Not really operational content, but I was wondering if there was an
intellectual property issue with the Verisign .com/.net redirect?
For instance, <http://searchthewebwithgoogle.com/> brings you to a
Verisign search engine.
Or, even better, <http://getyourdomainnameatregister.com/> will bring you
to a Verisign website.
Alex Kamantauskas wrote:
Not really operational content, but I was wondering if there was an
intellectual property issue with the Verisign .com/.net redirect?
Not sure about IP, but there are privacy issues. Verisign has intentionally redirected all email that was mistyped on the recipient to their server. Instead of immediately rejecting and terminating the connection, they allow the send to issue 3 commands, which would typically give them the sender and rcpt information where previously the information would not leave the originating mail server. How could this be construed as anything but address harvesting and a breach of privacy?
In addition, at no point has Verisign obtained permission to steal information in this way. They are eavesdropping! Every time I've checked, port 80 was down on the destination IP, but 25 was running full speed. It makes me wonder if their real intent wasn't to collect that information to begin with.
-Jack
Regardless of Verisign's intent, there are definite privacy concerns here.
Verisign is now able to obtain all URL information from a browsing session
in which the domain name is mistyped (and the domain doesn't exist.) This
is of secondary concern to the NANOG list, which has been preoccupied with
the numerous technical and political problems this change poses, but is
nonetheless very serious.
Whereas ISP-provided search pages, such as AOL's, or local browser search
pages, such as IE's will be presented under identical circumstances (the
user mistypes a domain name), they don't have the same privacy problems
associated with them. As Microsoft's features are client-side, no user
information is leaked without the user's knowledge. And as the user is
already entrusting AOL, as her ISP, with her privacy, the problem is moot
there as well. Prior to this change, users never had to consider that
Verisign might be obtaining and recording their URL requests.
The email problem has been discussed here a bit more than the URL
requesting issue, and is troublesome in a number of other ways. The
potential for spam, the lack of clear reporting of a typo failure, and the
potential for privacy violations via the harvesting of email addresses,
and email address sender/recipient correlation are of concern.
Anonymizer has modified our name servers to correctly report unregistered
domains as such. Users of our anonymous web browsing proxy service are
protected from the web privacy problems created by Verisign's change;
users of our SSH tunneling service are protected from both the web and
email privacy problems.
We hope that Verisign will reconsider their actions. In the mean time,
we'll be doing everything we can to mitigate the risks to our users.
--Len.
As Microsoft's features are client-side, no user information
is leaked without the user's knowledge.
Do you have any form of evidence to support that proposition?
s/is/should be/ and I might have been with you ... 
We hope that Verisign will reconsider their actions. In the mean time,
we'll be doing everything we can to mitigate the risks to our users.
As will we.
Well, things may have changed since I looked at it, but I recall that not
too long ago, a mistyped domain name resulted in a local page being
displayed, which offered to let the user connect to MSN's search site.
Are users now redirected to Microsoft automatically?
I just checked this again, and in fact I was incorrect -- the requested
URL is passed to search.msn.com. That's unfortunate.
(Our proxies return their own "site not found" page, so our users won't
encounter the MSN when using our system. It is still a privacy concern for
general users, for the some of the same reasons as I stated regarding
Verisign. At least it doesn't appear to have the same XSS issues that
Verisign does, though.)
This is the best point of attack I believe. A quick review of the WIPO
domain decision archive: http://listbox.wipo.int/domain-updates shows that
domains registered in bad faith, for example wwwcdw.com, are usually ruled
against. If the individual domain holders take issue with their own
domains, both through WIPO, and what I feel will ultimately need to happen
for this madness to stop, the courts, then Verisign can be stopped.
Millions of domains registed in bad faith.
http://wwwford.net/
http://worldnetatt.net
http://wwwlightreading.net
http://wwwcnn.net
andy