Security concerns shroud VeriSign service

Critics of VeriSign's Site Finder have claimed that the service caused problems with the way some e-mail and other web...

Critics of VeriSign's Site Finder have claimed that the service caused problems with the way some e-mail and other web applications function, and collected more information about web surfers than some other services designed to redirect mistyped URLs.

Those raising objections to Site Finder at a meeting of the Internet Corporation for Assigned Names and Numbers' (Icann) Security and Stability Advisory Committee, raised several technical concerns about the service, including it not working with some internet protocols, including HTTPS (Hypertext Transfer Protocol-Secure), which indicates that a site uses SSL (Secure Sockets Layer), and FTP (File Transfer Protocol).

Site Finder, which was launched last month and shut down last weekend at Icann's request, redirected internet users who mistyped a URL to a search page that suggested possible matches for the mistyped websites. Before Site Finder, web users would get an error message or a similar search page from suppliers such as Microsoft's MSN.

Site Finder centralised the URL search function in the .com and .net domains into VeriSign's servers instead of the largely decentralised approach, said David Schairer, vice president of software engineering of ISP XO Communications.

"The Site Finder has made itself a prestige target," Schairer said. "It's very likely to be attacked, and we need to understand clearly what will occur if that happens."

But VeriSign has a "proven track record" of security, claimed Scott Hollenbeck, director of technology for the company. "As an example, I offer up the 100% up time that we've demonstrated on the .com and .net name servers over the past six years. We probably invest more in that infrastructure than any other registry operator."

VeriSign's launch of the service sparked a flurry of criticism that the company was trying to use its control of the .com and .net domains to dominate the web search market. The launch of Site Finder also caused problems for some e-mail programmes and SMTP servers, as the applications or servers did not receive traditional error messages.

An extra step that e-mail servers would have to take to confirm non-existent domains would use more server resources and cause delays in response times to users, Schairer said, adding that if continued, Site Finder would drive up the support costs of suppliers for those applications.

But VeriSign officials said would include an addition to Site Finder that will resolve most e-mail issues, claiming that they are monitoring critiques from the technical community and have launched a technical review panel that includes company outsiders to address concerns being raised about the service.

VeriSign also questioned Schairer's observations about the effects of Site Finder, saying he should provide them with harder statistics on the problems.

When asked why VeriSign did not alert Icann and internet standards bodies more than a few days before it launched Site Finder, Chuck Gomes, vice president of the VeriSign Com Net Registry, said the company was unsure how to describe its plans to launch the new service without exposing trade secrets to potential competitors.

"We did extensive testing ... but we want to work with the community to develop best practices for this in the future," Gomes added.

Another critic raised concerns about the way ISPs and programmers were creating workarounds to the Site Finder service. Some ISPs launched their own search services with the attitude of "VeriSign did it, why can't we?", said Paul Vixie, president of the Internet Software Consortium.

The result of the launch of Site Finder was a spike in visitors to VeriSign's own website and a drop in visitors to MSN's search page, Vixie said.

Some ISPs launched their own web search pages, complete with advertising, and redirected mistyped URLs from their users. "This is going down the slippery slope toward instability," Vixie added. "The total result of this is growing [domain name server] incoherence ... and that's not a direction I'd like to see us go in."

Boston privacy consultant Richard Smith raised privacy concerns about Site Finder. He claimed the service had collected the full mistyped URLs and VeriSign shared the information with a marketing research company.

In the case of misdirected e-mail, Site Finder collected both the sending and receiving e-mail addresses, Smith said, and Site Finder could have collected the text of those e-mail messages if VeriSign had wanted to.

If an internet user had bookmarked a web form URL that no longer existed, Site Finder could capture all the information in the Web form, such as names, addresses and credit card numbers, before telling the user the page no longer exists, Smith added.

Hollenbeck said, "I can emphatically say that VeriSign is not collecting or retaining any data."

VeriSign could accomplish the goal of giving internet users more meaningful error messages when they mistype a URL without a service that dominates all .com and .net URLs, Smith added. "Why not have Site Finder as a little applet that runs in web browsers that provides a service to users who want it?" he asked.

Schairer also disputed VeriSign's claims that Site Finder was having a small effect on a handful of spam-blocking programs. While VeriSign officials said only 3% of spam was sent using nonexistent domain names, Schairer said XO's internal checks found that number was closer to 20%, and Site Finder complicated attempts to check for existing domain names.

VeriSign officials said only a small number of spam-blocking programs checked if the spam was coming from an existing domain name, but Schairer said Site Finder would increase the amount of spam web users receive because some spam filters would not recognise bogus domains.

Icann committee member Ken Silva, vice president of networks and security at VeriSign, questioned if some of Schairer's concerns with Site Finder related to the security and stability focus of the Icann meeting. "Is a 10% increase in spam a stability or security issue?" Silva asked. "Or is it an inconvenience to a small number of users?"

Grant Gross writes for IDG News Service

Read more on E-commerce technology