Committee Charges That VeriSign Weakens Web
By Matt Hicks
September 22, 2003

The Internet today is weaker than it was a week ago, according to an Internet advisory group.

The culprit is SiteFinder, VeriSign Inc.'s move to redirect mistyped and nonexistent domain names, said representatives of an Internet Corporation for Assigned Names and Numbers (ICANN) advisory committee on Monday. The group said VeriSign's service was undermining the stability of the Internet.

VeriSign's change appears to have considerably weakened the stability of the Internet, introduced ambiguous and inaccurate responses in the DNS (Domain Name System) and has caused an escalating chain reaction of measures and countermeasures that contribute to further instability, ICANN's Security and Stability Advisory Committee wrote in a statement.

The committee reaffirmed ICANN's call for VeriSign to suspend its SiteFinder service launched last week and participate in a review of its impact. However, VeriSign officials earlier that day rebuffed calls to stop the service. The committee also recommended that ICAAN consider its procedures to prevent sudden changes like VeriSign's redirect service and that the Internet Architecture Board and the Internet Engineering Task Force reexamine DNS specifications.

The ICANN committee issued its analysis and recommendations as the pressure mounts on VeriSign over SiteFinder. Also on Monday, a second lawsuit was filed against the Mountain View, Calif., company over the redirect service. ICANN registrar Go Daddy Software Inc., in a lawsuit filed in an Arizona federal court, is seeking an injunction against SiteFinder and claims that VeriSign is misusing its position as the domain registry for .com and .net.

SiteFinder redirects Web surfers to a VeriSign Web site when they mistype a Web address or enter a nonexistent one in the .com and .net domains. At the same time, ICANN's Security and Stability Advisory Committee found that the scheme also has interfered with other applications and services that rely on the DNS.

The problem originates within the DNS protocol specification itself. A query to the DNS with an incorrect or nonexistent domain name normally returns an error message, which on a Web browser typically appears as a page not found error. SiteFinder instead makes it appear to a requesting server that a domain name exists since it is redirected to a VeriSign server.

The problem extends to e-mail, where servers also must query the DNS. Where once an error message would have been returned saying that the domain does not exist, now e-mail often is just bounced back as if access were simply denied, said Steve Crocker, chair of the ICANN committee.

The change can undermine anti-spam software and services. Often, spam filters will first check whether the originating domain name an e-mail even exists. Even a non-registered domain name would now appear to exist since the query would bounce from VeriSign's server, Crocker explained.

We're tinkering with some basic plumbing here, so when you veer away from simplicity ... then things can get complicated and can fall apart, he said.

The committee has set up an e-mailbox to accept reports of security and stability problems arising from VeriSign's change. It also plans to hold a public meeting on Oct. 7 in Washington, D.C. on the issue.

For many relying on the Internet's core protocols such as DNS, VeriSign is setting a dangerous course. Bill Wood*****, research director at not-for-profit research institute Packet Clearing House, said that VeriSign's SiteFinder, which includes advertised links along with search results, is harmful for the Internet.

They are advertising at everyone else's expense and have destroyed Internet functionality that everyone is depending upon in order to advertise, he said.

Beyond the redirecting of traffic, VeriSign's move also is leading to countermeasures that further complicate the situation, Crocker said. The Internet Software Consortium last week released a patch to its Berkeley Internet Name Domain (BIND) software to block SiteFinder. In addition, some Internet Service Providers also are changing routing for certain Web addresses to avoid VeriSign's service. (For more information see Developer Moves to Neutralize Web Helper.)


eWeek