SiteFinder: the Verisign Slides

Steve Loughran writes "It's been pretty quiet in public on the SiteFinder front, but it does not mean that VeriSign are accepting defeat. On October 15, the ICANN Security and Stability committee met to discuss it, as can be seen from the long transcript. The new item from this is a VeriSign review of Site Finder, which is very interesting." Loughran further analyzes the Verisign presentation, below.

Some key points:

  1. English-only responses only merit a 'moderate' response. I am sure the rest of the world thinks their language is only 'moderately' important.
  2. A lot of problems are viewed as minor, fixable with 'user education' or 'application patch'. I wonder if DNS patches were the application VeriSign expected us to patch?
  3. Apparently most spam doesn't forge sender domains; only 3-5%. So checking domain validity doesn't help much as an effective spam filter. A SpamAssassin representative commented that the reason there are so few invalid domains in their corpus is that they get filtered earlier, so this data may be bogus.
  4. An acknowledged troublespot could be automated HTTP programs getting confused by the new responses, but they hadn't heard of that, and using HTTP over port 80 in this way by automated tools is discouraged according to BCP 56.
  5. User studies liked it, but since the core finding was "there's more functionality than you get with a 404 so it's helpful for me", the study may have been flawed. Site Finder did nothing for 404 pages, only for unknown hosts.
  6. Most of the problems with services such as SMTP relate to misconfigured systems, and these did not show up with the small scale tests VeriSign tried.
After the presentation, the transcript shows some good feedback from the audience, ripping into the end user survey, for example, and trying to understand the relationship with other registrars. It is notable that the only two user groups considered are (a) registrars and (b) end users. The wants and needs of people who implement networked applications or support them are neglected because we are seemingly invisible.

I myself am most offended by the "we shouldn't be automating access over port 80" comment. Hello? VeriSign? What do you think Web Services are?

While Site Finder was up, I tested how SOAP stacks handled misconfigured addresses: the results are published on xml.com. Both SOAP stacks tested choked on the 302 response, giving errors to the clients that are nowhere near user intelligible. So VeriSign are making things harder, despite their apparent obliviousness or denials. I shall be sharing my data with VeriSign, and encourage anyone else to do the same."

Comments:
  • Darn it, *what* am I going to do with a PowerPoint document? Can someone please post a conversion (possibly PDF?)

    I wish Slashdot would make a policy against .doc, .ppt, .xls, and finally officially ban NYT links (every other site that requires registration *except* NYT is specifically disallowed).
  • by Oddly_Drac ( 625066 ) on Wednesday October 29, 2003 @12:22PM (#7338372)
    "Jim Galvin: that's okay. One is the -- he's going to fix them for me.


    Somebody asked, as follow-up question that Verisign did we correctly hear them say that they're not collecting any personal data of course and they said that multiple times that's a clear statement. However can you comment on the presence of the web bug in the SiteFinder webpage?

    Scott Hollenbeck: the web bug exists. That was asked at our last session of we have plans to cut back on the information that's being passed from via -- the web bug to the URL. We have one of our development managers, Joel Nylund, if you wanted to say anything more about that.

    Joel Nylund: other than we're passing the whole URL we plan to (inaudible).

    Scott Hollenbeck: He said what I said. It's going to be changed to pass back only the minimal information.

    Steve Crocker: is there an opt-out mechanism?

    Ben Turner: the way we do the web bug is compliant with the standards that exist. It is a typical implementation for this type of bug.

    Steve Crocker: I'm speechless. "


    He's not the only one. For one thing there are privacy implications _outside_ the US.

  • by Anonymous Coward
    PDF available here [missouri.edu].

    (posting anonymous - just say no to karma whoring)
  • by nologin ( 256407 ) on Wednesday October 29, 2003 @02:28PM (#7339671) Homepage

    I am sure that a lot of people will like Verisign's comments about handling traffic other than http.

    Instead of returning a host not found, we will return another type of error (TCP reset for example) to the client application.

    I know that some computer users know nothing about DNS, IP addresses, etc. But, who is there to say for sure that something will send a TCP reset? What if someone were to change it to now accept mail (using SMTP as an example)?

    While it most likely won't happen, I can't trust these folks further than they can throw the person responsible for false renewal notices. I think the Verisign marketing department takes the cake by coming up with the most destructive ideas to boost their bottom line.

    • That is a good point. They have already changed HTTP behaviour. If you write some hot new HTTP successor app, how long before they decide to answer failed lookups with their marketing front end, rather than valid data.

      What if they started to reply to senders with suggestions for valid email addresses, maybe with adverts for ink cartridges at the bottom.

      What if they cached all to and from addresses to add them to their list of 'consenting' users.

      VeriSign's perspective was if it is technically feasible, the
    • It just goes to show how moronic they are. I mean, it's pretty simple: if the host cannot be found, then the program should be told, not something like a TCP reset. Weren't they parroting on about caring about standards or something....

      Verisign blow. All this extra work for people just because they want to make the sleazy buck, bastards.
  • From the article:

    Issues more likely to occur with at least moderate impact, and how each is addressed:

    English-only web page: can be addressed by service operator
    End-user error reporting: software update required
    Spam filtering: filter update required
    Automated HTTP tools: software update required
    Resolvers with non-DNS fallback: software update required
    Using DNS to check domain availability for registration purposes: software update required
    Email delivery: most issues can be addressed by service operator

    In other word
    • Yes, it would be funny if it wasn't true. In exchange for the search revenue they are prepared to break everything.

      Only one person in the transcript (read it, if you haven't) asked 'what about the app developers, don't you have an implicit contract not to return wildcards', and Verisign replied "we only care about the standards", meaning no.

      So the people who write the apps that make DNS lookups don't get consulted, don't get listened to, just get given extra work.

      Yet if it hadn't been for the app developers, th
  • Future applications: applications could check for a wildcard A record, detect synthesized data in a response and take appropriate action...

    Anyone know of any good (preferably Open-Source) burn-down-Verisign's-headquarters software? I'm interested in embedding it in all my future applications.

    • Anyone know of any good (preferably Open-Source) burn-down-Verisign's-headquarters software? I'm interested in embedding it in all my future applications.

      What happens when you write one and they decide to change the fundamental behavior of the Internet without telling anyone? BAM your program doesn't work anymore!

      See, they still win!

    • Anyone know of any good (preferably Open-Source) burn-down-Verisign's-headquarters software?

      Use a scriptable HTTP client, such as Wget or Curl, to bombard http://sitefinder.verisign.com:80/ with valid requests. I wrote a short C program [jk0.org] (no, I haven't had time to sit down with the llama book to learn Perl, and I needed a test case for my safe string library anyway) that does just this.
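The two technical threads above, Loughran's SOAP stacks choking on SiteFinder's 302 instead of getting a resolution failure, and the comment suggesting that future applications check for a wildcard A record and detect synthesized data, both come down to the same client-side check. The following is an added example, not code from the page, from Loughran or from VeriSign. It resolves a few random labels under each ancestor zone of the target name; random labels ought to be NXDOMAIN, so any address they return is wildcard data, and a target whose only addresses are wildcard data is reported as synthesized rather than handed to the HTTP or SOAP layer. The resolver table, the zone names and the 192.0.2.x addresses are constructed for the example (TEST-NET addresses, not SiteFinder's real ones); `system_resolver` is the hook for real lookups.

```python
"""Detecting synthesized (wildcard) DNS answers of the SiteFinder kind.

Added example, not code from the page or from VeriSign. Before an application
trusts an A record it resolves a few random labels under each ancestor zone of
the name; random labels should be NXDOMAIN, so any address they return comes
from a wildcard and is treated as synthesized rather than as a real host.
"""
import secrets
import socket
import string
from typing import Callable, Dict, Iterator, Optional, Set

Resolver = Callable[[str], Optional[Set[str]]]  # returns A records, None on NXDOMAIN


class NxDomain(Exception):
    """The name does not exist (the answer a wildcard hides)."""


class SynthesizedAnswer(Exception):
    """The name resolved, but only to addresses a wildcard hands out."""


def system_resolver(name: str) -> Optional[Set[str]]:
    """Use the host's stub resolver (needs network access); None on lookup failure."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return None


def make_fake_resolver(records: Dict[str, Set[str]],
                       wildcards: Dict[str, Set[str]]) -> Resolver:
    """Constructed offline stand-in for DNS: explicit records win, any other
    name under a wildcard zone gets that zone's addresses, else NXDOMAIN."""
    def resolve(name: str) -> Optional[Set[str]]:
        name = name.rstrip(".").lower()
        if name in records:
            return set(records[name])
        for zone, addrs in wildcards.items():
            if name.endswith("." + zone):
                return set(addrs)
        return None
    return resolve


def ancestor_zones(name: str) -> Iterator[str]:
    """'www.example.com' -> 'example.com', 'com': every zone a wildcard could live in."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def random_label(length: int = 12) -> str:
    """A label that will not exist by accident."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wildcard_addresses(name: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Addresses returned for random (non-existent) labels under each ancestor zone."""
    found: Set[str] = set()
    for zone in ancestor_zones(name):
        for _ in range(probes):
            addrs = resolve(f"{random_label()}.{zone}")
            if addrs:
                found |= addrs
    return found


def lookup_strict(name: str, resolve: Resolver = system_resolver) -> Set[str]:
    """Resolve name, but refuse answers that are nothing more than wildcard data."""
    addrs = resolve(name)
    if not addrs:
        raise NxDomain(name)
    real = addrs - wildcard_addresses(name, resolve)
    if not real:
        raise SynthesizedAnswer(f"{name} -> {sorted(addrs)} (wildcard only)")
    return real


# Constructed sample data: TEST-NET addresses, not SiteFinder's real ones.
SAMPLE_RECORDS = {"www.example.com": {"192.0.2.10"}}
SAMPLE_WILDCARDS = {"com": {"192.0.2.1"}}  # registry-level wildcard, as SiteFinder did for .com


if __name__ == "__main__":
    fake = make_fake_resolver(SAMPLE_RECORDS, SAMPLE_WILDCARDS)
    for host in ("www.example.com", "nosuchhost.example.com", "host.example.org"):
        try:
            print(host, "->", sorted(lookup_strict(host, fake)))
        except (NxDomain, SynthesizedAnswer) as exc:
            print(host, "->", type(exc).__name__, exc)
```

Two caveats a practitioner would want: a host that legitimately shares the wildcard's address, or a zone that uses a wildcard by design, is reported as synthesized, so the result is "this answer is indistinguishable from wildcard data", not proof of a fake; and the probes cost extra queries per ancestor zone, so in a real client cache `wildcard_addresses` per zone rather than re-probing on every lookup.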

  • Another point to take away from the transcript is that Verisign was unwilling to show anybody the text of the surveys they paid to have conducted. The Eschalot claims to have "copies" of the surveys ( http://www.theeschalot.com/verisign-survey-text.html [theeschalot.com]), and I have to guess that isn't too far from right.

    It only stands to reason that if you want to claim everybody loves your new service, and if everybody doesn't, you ought to have to show some legitimate reason for claiming they do.

    'course, being a mon
