Verisign Didn't Deserve This Spanking


By Alex Salkever

When Web surfers type an Internet address that either doesn't exist or isn't spelled correctly, they get an error message telling them no such site exists. If the mistaken address falls into the .com or .net top-level domains, that error message comes from Verisign (VRSN), the company that has an exclusive contract to maintain the records of who owns what in those two most popular Web-address domains. So, if no one has purchased, say, the name www.bozoclowns.com and put up a site using it, then the task of telling the rest of the Net that nothing exists there falls to Verisign.

That's something only Verisign could do for .net or .com mistakes because it's the one with the big database of registered names. According to Verisign, this type of miscue happens 20 million times per day.

On Sept. 15, Verisign unveiled a way for it to make money from these mistakes. It started directing surfers to Site Finder, a Verisign-operated search engine. The page contained a search box and a "Did You Mean?" list containing similar domain names to the one typed in incorrectly. And Verisign started selling advertisements and paid search listings from Yahoo! (YHOO) subsidiary Overture on Site Finder. Overnight, Verisign morphed from a nonplayer into a significant search-engine force with traffic in the tens of millions of users.

LEGAL THREATS. Of course, not everyone thought this was a brilliant idea. Network administrators howled that Verisign's new policy would ruin spam detection and make it harder to use some network-management utilities. Some of these folks relied on error messages emanating from bogus domains to screen out spam that uses spoofed e-mail addresses from nonexistent domain names.

A loud chorus of critics said Verisign was using its monopoly registrar power over .net and .com in a fashion not permitted by the contract it had received to maintain these databases. The International Corporation for Assigned Names & Numbers (ICANN), the world's top regulatory body governing Net affairs and the organ that awarded Verisign the contract, threatened fines and legal action if Verisign didn't cease and desist. The practice, ICANN claimed, had damaged the Net's overall stability and was in violation of neutrality clauses in Verisign's contract to operate the .net and .com master address lists.

Verisign bitterly rejected ICANN's claims, saying Site Finder benefited customers. However, facing mounting pressure from the Internet community, on Oct. 2 Verisign backed down and agreed to stop redirecting errant address requests to Site Finder. "ICANN shouldn't be micromanaging these new services," said Verisign Executive Vice-President Russell Lewis at a press conference it held to address the issue on Oct. 6.

BACKLASH. Over the years, Verisign has become something of a punching bag for critics and deservedly so. In 2000 and 2001, its reputation suffered after a spate of high-profile domain-name "hijackings," where impostors easily convinced personnel at Verisign subsidiary Network Solutions to transfer control of valuable domain names to them.

Competing domain-name registrars sued Verisign in 2002 for allegedly attempting to dupe domain-name owners with a direct-mail campaign urging them to renew their domain-name registration. They claimed that Verisign used bogus expiration dates in the renewal notices and also didn't clearly inform customers they would be switching from other registrars, such as Register.com, to Verisign.

In the current case of the redirected error messages, however, Verisign has gotten something of a bum rap. Part of the backlash undoubtedly comes as a reaction to Verisign's position as one of the Net's most powerful forces. Aside from controlling the database that records all domain names for .com and .net, it's also the largest domain-name registrar with over 27 million names under management. And Verisign operates 2 of the 13 domain-name system (DNS) root servers that are essential to the Internet's operation. These servers direct traffic on the Web by making sure that if someone types in, say, www.gap.com, their browser will go to Gap's official Web site.

LIGHTNING ROD. Verisign is also the dominant digital-certificate-issuing authority with more than 373,000 handed out to date. Verisign grants these certificates to e-commerce sites and other Web organizations that need to conduct secure commerce and need to use digital signatures in the certificates to authenticate transactions and encrypt data traffic. The certificates function as a digital seal of approval and proof that sites are who they say they are. So, it's easy to see why Verisign is a lightning rod for criticism when it does anything even remotely controversial.

In the case of the missing error messages, though, Verisign's critics are only half right for several reasons. First is the issue of whether Verisign should be allowed to redirect errant address queries and exercise an unfair advantage in doing so. Numerous other companies practice similar tactics by registering one-character-off domain names in hopes of snagging surfers who mistype a Web address.

When Web surfers mistype addresses in Internet Explorer browsers, Microsoft (MSFT) directs them to an MSN search page with click-throughs to services offered by MSN partners. Yet ICANN hasn't told any of these outfits to buzz off.

Second, as for violating the stipulated neutrality of the contract ICANN awarded to Verisign, that claim seems off-base. Yes, Verisign might be able to profit from its tactic. But it wasn't taking business away from anyone -- these are unused Web-site addresses, after all.

Third, regarding anti-spam software that relies on the error messages sent out by Verisign in response to mistyped Web addresses, this is at best a blunt-edged instrument to filter out unwanted e-mail. Mail administrators built automated filters that checked the domain name of incoming mail by sending a message to that domain. If a Verisign error message came back in response, then the administrators figured the original message was probably spam.

A BETTER TOOL. But any spammers worth their salt today use legitimate domain names, such as aol.com or yahoo.com or even businessweek.com (believe me, I get a lot of spam from our own domain), as part of their random e-mail missives. Why? Because that type of spam is harder to sift from normal messages. In this case, by using a spoofed address attached to a valid domain name, spammers can easily circumvent such crude filters.
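A toy model of the domain-existence filter discussed above, as an added example that is not part of the original column: it shows the filter catching a nonexistent sender domain, missing it once unregistered names are redirected, and never catching a forged address at a real domain. All domain names, addresses, the probe name and the `redirect_aware_filter` workaround are constructed assumptions for illustration.

```python
# Added illustration: an offline model of the sender-domain check and of
# registry redirection. Names and addresses are constructed (RFC 5737 range).
REGISTERED = {"example.com": "192.0.2.10", "example.net": "192.0.2.20"}
REDIRECT_ADDR = "192.0.2.99"          # stand-in for a registry-run catch-all page
PROBE = "no-such-name-7f3a9c.com"     # assumed to be unregistered

def resolve(domain, redirecting=False):
    """Return an address, or None when the registry says the name does not exist."""
    if domain in REGISTERED:
        return REGISTERED[domain]
    return REDIRECT_ADDR if redirecting else None

def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def naive_filter(sender, redirecting=False):
    """The crude check: mail is spam only if the sender's domain does not exist."""
    return "spam" if resolve(sender_domain(sender), redirecting) is None else "accept"

def redirect_aware_filter(sender, redirecting=False):
    """Workaround (assumption): treat the catch-all answer as 'does not exist'
    by comparing it with the answer for a name known to be unregistered."""
    catch_all = resolve(PROBE, redirecting)
    answer = resolve(sender_domain(sender), redirecting)
    if answer is None or (catch_all is not None and answer == catch_all):
        return "spam"
    return "accept"

def run_demo():
    """Return (redirecting, sender, naive verdict, redirect-aware verdict) rows."""
    senders = [
        "offers@unregistered-typo-shop.com",  # domain treated as unregistered here
        "forged.user@example.com",            # spoofed address at a real domain
    ]
    return [
        (r, s, naive_filter(s, r), redirect_aware_filter(s, r))
        for r in (False, True)
        for s in senders
    ]

if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Neither filter flags the forged address at a registered domain, which is the weakness the column points to.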

Further, relying on error messages is a poor substitute for so-called SMTP authentication, a process that allows a mail server receiving an e-mail to query back the sending mail server directly and ask, "Hey, is this message from a known account on your system?" If the answer comes back "no," then the message is clearly spam and should be deleted. Mail administrators have yet to widely adopt this tactic, though an increasing number are doing so. Yahoo started using SMTP authentication several years ago in part to cut down on spam coming from addresses ending in yahoo.com.

Is Verisign lily-white in all this? Hardly. Directing traffic to Site Finder may help the customers find what they're looking for, but first and foremost it helped Verisign. The Overture search engine by design gives preference to Web listings of companies that pay to advertise with the service. That has raised the ire of consumer groups who claim that Overture returns tainted results.

MISSING MESSAGES. Verisign also should have consulted with the Internet community at large before exercising its monopoly power to alter the basic workings of the Web. Certainly, the Internet remains a communitarian venture, and Verisign has run roughshod over that ethos.

Finally, it's most unfortunate that Verisign's Site Finder impedes basic software used to manage many types of networks. Tools such as "ping" and "traceroute," which are used to track data moving across a network, rely on specific error messages. When Verisign redirected all errant traffic to Site Finder, those error messages disappeared, rendering the network-management tools far less useful. This was the most troubling side effect of Verisign's unilateral move and perhaps the best reason for stopping any type of redirection until everyone gets a chance to adjust to the change.

However, punishing Verisign for breaking anti-spam systems that rely on weak technology makes no sense. Nor does punishing it for redirecting traffic when others do basically the same thing and get away with it. Foolish consistency may be the hobgoblin of little minds, but it's important in clarifying matters in this instance.

Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.

