Critics raise security concerns about VeriSign service

VeriSign’s Site Finder service has caused problems with the way some e-mail and other Web applications function and collected more information about Web surfers than some other services designed to redirect mistyped URLs, critics of the new Web search site said Tuesday.

VeriSign’s  Site Finder service has caused problems with the way some e-mail and other Web applications function and collected more information about Web surfers than some other services designed to redirect mistyped URLs, critics of the new Web search site said Tuesday.

Those raising objections to Site Finder at a meeting of the Internet Corporation for Assigned Names and Numbers’ (ICANN) Security and Stability Advisory Committee in Washington, D.C., raised several technical concerns about the service, including it not working with some Internet protocols, including HTTPS, which indicates that a site uses Secure Sockets Layer, and FTP.

Site Finder, launched Sept. 15 and shut down this past weekend at the request of ICANN, redirected Internet users who mistyped a URL to a search page that suggested possible matches for the mistyped Web sites. Before Site Finder, Web users would get an error message or a similar search page from vendors such as Microsoft’s MSN.

Site Finder centralized the URL search function in the .com and .net domains into VeriSign’s servers instead of the largely decentralized approach, said David Schairer, vice president of software engineering of Reston, Va., ISP XO Communications. “The Site Finder has basically made itself a prestige target,” Schairer said. “It’s very likely to be attacked, and we need to understand clearly what will occur if that happens.”

But VeriSign has a “proven track record” of security, countered Scott Hollenbeck, director of technology for the company. “As an example, I offer up the 100% up time that we’ve demonstrated on the .com and .net name servers over the past six years,” he said. “We probably invest more in that infrastructure than any other registry operator.”

VeriSign’s launch of the service sparked a flurry of criticism that the company was trying to use its control of the .com and .net domains to dominate the Web search market. The launch of Site Finder also caused problems for some e-mail programs and SMTP servers, as the applications or servers didn’t receive traditional error messages, Schairer said. An extra step that e-mail servers would have to take to confirm nonexistent domains would use more server resources and cause delays in response times to users, he said.

If continued, Site Finder would drive up the support costs of vendors for those applications, he said, comparing this “tax” on vendors to a small version of the costs of fixing the Y2K bug.

But VeriSign officials said they plan to include an addition to Site Finder that will resolve most e-mail issues. They said they are monitoring critiques from the technical community and have launched a technical review panel that includes company outsiders to address concerns being raised about the service. They also questioned Schairer’s observations about the effects of Site Finder, saying he should provide them harder statistics on the problems.

Asked why VeriSign did not alert ICANN and Internet standards bodies more than a few days before it launched Site Finder, Chuck Gomes, vice president of the VeriSign Com Net Registry, said the company wasn’t sure how to describe its plans to launch the new service without exposing trade secrets to potential competitors.

“We want to be good citizens,” Gomes said. “We did extensive testing … but we want to work with the community to develop best practices for this in the future.”

Another critic raised concerns about the way ISPs and programmers were creating workarounds to the Site Finder service. Some ISPs launched their own search services with the attitude of “VeriSign did it, why can’t we?” said Paul Vixie, president of the Internet Software Consortium. The result of the launch of Site Finder was a spike in visitors to VeriSign’s own Web site and a drop in visitors to MSN’s search page, Vixie said.

Some ISPs launched their own Web search pages, complete with advertising, and redirected mistyped URLs from their users, Vixie said. “This is going down the slippery slope toward instability,” he added. “The total result of this is growing (domain name server) incoherence … and that’s not a direction I’d like to see us go in.”

On top of the technical and security concerns, the stated topic of the ICANN committee meeting, Boston privacy consultant Richard M. Smith raised privacy concerns about Site Finder. The service collected the full mistyped URLs, Smith said, and VeriSign shared the information with marketing research company Omniture Inc. In the case of misdirected e-mail, Site Finder collected both the sending and receiving e-mail addresses, Smith said, and Site Finder could have collected the text of those e-mail messages if VeriSign had wanted to.

If an Internet user had bookmarked a Web form URL that no longer existed, Site Finder could capture all the information in the Web form, such as names, addresses and credit card numbers, before telling the user the page no longer exists, Smith added.

VeriSign will not keep the data from users that Site Finder uses to point Internet users to existing Web sites, Hollenbeck said. “I can emphatically say that VeriSign is not collecting or retaining any data,” he said.

VeriSign could accomplish the goal of giving Internet users more meaningful error messages when they mistype a URL without a service that dominates all .com and .net URLs, Smith added. “Why not have Site Finder as a little applet that runs in Web browsers that provides a service to users who want it?” Smith said.

One audience member said Smith was bringing up privacy scenarios that would be rare, such as a Web form that has expired but was bookmarked by a user. When new applications or platforms are developed, they often cause legacy systems to break and prompt protests from some users, but that shouldn’t stop technological innovations, said Jonathan Zuck, president of the Association for Competitive Technology.

“I think VeriSign is trying to innovate on the platform and see what happens,” Zuck said in an interview. “(Site Finder) will result in a net improvement to the Internet.”

Schairer also disputed VeriSign’s claims that Site Finder was having a small effect on a handful of spam-blocking programs. While VeriSign officials said only 3 percent of spam was sent using nonexistent domain names, Schairer said XO’s internal checks found that number was closer to 20%, and Site Finder complicated attempts to check for existing domain names. VeriSign officials said only a small number of spam-blocking programs checked if the spam was coming from an existing domain name, but Schairer said Site Finder would increase the amount of spam Web users receive because some spam filters wouldn’t recognize bogus domains.

Critics also raised a number of concerns that did not appear to be directly related to technical or security issues, such as Site Finder returning an English-only page to non-English speakers and the size of the Web page that the service generates. XO’s Schairer said the Site Finder Web page is about 100 times the size of older redirect messages.

“Most of us have become jaded by our high-speed, always-on Internet connection, but there are a lot of people who are on pay-as-you-go (service),” Schairer said. “These people are getting roughly 100 times the amount of the traffic … because of the size of the redirect.”

But ICANN committee member Ken Silva, vice president of networks and security at VeriSign, questioned if some of Schairer’s concerns with Site Finder related to the security and stability focus of the ICANN meeting. “Is a 10 percent increase in spam a stability or security issue?” Silva asked. “Or is it an inconvenience to a small number of users?”