
Verisign Considers Restarting Sitefinder

Posted by timothy
from the try-try-again dept.
Rosco P. Coltrane writes "The Washington Post reports that VeriSign is considering reviving its infamous search engine. 'Site Finder was not controversial with users' says VeriSign's Tom Galvin, and VeriSign 'assured ICANN that it would give 60 to 90 days' warning to resolve any remaining technological problems.' Such as leaving the DNS service alone for example?"

  • by Quizo69 (659678) on Tuesday February 10, 2004 @06:25AM (#8235740) Homepage
    Those who forget history are doomed to repeat it...
    • by xpurple (1227) on Tuesday February 10, 2004 @06:27AM (#8235753) Homepage Journal
      If it is put back in place, then the backlash will no doubt force them to take it down again.

      It's just the way things go.
      • by AKnightCowboy (608632) on Tuesday February 10, 2004 @08:34AM (#8236218)
        If it is put back in place, then the backlash will no doubt force them to take it down again.

        Wow, and I was just starting to forget about how much I vehemently hated Verisign. It's always good when a company reminds you every once in awhile why you believe they're completely evil.

        Just a reminder to the DNS admins:

        zone "com" {
            type delegation-only;
        };

        zone "net" {
            type delegation-only;
        };
        • Don't be surprised if they launch it in a different way.

          For example, synthesising a pair of NS records for every non-existent domain rather than using wildcards. This will mean that this hack won't work, they are no longer using DNS "wildcards" per se, and all the concerns about protocol violation vanish.
          • Look at it this way - we now have a cast iron case for making the Internet core facilities like DNS a non-profit zone, probably nationalising them under the US (I'm a Brit and I'd prefer this to it being corporate) scheme of doing things, or giving control to the UN. Maybe it's about time we saw the US taking up .us domains too... The overwhelming majority of .com's and .net's are in the US, while most UK addresses are in .uk so maybe this new organisational body would educate on the benefits of having segre
            • by glwtta (532858) on Tuesday February 10, 2004 @11:22AM (#8237541) Homepage
              Maybe it's about time we saw the US taking up .us domains too...

              As soon as we figure out how to make everyone else use .them

      • by lspd (566786) on Tuesday February 10, 2004 @08:59AM (#8236324) Homepage Journal
        Speaking of backlash, it's hard to imagine a more interesting target for the next MyDoom type worm. Could a worm that tries to get the index page off random domains bring down VeriSign?

        Not that I'm suggesting anything.
        • Why would spammers want to hurt VeriSlime?
        • If you want to have fun annoying spammers, one of the popular methods is to leave attractive-nuisance email addresses around on your web pages (or use CGI scripts that generate lots of these things.) If those addresses are at bogus domains, the spammers or the proxies or zombies they're abusing will do DNS queries, and if Verisign is giving them Sitefinder's IP address, they'll set up SMTP connections to Sitefinder's email-stub server instead of just dropping the connection. This makes it harder for the
        • Speaking of backlash, it's hard to imagine a more interesting target for the next MyDoom type worm. Could a worm that tries to get the index page off random domains bring down VeriSign?

          It happens every day, the number of recorded DoS attacks against the core DNS is over 1000. There are DDoS attacks happening on a regular basis.

          MyDoom only took out SCO because they had a DNS server on a T1 link. It did not come close to taking out Microsoft.

    • by Anonymous Coward on Tuesday February 10, 2004 @06:56AM (#8235885)
      Those that repeat truisms are also forced to repeat them.
    • by RAMMS+EIN (578166) on Tuesday February 10, 2004 @08:07AM (#8236121) Homepage Journal
      `` Those who forget history are doomed to repeat it...''

      And, as jonadab put it, ``those who do study history are doomed to watch in frustration as it is unwittingly repeated by those who do not''
    • by ArbiterOne (715233) on Tuesday February 10, 2004 @08:28AM (#8236196) Homepage
      Especially since saying "...leaving the DNS service alone..." is redundant. DNS = Domain Name Service. That's like saying Domain Name Service service. Or like saying PIN number... or ATM machine...
  • Outsourcing (Score:5, Funny)

    by Anonymous Coward on Tuesday February 10, 2004 @06:26AM (#8235744)
    You think we might be able to outsource VeriSign to India?
  • by ggvaidya (747058) on Tuesday February 10, 2004 @06:27AM (#8235751) Homepage Journal
    This is .org and .com! When does Verisign's lease expire? Can ICANN turn over the license to someone else?
    • Because people let them. If more people pointed to alternative [open-rsc.org] root servers [adns.net], they wouldn't have as much power.
      • by bartjan (197895) <bartjan@vrielink . n et> on Tuesday February 10, 2004 @07:12AM (#8235939) Homepage

        How would choosing an alternate root server fix brokenness in the .com and .net tld's?

        They still point to Verisign's gTLD-server.net's nameservers for the .com and .net domains, so using these alternate roots won't solve this problem.

        Of course, you could set up your own alternate .com or .net TLD. Good luck in getting the full and updated list of all registered .com and .net domains and their nameservers :)

      • by blorg (726186) on Tuesday February 10, 2004 @07:30AM (#8235992)
        Nice idea, but the domain system only really works if we all agree on a single set of authoritative root servers. Otherwise you are effectively introducing another level into the DNS - go to 'www.mydomain.com2' is not very useful if you also have to append instructions on how to change your DNS servers. I can just imagine the voiceover at the end of the radio ads - very fast, and in the style of 'terms and conditions apply'.
      • by Llarian (158700) on Tuesday February 10, 2004 @07:31AM (#8235997)
        As has been pointed out time and time again on NANOG and other operational mailing lists, DNS hijacking is still DNS hijacking, regardless of how noble the intent is.

        From an operations standpoint, the impacts of Sitefinder are unfortunately minimal now. Most of the major operational issues brought up when it was first released have been solved by either Verisign or by various application developers (ISC and other DNS developers) and are no longer an issue.

        While I and many other people involved in operations agree that Sitefinder is a horrible idea ethically, nobody is helping their case with histrionics and ad hominem attacks on Verisign's business practices, regardless of how true they are. All that does is give Verisign more fuel for their "technocratic elite" arguments in press releases.

        If you really want to fight this, tone down some of the passion and write to ICANN with legitimate concerns about the service and its effects. Crying foul about slimy business practices with no supporting evidence and a lot of sound and fury is a good way to make people who might be swayed agree with Verisign's claims of being attacked unjustly.
        • by zerocool^ (112121) on Tuesday February 10, 2004 @09:34AM (#8236551) Homepage Journal
          From an operations standpoint, the impacts of Sitefinder are unfortunately minimal now. Most of the major operational issues brought up when it was first released have been solved by either Verisign or by various application developers (ISC and other DNS developers) and are no longer an issue.


          Except for things like this:

          Option 1 -
          MailServer: "OK, you sent me mail from this domain, let's reverse look it up to see if it actually exists... nslookup domain... OK, so I'm gonna go ahead and reject that spam."

          Option 2 -
          MailServer: "OK, you sent me mail from this domain, let's reverse look it up to see if it actually exists... nslookup domain... OK, it exists, let's look it up by IP to make sure it actually is the domain you're from... nslookup IP... ok, I'm going to go ahead and reject this, and either stop sending spam, or configure your reverse zones".

          Option 3 -
          MailServer: "OK, you sent this, I'm going to check and see if you're valid... nslookup domain... nslookup IP... fantastic! Welcome to my humble abode, and don't worry about that mail, it's been taken care of".

          Or, with SiteFinder, Option 4 -
          MailServer: "I hate my life. Are you a valid domain? Yes? No? I don't care, I'm barely here. My existence is meaningless, my spirit is broken. I think I'm going to cat /dev/urandom to a file for a while."

          ~Will
      • by RAMMS+EIN (578166) on Tuesday February 10, 2004 @08:19AM (#8236159) Homepage Journal
        Would using alternative root servers also allow domains with just one part? E.g. slashdot instead of slashdot.org?

        I find the TLDs a bit silly, since the general purpose ones lost much of their meaning (commercial websites have .org or .net TLDs), they are confusing (is the site for this norwegian company .no or .com?), most sites will want to have .com anyway, as it is sort of the de facto standard one, etc. So why don't we just dispose of the TLD, and the hostname, and call the website slashdot instead of slashdot.org?
        • by blorg (726186) on Tuesday February 10, 2004 @09:14AM (#8236404)
          Unfortunately, or otherwise, they just couldn't get critical mass and folded when MS took them out of IE [searchenginewatch.com] (possibly because they wanted to emphasise MSN search instead).

          There are good reasons for a hierarchy. Control is devolved, rather than concentrated in a single body. Each country has control of their own TLD, (excepting those that have sold it off) and believe it or not outside the US they *are* used, particularly for local businesses. And so on to the following levels: a domain owner has the freedom to set up as many third-level subdomains as they like (smtp.mydomain.com, pop3.mydomain.com, etc.). I don't know how this would work with a single-word system.

          Anyway, many browsers *will* try .com on the end if you type in a single word, or you can just stick your favourite sites in your hosts file:

          66.35.250.150 slashdot

        • Because then you would have massive numbers of name collisions between names like foo.net and foo and foo.bar, etc.

          Furthermore, the administrative structure of DNS is also based on the hierarchy, and having a flat name system would cause all kinds of issues.

          This would also prevent the introduction of new TLDs for fear of a name collision with the TLD itself.

          *Finally*, why would we alias *.com to a TLD? Folks in, say, the UK, might prefer *.co.uk.

          If you want "slashdot" to resolve to "slashdot.org", you ca
    • by BiggerIsBetter (682164) on Tuesday February 10, 2004 @07:23AM (#8235973)
      If they go ahead with this, I suspect we will find out...

      On a similar note, how about an industry wide boycott of all Verisign certificates. The next round of certificate-extortion goes through someone else, and uninstall their root certs too - I'd hardly call them "trusted" after pulling this junk again.

      • On a similar note, how about an industry wide boycott of all Verisign certificates. The next round of certificate-extortion goes through someone else, and uninstall their root certs too - I'd hardly call them "trusted" after pulling this junk again.

        I agree with the general idea. A company who resorts to this kind of behavior is hardly someone that can be trusted. This mindset affects their DNS operations today. What other areas of their business are next?

        Having said that - who is a suitable sub (

  • When you type in a wrong address at the moment which doesn't exist, you are automatically taken to either a site search engine, which is pure crap.. or to the microsoft auto search.. (talking for users on School networks, with Windows terminals) which offers the option to use the great Hotmail (Spam Central), Shopping (at ridiculous prices, from the company which could afford to give us all we want free) etc.
    • When you type in a wrong address at the moment which doesn't exist, you are automatically taken to either a site search engine, which is pure crap.. or to the microsoft auto search.

      There's a difference. Microsoft only do it at the application layer, with a particular browser that they provide. If you don't like it (and I can't see why anyone would), you can always switch to one of the many [mozilla.org] alternatives [opera.com]. Verisign's site finder operates at the DNS level. It's not as if you can choose to not use DNS, or switch to another name service.

      • That is fair enough.. but what about those of us unfortunate enough to be on a school network where we can't install a single thing (not even Mozilla Firefox, bird whatever..) And where we can't access settings. The other point was that for home users, many of whom do not know how to use the configuration to turn off M$ autosearch, it is just as bad as the Verisign is.
        • The complete wrongness of the way Verisign are going about it aside, I don't see why getting a search engine when you enter an incorrect domain is a bad thing in your web browser. I'd argue it's a feature. Sure, it could be a bit better labeled, but it's not like you were going to see anything else of use, was it?
          • by blorg (726186) on Tuesday February 10, 2004 @07:22AM (#8235971)
            Getting a search engine is fine, if that's within my control. That's a good *browser* feature. And with a good browser, you can configure such a feature to go where you want it to, or just to give an error message (my personal preference). The problem with Verisign's approach is that there is nothing to tell the browser that there was no DNS record, so you no longer have the choice.
            • by TyrranzzX (617713) on Tuesday February 10, 2004 @08:28AM (#8236192) Journal
              I often ask myself "what would be the most elegant solution to this problem?". To this, I believe the best elegant solution would be to simply blacklist verisign on your routers and add a static route translating their ip address to one that won't route, like 255.255.255.255 or 192.168.1.1. You can also use ACLs to accomplish the same, or firewalls.

              As for error generation, if you've got DNS redirection on your router (like on my cisco I can tell it to take one DNS name and redirect it to another, or take one IP and redirect it to a DNS name), you can redirect the DNS name to a fictional one, like

              "www.this.dns.name.doesn't.exist.net.com.org.bleg. ARGH"

              For those of you who don't have pretty routers, use the windows hosts file to do the same with DNS and IP redirection on your boxen.

              I've got a feeling that if enough admins and ISPs blacklist their domain, they'll either get the message, or start trying to change IPs and whatnot. In which case I believe ICANN will get real pissed at them dodging our blacklist for business.
          • by TEB_78 (748262) on Tuesday February 10, 2004 @07:35AM (#8236012)
            And as I understand it, some anti-spam programs do a lookup on the sender's hostname to see if it's a valid hostname. If the lookup returns an error (not found) they send the mail directly to the trash.
            But with this service you will always get a hit. Which in turn renders this anti-spam program ineffective.
            Of course you could use another anti-spam tool, but this stops a lot of spam with fake hostnames.
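The sender-domain check described in the comments above (reject mail whose domain does not resolve), made wildcard-aware, as an added example that is not from any poster in this thread: it probes the TLD with random labels and treats any address handed out for those as "does not exist". The resolver functions, the 192.0.2.10 wildcard address and the sample domains are constructed for illustration, and only A-record lookups are assumed.

```python
import secrets
import socket
from typing import Callable, Optional, Set

# A resolver maps a hostname to a set of IPv4 strings, or None when it does not resolve.
Resolver = Callable[[str], Optional[Set[str]]]


def system_resolver(name: str) -> Optional[Set[str]]:
    """Resolve through the OS stub resolver; any lookup failure counts as 'no such name'."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return None
    return {info[4][0] for info in infos}


def naive_exists(domain: str, resolve: Resolver) -> bool:
    """The check the thread describes: the domain exists if the lookup returns anything."""
    return resolve(domain) is not None


def wildcard_addresses(tld: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Addresses the TLD returns for names that cannot plausibly be registered.

    Each probe is a random 32-hex-character label. If even one probe fails to
    resolve, the TLD is answering honestly and the result is the empty set.
    Otherwise the union of all probe answers is returned, which also covers a
    registry that rotates between several wildcard addresses.
    """
    seen: Set[str] = set()
    for _ in range(probes):
        answer = resolve(f"{secrets.token_hex(16)}.{tld}")
        if not answer:
            return set()
        seen |= answer
    return seen


def sender_domain_exists(domain: str, resolve: Resolver, probes: int = 3) -> bool:
    """Wildcard-aware existence check for a mail sender's domain."""
    addrs = resolve(domain)
    if not addrs:
        return False
    tld = domain.rstrip(".").rsplit(".", 1)[-1]
    synthetic = wildcard_addresses(tld, resolve, probes)
    # A domain whose every address is a wildcard address cannot be told apart
    # from an unregistered one, so it is treated as nonexistent.
    return not addrs <= synthetic


# Constructed test doubles: 192.0.2.10 (TEST-NET-1) stands in for the wildcard target.
WILDCARD_IP = "192.0.2.10"
REGISTERED = {"example.com": {"198.51.100.25"}}


def honest_registry(name: str) -> Optional[Set[str]]:
    """Constructed resolver: unregistered names do not resolve."""
    return REGISTERED.get(name)


def wildcarded_registry(name: str) -> Optional[Set[str]]:
    """Constructed resolver: every unregistered .com/.net name gets the wildcard IP."""
    if name in REGISTERED:
        return REGISTERED[name]
    if name.endswith((".com", ".net")):
        return {WILDCARD_IP}
    return None


if __name__ == "__main__":
    for label, resolver in (("honest", honest_registry), ("wildcarded", wildcarded_registry)):
        for sender in ("example.com", "no-such-sender.com"):
            print(label, sender,
                  "naive:", naive_exists(sender, resolver),
                  "wildcard-aware:", sender_domain_exists(sender, resolver))
```

Pass `system_resolver` in place of the constructed resolvers to run the same check against live DNS.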
          • by jimhill (7277) on Tuesday February 10, 2004 @07:51AM (#8236063) Homepage
            You do know that there's a lot more to the Net than the Web, right? And that having a website returned instead of the spec-ordered "No such domain" when you're using a different Net scheme (like email, or chat, or good ol' gopher) is fundamentally Wrong. If the Web were a distinct thing that had its own DNS then I doubt many would be grousing, save those whose profits just got diverted into VeriSlime's ShiteFinder pockets.

            ObInsult: Ya Jughead!
            • You do know that there's a lot more to the Net than the Web, right? And that having a website returned instead of the spec-ordered "No such domain" when you're using a different Net scheme (like email, or chat, or good ol' gopher) is fundamentally Wrong

              It's not returning a web page, though. Your DNS resolver asks for, and receives, the numerical address to which the domain name is bound. Now, the fact that it's your browser using the resolver means that your browser goes out and retrieves a web page u

        • by AllUsernamesAreGone (688381) on Tuesday February 10, 2004 @07:53AM (#8236070)
          ... where we can't install a single thing

          If you can save files somewhere (most schools give you space on a central fileserver) then you can install Fire.* - download to filespace, unpack, run program. No full-blown Windows Installer access required.

          And you're looking at the issue from the wrong perspective. Most admins couldn't care less what home users see when they type in the wrong URL: a search engine is a good as anything and probably the right thing to do for most people. What they do object to is the fact that wildcard DNS resolution breaks a lot of things end users never see but admins have to deal with on a daily basis - the resolution failure should be handled by the browser, not at the DNS level where there are times when you want a name that doesn't exist to not resolve.
      • It's not as if you can choose to not use DNS

        Actually, you can. But Slashdot would be awkward when called "66.35.250.150, news for nerds, stuff that matters" instead...

    • by ggvaidya (747058) on Tuesday February 10, 2004 @06:33AM (#8235777) Homepage Journal
      And firebird^H^H^H^Hfox does it for google ... it could be argued that's even worse than Microsoft, since there you get shot off on an I'm Feeling Lucky, while microsoft gives you a list of close matches and lets you choose one. I've had too many times when I mistyped a URL, got shot off to another page entirely, and then had to go back and do a "google URL" to find what I was looking for.

      Also, M$'s way sends you back to a Microsoft page - which is expected, since MS has a search service (along with one copy of every single other web application). But Mozilla choose Google fairly arbitrarily - why not use Yahoo? Or Wikipedia? And anyone who argues "it's the #1 search option" gets a free copy of IE, the #1 browser, from your good friends at Monopolysoft ;)
      • by infront314 (598911) on Tuesday February 10, 2004 @07:00AM (#8235898)

        You can change the url to anything you like.

        Just do a about:config and change the keyword.URL setting.

        I set mine to http://www.google.com/search?btnG=Google+Search&q= which is a regular Google search.

      • And firebird^H^H^H^Hfox does it for google ...

        Are you sure?

        I just tried a domain name that doesn't exist, and instead of being taken to Google or any other place, I saw a "www.randomdomainname.org not found" dialog box instead. It doesn't even give me an option to feed it to a search engine from there.

        IIRC, IE will take you immediately to a search engine without displaying any error message. This is the annoying and broken behaviour that the OP was talking about.

        Perhaps you've installed a plug-in or extension that is doing this?

        Also, M$'s way sends you back to a Microsoft page - which is expected

        No, it isn't. I expect it to say "domain name not found". End of story.

        • by nmg196 (184961) on Tuesday February 10, 2004 @08:44AM (#8236252)
          IIRC, IE will take you immediately to a search engine without displaying any error message. This is the annoying and broken behaviour that the OP was talking about.

          You recall incorrectly. If you type in a proper domain name, IE will just give you a "This page cannot be displayed - Cannot find server or DNS Error". It only tries to do a search if you type in non domain name type expressions. eg a phrase with spaces or a single word without any dots in it which doesn't match a local host.

          I expect it to say "domain name not found". End of story.

          That's exactly what it does say! Why do people keep confusing what happens if you type in *words*, with what happens if you type in a *domain*?

          Please *try* these things before posting misleading rubbish that will only spark further trollish messages.

          (I have tried all of the above in IE6)
    • True, but that is a browser thing. It doesn't break well-written applications that don't use MSIE (isn't that redundant?), and doesn't affect Linux/Mac users at all. This, on the other hand breaks applications through no fault of the original developers, forces ads down ppls throats with no means of changing it, and exploits a publicly trusted position.
    • by gowen (141411) <gwowen@gmail.com> on Tuesday February 10, 2004 @06:36AM (#8235796) Homepage Journal
      When you type in a wrong address at the moment which doesn't exist, you are automatically taken to either a site search engine, which is pure crap
      That's on the Web.

      But DNS is used for more than web look ups. If DNS returns spurious results for gethostbyname(), a typo in a SSH command, or nntp request will be seriously bjorked.

      I've no problem with Firefox (or IE) sending me to a search engine when I try to connect to a typo-ed web page: this is a reasonable policy to set at the application level
    • That's a different issue entirely. Having a *browser* point you to a search engine is all well and good. You can modify this behaviour to suit yourself. But if the *internet* starts doing this stuff for you... well, it's not a pretty picture.
    • I believe that Microsoft's use of redirection on bad domains would also fail by Verisign's actions.
      I am sure, Microsoft wouldn't like that :)

      Imagine a dispute between MS and Verisign. Kind of Dr. Evil Versus Minime.

    • Yes, but that is only when you browse the web. When you mistype the address into anything else than a web browser (email address, ssh connection, ftp, vpn, ntp, Z39.50, any private protocol), the program is supposed to receive an error message, and handle it in some meaningful way. Instead the broken DNS gives you a sitefinder address, and your program tries to contact that. Most likely it will time out (in a few seconds), and report to the user that the server he wanted to contact is down. This causes lots
    • When you type in a wrong address at the moment which doesn't exist, you are automatically taken to either a site search engine, which is pure crap.. or to the microsoft auto search [...]

      Or you can just use the Microsoft created and provided TweakUI to change this to go whatever page or search engine you desire. The key is it's user-controlled (heck they can just use another browser), not a change to the core system as this Verisign shenanigans is.
  • You would think... (Score:4, Interesting)

    by TehHustler (709893) on Tuesday February 10, 2004 @06:28AM (#8235756) Homepage
    ...that they would learn from past mistakes. But no, of course not.

    The problem is, are ICANN going to back down this time and let it slide, or are they going to continue to give Verisign hell over this, and pressure them, as they should definitely do?

    Are we likely to see another backlash from users and network admins?

    And will there be the same sort of media coverage that basically gave Verisign quite a bad bit of PR for 2 weeks.

    It seems like they have sneaked this out again with the minimal amount of fanfare in an attempt to try and stifle the opposition, but when you have so many people mistyping domains everyday, you can't really expect it to go unnoticed and not to piss people off.
    • by ivan37 (149147) on Tuesday February 10, 2004 @06:50AM (#8235864)
      There will be another backlash although obviously to a lesser extent. The biggest backlash will come from admins who will once again blacklist the corresponding Site Finder IP.

      The fun will start when Verisign starts not liking large ISPs blocking their users from accessing Site Finder and initiate a cat-and-mouse game of having Site Finder resolve to a ton of different changing IPs that the admins will have to keep up with.
      • by gclef (96311) on Tuesday February 10, 2004 @07:51AM (#8236060)
        Actually, rather than ban the SiteFinder IP, ISPs will probably just accelerate their plans to move to bind 9.2.3, so they can use the "delegation-only" option, which solves the problem once and for all.

        If you just ban the SiteFinder IP, Verisign can move it..and then you're just playing whack-a-mole. If you mark .com and .net as delegation-only zones, then bind will drop the SiteFinder responses as invalid, no matter what IP Verisign responds with.
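How a resolver applies the delegation-only rule gclef describes, as an added Python model (not BIND's code and not from the thread): inside a delegation-only zone, a response whose authority section carries no NS delegation for a child name is turned into NXDOMAIN, and the zone apex is left alone. The `Response` type, the function names and the sample records are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


@dataclass
class Response:
    rcode: str
    answer: List[Record] = field(default_factory=list)
    authority: List[Record] = field(default_factory=list)


def norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_below(name: str, zone: str) -> bool:
    """True when name is a proper subdomain of zone (the apex itself is not)."""
    name, zone = norm(name), norm(zone)
    return name != zone and name.endswith("." + zone)


def has_delegation(resp: Response, qname: str, zone: str) -> bool:
    """Does the authority section delegate a child of zone that covers qname?"""
    q = norm(qname)
    for owner, rtype, _rdata in resp.authority:
        child = norm(owner)
        if rtype == "NS" and is_below(child, zone) and (q == child or q.endswith("." + child)):
            return True
    return False


def enforce_delegation_only(resp: Response, qname: str, zone: str) -> Response:
    """Model of the filter: no delegation for a name below the zone means NXDOMAIN."""
    if not is_below(qname, zone):      # apex or a name outside the zone: untouched
        return resp
    if resp.rcode != "NOERROR":        # already an error, nothing to rewrite
        return resp
    if has_delegation(resp, qname, zone):
        return resp
    return Response(rcode="NXDOMAIN")  # synthesized answer is discarded


# Constructed samples. 192.0.2.10 (TEST-NET-1) stands in for a wildcard target.
REFERRAL = Response(
    "NOERROR",
    authority=[("example.com", "NS", "ns1.example.com")],
)
SYNTHESIZED = Response(
    "NOERROR",
    answer=[("no-such-name.com", "A", "192.0.2.10")],
    authority=[("com", "NS", "a.gtld-servers.net")],
)
APEX = Response("NOERROR", answer=[("com", "NS", "a.gtld-servers.net")])


if __name__ == "__main__":
    cases = (("www.example.com", REFERRAL),
             ("no-such-name.com", SYNTHESIZED),
             ("com", APEX))
    for qname, resp in cases:
        print(qname, "->", enforce_delegation_only(resp, qname, "com").rcode)
```

Because the filter keys on the shape of the response rather than on any address, it keeps working when the wildcard target moves, which is the point made above about whack-a-mole.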
        • by morganew (194299) *
          Pretty sure that VeriSign no longer uses BIND.

          [snippet from VeriSign website]

          Server Software
          VeriSign runs special name server software tuned to the requirements of authoritative name servers rather than recursive name servers. With this software, the VeriSign name servers boast exceptional performance, sustaining query rates an order of magnitude greater than the performance of a standard BIND name server.

          VeriSign name servers support the latest DNS protocol enhancements to insure maximum security, featu
          • Pretty sure that VeriSign no longer uses BIND.

            It doesn't matter what Verisign uses, your ISP (or you if you're running your DNS) configures your local DNS server with the option which prohibits types other than delegation records in the .com and .net zones. Verisign could be running Microsoft's DNS server for all we care as long as it talks the standard DNS protocols.

    • by blorg (726186) on Tuesday February 10, 2004 @07:51AM (#8236061)
      Verisign only operate .com and .net under contract from ICANN. Surely they can be prevented from relaunching Sitefinder under purely contractual grounds - previously ICANN was much against Sitefinder and threatened to sue [icannwatch.org], quoting breach of contract [icann.org]:

      "The contractual inconsistencies include, violation of the Code of Conduct and equal access obligations agreed to by VeriSign, failure to comply with the obligation to act as a neutral registry service provider, failure to comply with the Registry-Registrar Protocol, failure to comply with domain registration limitations, and provision of an unauthorized Registry Service."

    • by orthogonal (588627) on Tuesday February 10, 2004 @08:30AM (#8236204) Journal
      ...that they would learn from past mistakes. But no, of course not.

      They have.

      What they've learned is that outrage, like everything else, is a limited quantity.

      You and I can't afford to spend eight hours a day, five days a week to watch and warn against Verisign.

      We have other things to worry about: Belkin using routers to spam, New York's Livingston County Social Services Commission letting confidential data get posted on the web, John Ashcroft eviscerating the Bill of Rights.

      But Verisign can trigger our outrage the first time around, back down in the face of our massed complaints, and then, like a spider in its hole, wait patiently until the time is ripe to strike again.

      Just like the Department of Justice and the proposed "Patriot II" law; they withdrew it after furious opposition, wait a while, and then got key provisions passed after everyone had relaxed.

      Verisign is banking that each time around, there'll be a few less people able or willing to work up any outrage, until only a small minority objects -- a small minority that can be derided with a dismissive comment about "tin foil hats".

      This is why we need organizations like the EFF and EPIC (and the ACLU): so that we have someone in our corner who, like a Verisign employee, is paid five days a week to watch for and counter these outrages.

  • by ralmeida (106461) on Tuesday February 10, 2004 @06:29AM (#8235759) Homepage

    'Site Finder was not controversial with users'

    It wasn't controversial at all. Everybody agreed it was a bad idea.

  • Mirror (Score:5, Informative)

    by Ddalex (647089) on Tuesday February 10, 2004 @06:31AM (#8235767)
    Fast mirror here [mirroredby.go.ro]. Enjoy the Net exploitation!
  • the sooner (Score:5, Interesting)

    by narkotix (576944) on Tuesday February 10, 2004 @06:33AM (#8235776)
    they take .com and .net out of verisign's hands the better. It's just unfortunate that this will misinform new people AND generate more needless traffic because of the returned page. Did the search page ever have preferences to certain websites? or was it truly independent? If i typed in server software would it bring up xxx penis extensions because some idiot put in metatags or would it bring up true results?
  • by Channard (693317) on Tuesday February 10, 2004 @06:35AM (#8235791) Journal
    'Site Finder was not controversial with users'

    And in other news, the US forces were crushed in Iraq, Mars Beagle did not go missing and has been transmitting pictures for many days, and these aren't the droids you're looking for.

  • MyDoom.D (Score:2, Funny)

    by dew-genen-ny (617738)

    And in other news, techno soothsayers predict that verisign is going to be the target of a large DDos attack in the near future......
  • by daem0n1x (748565) on Tuesday February 10, 2004 @06:39AM (#8235807)
    That's what we get by having corporations managing the Internet infrastructure instead of a public service. Some people talk about censorship, but if the corporations actually have the nerve to do something like this, how long does it take until censorship sets in?
  • The full paragraph from the internal Verisign report reads:

    "Studies in Outer Mongolia showed that our Site Finder service was not controversial with users of the Trans-Himalaya Yak Courier Service. Everyone else on the planet, including Arawoyo Pnu (34) from Upper Amazonia, found the service both useless and obnoxious. We therefore recommend renaming the Site Finder service to 'Yak Finder' in order to better exploit the Outer Mongolian market."
  • The main tenet of Nazi propaganda was that the public is more likely to believe a big lie than a small one.

    Seems to be a philosophy the PR flacks for VeriSign and SCO subscribe to wholeheartedly.

    "You have to license your Linux installation from us." "Everybody likes Sitefinder." "I was singing in a church choir in Cucamonga when the murder happened." "I won't cum in your mouth."

    Sheesh.

  • by Anonymous Coward
    God will roast ICANN stomachs in hell at the hands of Verisign.

    I can say, and I am responsible for what I am saying, that they have started to commit suicide behind our firewalls. We will welcome them with bullets and shoes.

  • by Anonymous Coward
    "Site Finder was not controversial with users, 84 percent of whom said they liked it as a helpful navigation service,.."

    Hmm, I wonder how they selected those users ?

    Something like this ?

    Are you running Windows, Mydoom, Kazaa, and you don't care about privacy or legal issues ? Have we got a poll for you !
    • Re:VeriSign Poll (Score:3, Insightful)

      by beuges (613130)
      I know you were trolling, but anyways...

      Actually, it makes sense to me that 84% of _users_ would not find it controversial, because typically, users wouldn't know or care about the implications that this will have behind the scenes. Now if Verisign was to quote the percentage of developers, administrators, and people who actually know what a bad thing this is, you'd have a more realistic figure.
  • by mr_walrus (410770) on Tuesday February 10, 2004 @06:50AM (#8235863)
    can someone be blamed for doing a denial of service
    to a site that Does Not Exist ?

    how about some scripts to pump out requests to a fairly
    limited set of known to be Non-Existent domains...

    could this possibly cause an interesting burden on Verishit's servers?

    would the name lookups themselves affect DNS too badly to
    cause innocent collateral damage? i'd hope caching of a limited
    set of non-existent names would avoid much dns load.

    just curious, academic musing and all that...
    • by ColourlessGreenIdeas (711076) on Tuesday February 10, 2004 @07:03AM (#8235911)
      Last time they were accepting emails to non-existent domains too. If everyone makes sure they have lots of web pages with long lists of email addresses in nonexistent domains then the spammers will spend a significant fraction of their bandwidth DOSing verisign instead of hassling the rest of us.

      In your idea, remember to get the script to follow all the paid-for links. The advertisers will have to pay for the hit, and will soon realise they're getting bad value for money. And you can still identify site-finder DNS entries easily, so you could just mis-spell random real web sites and see if they point to site-finder.
  • Contact Verisign. (Score:5, Informative)

    by MooKore 2004 (737557) on Tuesday February 10, 2004 @06:51AM (#8235867) Homepage Journal
    All slashdotters, especially people that were seriously affected by sitefinder, please complain NOW. [verisign.com] Let them know how controversial it is!
  • Troubleshooting (Score:3, Interesting)

    by justinmc (710870) on Tuesday February 10, 2004 @06:54AM (#8235879)
    I don't know about you guys, but this made troubleshooting a pain for me.

    Me: you are not able to access the server?

    User: But I can ping it???

    Me: Is it giving back (Sitefinder IP - can't remember it)

    User: Yes - it is responding, why can't I access it????

    Me: Well you see, DNS works by...

    User: I don't care, fix it

    Me: But........
  • Galvin said that the continued opposition stems from "an ideological belief by a narrow section of the technological community who don't believe you should innovate the core infrastructure of the Internet."

    In our recent article a number of mistakes slipped past our content review processes. In this case "destroy" was incorrectly spelled "innovate". Also "ideological" clearly was meant to be "correct". Likewise "narrow section" appeared instead of "all".

    We apologise for these errors and any confusion they might have caused.

  • by Tom (822) on Tuesday February 10, 2004 @07:24AM (#8235980) Homepage Journal
    "Site Finder was not controversial with users"

    Hm, let's see:

    a) Right. It just was extremely controversial with those who didn't use it (i.e. everyone else, like 99% of the Internet users)

    b) Right, it wasn't controversial. Everyone agreed that it's a bloody fucking stupid thing.

    c) Right, it wasn't the Sitefinder page itself that we all hated, it was Verisign's "bend over, here we come" attitude of forcing it on everyone, whether they wanted to or not.

    Now that's three ways how he's saying the truth. Can't really argue with that, can you?
  • 60 to 90 DAYS (Score:4, Insightful)

    by RAMMS+EIN (578166) on Tuesday February 10, 2004 @08:05AM (#8236113) Homepage Journal
    60 to 90 days to patch every network utility out there to work around the DNS breakage. ROFL.

    Oh, wait, that's NOT funny.
  • by etherkill (621738) on Tuesday February 10, 2004 @08:31AM (#8236210)
    I'm with the general consensus who feel that this is a 'very bad thing'. However - ICANN made a big mistake in announcing it would undertake 'reviews'.

    They should have simply given a big fat NO to Verisign's Sitefinder in the first place.

    Leaving the subject open for discussion was a big mistake, IMHO.

  • Let them. (Score:5, Interesting)

    by Stormbringer (3643) on Tuesday February 10, 2004 @08:31AM (#8236211)
    The annoyance factor and the outrage will be big pushes for the OpenDNS idea, especially once the cc people wise up and get on board to stop the extortion.

    Maybe ICANN won't notice as everybody migrates away from their little empire of root servers until everybody's already used to the idea; that will eliminate the 'single point of political failure'.

    Verisign is busy proving all over again what FLOSS has been demonstrating: when it comes to the Internet, the only people you can trust are everybody.
  • Mihh (Score:5, Insightful)

    by BenBenBen (249969) on Tuesday February 10, 2004 @08:43AM (#8236250)
    Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.
    So, to paraphrase, it'll be hard to convince the public that SiteFinder is any good, because the people who say it's useless and buggers up the internet know what they're talking about.

    I *heart* corporate thinking.
  • by RGautier (749908) on Tuesday February 10, 2004 @08:48AM (#8236270) Homepage
    The Internet is a connected suite of protocols that work off of a similar top layer of technology, permitting multiple types of information transfer. Granted, the WWW, being the kick-ass application it is, is a very large part of this. However, what people ALWAYS fail to realize is that Electronic Mail, FTP, SSH, Telnet, Internet Gaming, X-Windows, ICQ, AIM, and every other Internet program under the sun utilizes DNS to try to get where it's going. When Verisign turns on its crappy service, what happens is that every OTHER program that relies on host names will be SCREWED UP. Why? Because instead of an error message that says you are trying to access a host that doesn't exist, you'll get a message that is much more similar to the fact that the host is unavailable! That means when you send an email message to dumbshit@verisiggn.com by mistake, instead of getting a response back immediately that you typed in a bad address, your message will sit in a queue for 3 days, and then you'll get an error message saying that your recipient couldn't be reached. This will cause you to contact your system administrator, and waste hours of his time, and time at other remote administrators because no one will catch the typo until after they've exhausted all the possible reasons your mail systems cannot talk to each other. System Admins RELY on error messages that make sense. When those are absent, answering user questions of 'It doesn't work - fix it' is VERY VERY DIFFICULT. This message is just for those of you who appear to not have a clue just how much frustration this causes, and who think that this makes even a modicum of sense to do.
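Added example, not part of the comment above and not any resolver's own code: the comment's point is that a wildcard answer replaces the NXDOMAIN error that mail and other software depend on. The sketch parses DNS responses, learns the wildcard address from probes of names that should not exist, and maps wildcard-only answers back to NXDOMAIN. The probe names, the documentation-range addresses and the mapping policy are assumptions made for illustration.

```python
import struct
NOERROR, NXDOMAIN = 0, 3

def build_response(name, rcode, addrs=()):
    """Constructed sample data: a minimal DNS response to an A query."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 900, 4) + bytes(map(int, a.split(".")))
        for a in addrs)
    return header + qname + struct.pack("!HH", 1, 1) + answers

def skip_name(pkt, pos):
    """Step over a possibly compressed domain name; return the next offset."""
    while True:
        n = pkt[pos]
        if n & 0xC0 == 0xC0:        # compression pointer ends the name
            return pos + 2
        if n == 0:                  # root label ends the name
            return pos + 1
        pos += 1 + n

def parse_response(pkt):
    """Return (rcode, set of A-record addresses) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(pkt, pos) + 4          # QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        pos = skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(".".join(map(str, pkt[pos:pos + 4])))
        pos += rdlen
    return flags & 0x000F, addrs

def wildcard_addresses(probe_packets):
    """Addresses returned for every probe of a name that should not exist."""
    results = [parse_response(p) for p in probe_packets]
    if not results or any(rc != NOERROR or not a for rc, a in results):
        return set()
    return set.intersection(*(a for _, a in results))

def effective_rcode(pkt, wildcard):
    """Assumed policy: an answer made only of wildcard addresses means NXDOMAIN."""
    rcode, addrs = parse_response(pkt)
    return NXDOMAIN if (rcode == NOERROR and addrs and addrs <= wildcard) else rcode
```

A real host that happens to share the wildcard address would also be reported as nonexistent under this policy, so the mapping is only safe when the wildcard target serves nothing else.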
  • by ReadParse (38517) <john@@@funnycow...com> on Tuesday February 10, 2004 @08:51AM (#8236281) Homepage
    Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.

    Come again? Since when are "highly regarded technologists" given a second thought by the average user? Their thinking is...

    "Let's see... www dot... oh, I hate these computers... where's the g? hootmaail.como... there! Wait, that's not my mail. This is... uh... oh yeah, silly me. I spelled it wrong. Yes, that's the one I want... I'll that... wait... online dry cleaning... I need THAT."

    And that is the END of the thought process. They don't think about whether or not it's a helpful service unless a surveyor puts a gun to their head and makes them commit one way or the other. They certainly don't think about asking the "highly regarded technologists".
  • by hqm (49964) on Tuesday February 10, 2004 @09:09AM (#8236385)
    There is an interview with Stratton Sclavos, CEO of Verisign, at http://news.com.com/2008-7347-5092590.html.

    Sclavos: The reason Site Finder became such a lightning rod is that it goes to the question of are we going to be in a position to do innovation on this infrastructure or are we going to be locked into obsolete thinking that the DNS was never intended to do anything other than what it was originally supposed to do?

    Q: Still, a lot of people in the Internet community were quite surprised by Site Finder--and then you had complaints surfacing that it was not complying to approved standards.

    Sclavos: Let's break the argument down: The claim that Site Finder was nonstandard and that we should have informed the community we were doing something nonstandard--excuse me: Site Finder is completely standards-compliant to standards that have been out and published by the IETF (Internet Engineering Task Force) for years. That's just a misnomer. The IAB (Internet Architecture Board) in its review of Site Finder said the very same thing--that VeriSign was adhering to standards.

    His definition of "standards-compliant" is a cynical and deceptive one. Sure, the SiteFinder is complying with the standard, in that it is returning well formatted packets. However the content of those packets are lies. They are lying by saying that domains exist when they do not, in order to fool web browsers into loading the commercial content that Verisign wants to get to web surfers.

    It is analogous to saying that if I put a detour sign in the middle of the freeway to direct traffic to my shopping mall, that I am obeying the traffic sign protocols.

    The comment about "ninety-nine percent of the traffic is pure HTTP" is a shorthand way to sum up why it is not possible to communicate with Verisign's executives, and why they must be stopped and soon.

    Because it wouldn't matter if one hundred percent of the traffic on the internet were HTTP, it still is not a reason to break DNS in order to insert advertising. The "service" they claim to be providing should be provided by the browsers, giving everyone a chance to implement their own solution to the problem of mistyped domain names. Then many possible solutions to this issue can be innovated. By breaking DNS to lie about the existence of domain names, they actually prevent anybody else from providing any solution. This is the exact opposite of innovation. And they are smart people at Verisign, they clearly and obviously know all this, and yet they are lying to everyone about it. And that, in a nutshell is what makes me more furious about this than any other Internet legal issue has in a long long time, maybe ever, or at least since Network Solutions took the .com database offline and made it their own private property.

    There was a story I heard once, about a company (Novell ?) which implemented their own file transfer protocol over the network. They did not use exponential backoff on retransmit, which made their protocol look much faster than TCP/IP. It would in fact hog all the bandwidth, bumping out all the more polite and well behaved protocols. This was great for them, but in fact as the network approached saturation, the system would fail catastrophically, for reasons obvious to Internet protocol designers.

    At some meta-level, this is what is happening to the Internet itself now. Verisign is itself like the bad protocol, which does not play well with others. It is taking advantage of an opportunity which gives it a short term advantage, while degrading the entire network protocol infrastructure.

    • I've worked with file transfer protocols that didn't use backoff. However they required someone configure the maximum bandwidth they could use, and assumed a leased line. Sure you were running over IP, but you had dedicated bandwidth.

      In the case of high latency links (think geosynchronous satellites) the standard TCP implementations do not have a big enough window to saturate a link. If you bought a link with guaranteed bandwidth with an application in mind that needed that much, you need to write your

  • by clickety6 (141178) on Tuesday February 10, 2004 @10:02AM (#8236748)
    Everybody knows what to expect when you mistype a DNS name - pages of porn!

  • by kindbud (90044) on Tuesday February 10, 2004 @10:32AM (#8236990) Homepage
    I say no. That the core is dumb is one of the reasons the internet is available to everyone. That the core is dumb is one of the reasons it is so resilient. That the core is dumb is the reason we can assign stewardship - not ownership - to Verisign, and yank it away from them when they misstep.

    Keep the core dumb. No innovation is necessary or wanted.
  • Sitefinder is like discovering your receptionist has decided to redirect all wrong phone numbers to her cousin's "dial-a-psychic" service, and the janitor's been putting ads for his brother's body shop on everyone's desk.

    Verisign doesn't own the "product" they're selling, they're just operating it for ICANN. This is no more a legitimate business than, oh, the original Napster was.
