One thing I haven't seen mentioned in all this is the incredible business
monopolizing effect this move will have on the TLD's in question. It
dramatically shifts the domain playing field in Verisign's favor by
millions of potential customers to their site(s) specifically, giving
millions of dollars in free advertising eye-time over any of the
I don't see how this eye-time can be translated into millions of dollars.
But it is clear that Verisign are making money by selling sponsored
links to people who sell spamming services and software. And it is
also clear that this redirection of traffic allows them to amass
a large database of email addresses that are current, active and
which belong to people who don't always check things carefully
before acting, i.e. the To: email address was mistyped. They could
make a lot of money selling that list of email addresses to spammers.
And they could also sell a lot of the mistyped addresses after
"correcting" the domain name portion by supplying the closest
matches from the .COM and .NET database.
I wonder how anyone can continue to trust a company like this as
a certificate authority. They seem to have attracted the breed of
get-rich-quick management who want to make money by scamming
the public and selling very unsubtantial things like names(.COM)
and numbers (SSL certs). I don't pretend to believe that we can
stop fast-buck artists from running these sorts of scams but we
have to find alternative sources for SSL certs from companies
whose business model lies squarely in the world of security and
trust. That clearly excludes Verisign.
Any company with such shoddy business practices that they
can unleash this technically flawed redirection of traffic without
proper testing and public consultation is also a soft target
for infiltration. As was already mentioned, it is only a matter
of time before a criminal gang infiltrates Verisign and launches
man-in-the-middle attacks on the banking system. There are already
people that are specifically targetting banks by installing
surreptitious keyloggers on computers that sniff out Internet
banking passwords. This would be far more effective if the
keyloggers were installed by a man-in-the-middle so that they
were targetted only at the intended victims.