing proxy service are protected from the web privacy problems created by Verisign's change; users of our SSH tunneling service are protected from both the web and email privacy problems.

We hope that Verisign will reconsider their actions. In the mean time, we'll be doing everything we can to mitigate the risks to our users.

--Len.
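One way a resolver-side filter of the kind described in the message above could report wildcard-synthesized answers as unregistered, shown as an added example that is not part of the thread and not Anonymizer's code. The `WildcardFilter` class, the `fake_lookup` stand-in for a real resolver, and all names and addresses in the sample zone are constructed for illustration.

```python
import secrets

class WildcardFilter:
    """Wraps a lookup function and reports TLD-wildcard answers as nonexistent."""

    def __init__(self, lookup, probes=3):
        self.lookup = lookup      # callable: name -> set of addresses (empty = NXDOMAIN)
        self.probes = probes
        self._wildcards = {}      # tld -> frozenset of synthesized addresses

    def wildcard_addrs(self, tld):
        """Probe random labels under the TLD; identical answers mean a wildcard."""
        if tld not in self._wildcards:
            answers = [frozenset(self.lookup(f"{secrets.token_hex(16)}.{tld}"))
                       for _ in range(self.probes)]
            first = answers[0]
            # A wildcard exists only if every random name resolves to the same set.
            is_wild = bool(first) and all(a == first for a in answers)
            self._wildcards[tld] = first if is_wild else frozenset()
        return self._wildcards[tld]

    def resolve(self, name):
        name = name.rstrip(".").lower()
        tld = name.rsplit(".", 1)[-1]
        addrs = frozenset(self.lookup(name))
        wild = self.wildcard_addrs(tld)
        # Caveat: a registered name hosted on the wildcard address is filtered too.
        if addrs and wild and addrs <= wild:
            return frozenset()    # report as unregistered
        return addrs

# Constructed sample zone: one registered name, wildcards on com and net.
REGISTERED = {"example.com": {"198.51.100.7"}}
WILDCARD = {"com": {"192.0.2.11"}, "net": {"192.0.2.11"}}

def fake_lookup(name):
    """Stand-in for a real resolver so the example runs offline."""
    if name in REGISTERED:
        return REGISTERED[name]
    return WILDCARD.get(name.rsplit(".", 1)[-1], set())

if __name__ == "__main__":
    f = WildcardFilter(fake_lookup)
    for n in ("example.com", "searchthewebwithgoogle.com", "nosuchname.org"):
        print(n, sorted(f.resolve(n)) or "NXDOMAIN")
```

With the answer turned back into a nonexistent-domain result, a mail server or browser behind the filter fails locally and never opens the SMTP or HTTP connection that would expose the envelope or URL.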
On Wed, 17 Sep 2003 19:39 (UTC) Len Sassaman <rabbi@quickie.net> wrote:

| As Microsoft's features are client-side, no user information
| is leaked without the user's knowledge.

Do you have any form of evidence to support that proposition?

s/is/should be/ and I might have been with you ... ;-)

| We hope that Verisign will reconsider their actions. In the mean time,
| we'll be doing everything we can to mitigate the risks to our users.

As will we.

-- Richard Cox RC1500-RIPE
On Wed, 17 Sep 2003, Richard Cox wrote:
Do you have any form of evidence to support that proposition?
s/is/should be/ and I might have been with you ... ;-)
Well, things may have changed since I looked at it, but I recall that not too long ago, a mistyped domain name resulted in a local page being displayed, which offered to let the user connect to MSN's search site. Are users now redirected to Microsoft automatically?
On Wed, 17 Sep 2003, Len Sassaman wrote:
Are users now redirected to Microsoft automatically?
I just checked this again, and in fact I was incorrect -- the requested URL is passed to search.msn.com. That's unfortunate. (Our proxies return their own "site not found" page, so our users won't encounter the MSN when using our system. It is still a privacy concern for general users, for some of the same reasons as I stated regarding Verisign. At least it doesn't appear to have the same XSS issues that Verisign does, though.)
On Wed, 17 Sep 2003, Alex Kamantauskas wrote:
Not really operational content, but I was wondering if there was an intellectual property issue with the Verisign .com/.net redirect?
For instance, <http://searchthewebwithgoogle.com/> brings you to a Verisign search engine.
Or, even better, <http://getyourdomainnameatregister.com/> will bring you to a Verisign website.
This is the best point of attack I believe. A quick review of the WIPO domain decision archive:

http://listbox.wipo.int/domain-updates

shows that domains registered in bad faith, for example wwwcdw.com, are usually ruled against. If the individual domain holders take issue with their own domains, both through WIPO, and what I feel will ultimately need to happen for this madness to stop, the courts, then Verisign can be stopped.

Millions of domains registered in bad faith.

http://wwwford.net/
http://worldnetatt.net
http://wwwlightreading.net
http://wwwcnn.net

andy

-- PGP Key Available at http://www.tigerteam.net/andy/pgp
participants (5)

- Alex Kamantauskas
- Andy Walden
- Jack Bates
- Len Sassaman
- Richard Cox