Verisign Considers Restarting Sitefinder

Rosco P. Coltrane writes "The Washington Post reports that VeriSign is considering reviving its infamous search engine. 'Site Finder was not controversial with users' says VeriSign's Tom Galvin, and VeriSign 'assured ICANN that it would give 60 to 90 days' warning to resolve any remaining technological problems.' Such as leaving the DNS service alone for example?"

Proof that some people never learn

[Quizo69]

Those who forget history are doomed to repeat it...

Re:Proof that some people never learn

[xpurple]

If it is put back in place, then the backlash will no doubt force them to take it down again.

It's just the way things go.

Re:And microsoft does this anyway to all windows u

[ggvaidya]

And firebird^H^H^H^Hfox does it for google ... it could be argued that's even worse than Microsoft, since there you get shot off on an I'm Feeling Lucky, while microsoft gives you a list of close matches and lets you choose one. I've had too many times when I mistyped a URL, got shot off to another page entirely, and then had to go back and do a "google URL" to find what I was looking for.

Also, M$'s way sends you back to a Microsoft page - which is expected, since MS has a search service (along with one copy of every single other web application). But Mozilla choose Google fairly arbitrarily - why not use Yahoo? Or Wikipedia? And anyone who argues "it's the #1 search option" gets a free copy of IE, the #1 browser, from your good friends at Monopolysoft ;)

Re:And microsoft does this anyway to all windows u

[Anonymous Coward]

At least what microsoft does affects the operation of one specific browser, the Microsoft Internet Explorer. And yes, Microsoft gives you the ability to change this behavior from the Advanced Tab of the Internet Settings by Choosing "Do not Search from the Address Bar".

On the other hand, what Verisign does, affects the operation of any application that relies on DNS to connect anywhere.

Re:And microsoft does this anyway to all windows u

[cgranade]

True, but that is a browser thing. It doesn't break well-written applications that don't use MSIE (isn't that redundant?), and doesn't affect Linux/Mac users at all. This, on the other hand breaks applications through no fault of the original developers, forces ads down ppls throats with no means of changing it, and exploits a publicly trusted position.

Re:And microsoft does this anyway to all windows u

[gowen]

When you type in a wrong address at the moment which doesn't exist, you are automatically taken to either a site search engine, which is pure crap

Thats on the Web.

But DNS is used for more than web look ups. If DNS returns spurious results for gethostbyname(), a typo in a SSH command, or nntp request will be seriously bjorked.

I've no problem with Firefox (or IE) sending me to a search engine when I try to connect to a typo-ed web page: this is a reasonable policy to set at the application level

That's what we get with corporations

[daem0n1x]

That's what we get by having corporations managing the Internet infraestructure instead of a public service. Some people talk about censorship, but if the corporations actually have the nerve to do something like this, whow long does it take until censorship sets in?

Re:You would think...

[ivan37]

There will be another backlash although obviously to a lesser extent. The biggest backlash will come from admins who will once again blacklist the corresponding Site Finder IP.

The fun will start when Verisign starts not liking large ISPs blocking their users from accessing Site Finder and initiate a cat-and-mouse game of having Site Finder resolve to a ton of different changing IPs that the admins will have to keep up with.

An extension of this idea

[ColourlessGreenIdeas]

Last time they were accepting emails to non-existant domains too. If everyone makes sure they have lots of web pages with long lists of email addresses in nonexistant domains then the spammers will spend a significant fraction of their bandwidth DOSing verisign instead of hassling the rest of us.

In your idea, remember to get the script to follow all the paid-for links. The advertisers will have to pay for the hit, and will soon realise they're getting bad value for money. And you can still identiy site-finder DNS entries easily, so you could just mis-spell random real web sites and see if they point to site-finder.

Re:Why is a profit-company in such a central role?

[bartjan]

How would choosing an alternate root server fix brokenness in the .com and .net tld's?

They still point to Verisign's gTLD-server.net's nameservers for the .com and .net domains, so using these alternate roots won't solve this problem.

Of course, you could set up your own alternate .com or .net TLD. Good luck in getting the full and updated list of all registered .com and .net domains and their nameservers :)

Fine, if it's within your control

[blorg]

Getting a search engine is fine, if that's within my control. That's a good *browser* feature. And with a good browser, you can configure such a feature to go where you want it to, or just to give an error message (my personal preference). The problem with Verisign's approach is that there is nothing to tell the browser that there was no DNS record, so you no longer have the choice.

DNS only works well with single authoritative root

[blorg]

Nice idea, but the domain system only really works if we all agree on a single set of authoritative root servers. Otherwise you are effectively introducing another level into the DNS - go to 'www.mydomain.com2' is not very useful if you also have to append instructions on how to change your DNS servers. I can just imagine the voiceover at the end of the radio ads - very fast, and in the style of 'terms and conditions apply'.

Re:Why is a profit-company in such a central role?

[Llarian]

As has been pointed out time and time again on NANOG and other operational mailing lists, DNS hijacking is still DNS hijacking, regardless of how noble the intent is.

From an operations standpoint, the impacts of Sitefinder are unfortunatly minimal now. Most of the major operational issues brought up when it was first released have been solved by either Verisign or by various application developers (ISC and other DNS developers) and are no longer an issue.

While I and many other people involved in operations agree that Sitefinder is a horrible idea ethically, nobody is helping their case with histronics and ad hominem attacks on Verisign's business practices, regardless of how true they are. All that does is gives Verisign more fuel for their "technocratic elite" arguments in press releases.

If you really want to fight this, tone down some of the passion and write to ICANN with legitimate concerns about the service and its effects. Crying foul about slimy business practices with no supporting evidence and a lot of sound and fury is a good way to make people who might be swayed agree with Verisign's claims of being attacked unjustly.

Re:And microsoft does this anyway to all windows u

[TEB_78]

And as understand it some anti-spam programs does a lookup on the senders hostname to see if it's a valid hostname. If the lookup returns an error (not found) they send the mail directly to the trash.
But with this service you will always get a hit. Which in turn renders this anti-spam program ineffective.
Of course you could use other anti-spam tool, but this stops a lot of spam with fake hostnames.

Re:capitalism at its best...

[Lucky_Norseman]

Also, this community has lots of weight in the recommendation og technical solutions.

"Yes boss, we could use Verisign, but I spent some hours last night finding alternative solutions that are both better and cheaper. Here they are."

How many companies are looking to work with SCO these days?

Isn't there anything we can do?

[lofoforabr]

Can't we do something, I mean, something to legally make them pay for it?
Verisign has a long story of abuse with DNS, and we should be able to do something more than bitch about it or make technical workarounds (ie, patches to dns) about it.
Perhaps a petition to ICANN with enough signatures to make them revoke Verisign's contract?

Re:And microsoft does this anyway to all windows u

[tfb]

As others have pointed out, that's not the same thing at all: what Verisign want to do is to usurp the basic look-up-a-name service.

In fact, I'd expect Microsoft &co to *strongly* object to this, since what it will mean is that dns lookups will eseentially never fail, so you'll never see the search page from IE &c. Essentially Verisign are going to start providing the service that MS now does for IE users, and google now does for Mozilla!

60 to 90 DAYS

[RAMMS+EIN]

60 to 90 days to patch every network utility out there to work around the DNS breakage. ROFL.

Oh, wait, that's NOT funny.

Re:You would think...

[gclef]

Yes, it would. But, that forces Verisign to build a lot of infrastructure, which they don't have in place right now. Right now, they're just using the gtld-servers, which can handle a lot of load, and the wildcard isn't adding any load to that. If they give the system NS records and point them somewhere else (likely the only way to get around delegation-only), then they have to build up a set of SiteFinder DNS servers to handle that query load, which will be an infrastructure and operational expense they weren't planning on. They had to build the webserver cluster, sure, but the cluster they had was clearly not up to the task (kept crashing), and now they'll have to add a nameserver cluster...all this for questionable revenue and a lot of bad blood in the community. The more expensive we make this, the less likely it is to happen.

I'm also secretly hoping that Paul Vixie & co will figure out a way to filter that step, once it comes to it.

By the way, this sort of arms race of action-filter is exactly what ICANN is terrified of. The last thing they want to see is an all-out war over the DNS...it causes instability. This is why it's at least somewhat likely that ICANN will stop Verisign. I can't guarantee that they will act, but they *really* don't want to see an arms race occur.

Re:Why is a profit-company in such a central role?

[Anonymous Coward]

The parent poster never suggested fixing the .com domains. He was merely refering to the grandparent posting asking how this for-profit company got so much power. If people formed communities by saying "hey, let's all use some nonprofit's domain naming system instead", Verisign's power would be lessened.

Sure, they could still trash .com, but who would care?

Alternative root servers

[RAMMS+EIN]

Would using alternative root servert also allow domains with just one part? E.g. slashdot instead of slashdot.org?

I find the TLDs a bit silly, since the general purpose ones lost much of their meaning (commercial websites have .org or .net TLDs), they are confusing (is the site for this norwegian company .no or .com?), most sites will want to have .com anyway, as it is sort of the de facto standard one, etc. So why don't we just dispose of the TLD, and the hostname, and call the website slashdot instead of slashdot.org?

Re:Why is a profit-company in such a central role?

[RAMMS+EIN]

``While I and many other people involved in operations agree that Sitefinder is a horrible idea ethically, nobody is helping their case with histronics and ad hominem attacks on Verisign's business practices, regardless of how true they are.''

I do not oppose to Sitefinder alone, but to VeriSign as a whole. I think it's a Bad Thing to have a corporation in such a dominant position. I don't trust corporations. Sitefinder just proves me right. I don't just want Sitefinder to go away, I want VeriSign to go away. Down with corporate control! The Internet to the People!

Re:You would think...

[orthogonal]

...that they would learn from past mistakes. But no, of course not.

They have.

What they've learned is that outrage, like everything else, is a limited quantity.

You and I can't spend afford eight hours a day, five days a week to watch and warn against Verisign.

We have other things to worry about: Belkin using routers to spam, New York's Livingston County Social Services Commission letting confidential data get posted on the web, Johm Ashcroft eviscerating the Bill of Rights.

But Verisign can trigger our outrage the first time around, back down in the face of our massed complaints, and then, like a spider in its hole, wait patiently until the time is ripe to strike again.

Just like the Department of Justice and the proposed "Patriot II" law; they withdrew it after furious opposition, wait a while, and then got key provisions passed after everyone had relaxed.

Verisign is banking that each time around, they'll be a few less people able or willing to work up any outrage, until only a small minority objects -- a small minority that can be derided with a dismissive comment about "tin foil hats".

This is why we need organizations like the EFF and EPIC (and the ACLU): so the we have someone in out corner who, like a Verisign employee, is paid five days a week to watch for and counter these outrages.

Re:VeriSign Poll

[beuges]

I know you were trolling, but anyways...

Actually, it makes sense to me that 84% of _users_ would not find it controversial, because typically, users wouldn't know or care about the implications that this will have behind the scenes. Now if Verisign was to quote the percentage of developers, administrators, and people who actually know what a bad thing this is, you'd have a more realistic figure.

Mihh

[BenBenBen]

Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.

So, to paraphrase, it'll be hard to convince the public that SiteFinder is any good, becuase the people who say it's useless and buggers up the internet know what they're talking about.

I *heart* corporate thinking.

The Internet is NOT the Web!

[RGautier]

The Internet is a connected suite of protocols that work off of a similar top layer of technology, permitting multiple types of information transfer. Granted, the WWW, being the kick-ass application it is, is a very large part of this. However, what people ALWAYS fail to realize is that Electronic Mail, FTP, SSH, Telnet, Internet Gaming, X-Windows, ICQ, AIM, and every other Internet program under the sun utilizes DNS to try to get where it's going. When Verisign turns on its crappy service, what happens is that every OTHER program that relies on host names will be SCREWED UP. Why? Because instead of an error message that says you are trying to access a host that doesn't exist, you'll get a message that is much more similar to the fact that the host is unavailable! That means when you send an email message to dumbshit@verisiggn.com by mistake, instead of getting a response back immediately that you typed in a bad address, your message will sit in a queue for 3 days, and then you'll get an error message saying that your recipient couldn't be reached. This will cause you to contact your system administrator, and waste hours of his time, and time at other remote administrators because no one will catch the typo until after they've exhausted all the possible reasons your mail systems cannot talk to each other. System Admins RELY on error messages that make sense. When those are absent, answering user questions of 'It doesn't work - fix it' is VERY VERY DIFFICULT. This message is just for those of you who appear to not have a clue just how much frustration this causes, and who think that this makes even a modicum of sense to do.

Technologists and Public Relations Wars

[ReadParse]

Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.

Come again? Since when are "highly regarded technologists" given a second thought by the average user? Their thinking is...

"Let's see... www dot... oh, I hate these computers... where's the g? hootmaail.como... there! Wait, that's not my mail. This is... uh... oh yeah, silly me. I spelled it wrong. Yes, that's the one I want... I'll that... wait... online dry cleaning... I need THAT."

And that is the END of the thought process. They don't think about whether or not it's a helpful service unless a surveyor puts a gun to their head and makes them commit one way or the other. They certainly don't think about asking the "highly regarded technologists".

Re:capitalism at its best...Well Monopoly...

[ReaperOfSouls]

I know this is troll bait, but I will bite.

Capitalism works on the premise of competition. Because they are the sole athoritative root for all .com/.biz domains, they have been given a monopoly. No other company can do this since they don't control the athoritative root for those domains.

Beyond that it fundementally changes the way the internet works to the benifit of a single company. This is very anticompetitive.

If I were a shareholder, I would tell them to drop all of its plans for site finder since eventually it will lead to a loss of all of its domain registration revenues.

Interview with Stratton Sclavos, he's the devil

[hqm]

There is an interview with Stratton Sclavos,CEO of Verisign, at http://news.com.com/2008-7347-5092590.html.

SclavosThe reason Site Finder became such a lightening rod is that it goes to the question of are we going to be in a position to do innovation on this infrastructure or are we going to be locked into obsolete thinking that the DNS was never intended to do anything other than what it was originally supposed to do?

Q:Still, a lot of people in the Internet community were quite surprised by Site Finder--and then you had complaints surfacing that it was not complying to approved standards.

Sclavos:Let's break the argument down: The claim that Site Finder was nonstandard and that we should have informed the community we were doing something nonstandard--excuse me: Site Finder is completely standards-compliant to standards that have been out and published by the IETF (Internet Engineering Task Force) for years. That's just a misnomer. The IAB (Internet Architecture Board) in its review of Site Finder said the very same thing--that VeriSign was adhering to standards.

His definition of "standards-compliant" is a cynical and deceptive one. Sure, the SiteFinder is complying with the standard, in that it is returning well formatted packets. However the content of those packets are lies. They are lying by saying that domains exist when they do not, in order to fool web browsers into loading the commercial content that Verisign wants to get to web surfers.

It is analogous to saying that if I put a detour sign in the middle of the freeway to direct traffic to my shopping mall, that I am obeying the traffic sign protocols.

The comment about "ninety-nine percent of the traffic is pure HTTP" is a shorthand way to sum up why it is not possible to communicate with Verisign's executives, and why they must be stopped and soon.

Because it wouldn't matter if one hundred percent of the traffic on the internet were HTTP, it still is not a reason to break DNS in order to insert advertising. The "service" they claim to be providing should be provided by the browsers, giving everyone a chance to implement their own solution to the problem of mistyped domain names. Then many possible solutions to this issue can be innovated. By breaking DNS to lie about the existence of domain names, they actually prevent anybody else from providing any solution. This is the exact opposite of innovation. And they are smart people at Verisign, they clearly and obviously know all this, and yet they are lying to every one about it. And that, in a nutshell is what makes me more furious about this than any other Internet legal issue has in a long long time, maybe ever, or at least since Network Solutions took the .com database offline and made it their own private property.

There was a story I heard once, about a company (Novell ?) which implemented their own file transfer protocol over the network. They did not use exponential backoff on retransmit, which made their protocol look much faster than TCP/IP. It would in fact hog all the bandwidth, bumping out all the more polite and well behaved protocols. This was great for them, but in fact as the network approached saturation, the system would fail catastrophically, for reasons obvious to Internet protocol designers.

At some meta-level, this is what is happening to the Internet itself now. Verisign is itself like the bad protocol, which does not play well with others. It is taking advantage of an opportunity which gives it a short term advantage, while degrading the entire network protocol infrastructure.

Re:Why is a profit-company in such a central role?

[zerocool^]

From an operations standpoint, the impacts of Sitefinder are unfortunatly minimal now. Most of the major operational issues brought up when it was first released have been solved by either Verisign or by various application developers (ISC and other DNS developers) and are no longer an issue.


Except for things like this:

Option 1 -
MailServer: "OK, you sent me mail from this domain, let's reverse look it up to see if it actually exists... nslookup domain... OK, so I'm gonna go ahead and reject that spam."

Option 2 -
MailServer "OK, you sent me mail from this domain, let's reverse look it up to see if it actually exists... nslookup domain... OK, it exists, let's look it up by IP to make sure it actually is the domain you're from... nslookup IP... ok, I'm going to go ahead and reject this, and either stop sending spam, or configure your reverse zones".

Option 3 -
MailServer: "OK, you sent this, I'm going to check and see if you're valid... nslookup domain... nslookup IP... fantastic! Welcome to my humble abode, and don't worry about that mail, it's been taken care of".

Or, with SiteFinder, Option 4 -
MailServer: "I hate my life. Are you a valid domain? Yes? No? I don't care, I'm barely here. My existance is meaningless, my spirit is broken. I think I'm going to cat /dev/urandom to a file for a while."

~Will

Re:Fine, if it's within your control

[Lev_Arris]

This would actually be a bad 'solution' if you consider how SMTP mail sending operates. Currently, mails sent to an inexistent domain will bounce immediately at the bogus SMTP server they set up. If you were to route the traffic in a way that prevents access, your mail would get stuck in the queue and your server would keep retrying several times before giving up and notifying you of the failure.

Better solution is to patch your DNS server to return NXDOMAIN instead of sitefinder's IP(s) (the way it should be(TM) ).

Re:Proof that some people never learn

[dazed-n-confused]

Why would spammers want to hurt VeriSlime?

Innovation in the core?

[kindbud]

I say no. That the core is dumb is one of the reasons the internet is available to everyone. That the core is dumb is one of the reasons it is so reslient. That the core is dumb is the reason we can assign stewardship - not ownership - to Verisign, and yank it away from them when they misstep.

Keep the core dumb. No innovation is necessary or wanted.

Re:Interview with Stratton Sclavos, he's the devil

[bluGill]

I've worked with file transfer protocols that didn't use backoff. However they required someone configure the maximum bandwidth they could use, and assumed a leased line. Sure you were running over IP, but you had dedicated bandwidth.

In the case of high latency links (think geosynchronous satelites) the standard TCP implimentations do not have a big enough window to saterate a link. If you bought a link with guaranteed bandwidth with an application in mind that needed that much, you need to write your won protocol. Sure you could modify TCP, but that means you need to check if you are on the dedicated line, or the standard network.

Running such a protocol on the internet is impolite and a bad idea. Running it on lines you own is a much different matter.

This is simply theft by an "employee".

[argent]

Sitefinder is like discovering your receptionist has decided to redirect all wrong phone numbers to her cousin's "dial-a-psychic" service, and the janitor's been putting ads for his brother's body shop on everyone's desk.

Verisign doesn't own the "product" they're selling, they're just operating it for ICANN. This is no more a legitimate business than, oh, the original Napster was.

Re:Why is a profit-company in such a central role?

[dubl-u]

I don't trust corporations. Sitefinder just proves me right. I don't just want Sitefinder to go away, I want VeriSign to go away. Down with corporate control! The Internet to the People!

I don't know if you've been inside one, but it turns out corporations are made up of people. And it's a crazy thing, but so are governments. Everywhere you look, it's people, people, people. And as far as I can tell, none of 'em are perfect.

The problem isn't corporations as such; it's ICANN giving control of the big TLDs without sufficient oversight. Outsourcing the operation makes sense, but allowing Verisign to do whatever they please doesn't. ICANN should be making sure that none of their vendors are doing stuff that harms the internet, outrages the people who make it go, or inconveniences the zillions of people who rely on it.

Whether it's a coroporation or a government department doing the work, you still need oversight, and that seems lacking here.

Spam-harvester traps also hit Sitefinder.

[billstewart]

If you want to have fun annoying spammers, one of the popular methods is to leave attractive-nuisance email addresses around on your web pages (or use CGI scripts that generate lots of these things.) If those addresses are at bogus domains, the spammers or the proxies or zombies they're abusing will do DNS queries, and if Verisign is giving them Sitefinder's IP address, they'll set up SMTP connections to Sitefinder's email-stub server instead of just dropping the connection. This makes it harder for the spamware to detect the trap and annoys Sitefinder.

A DDOSer who wanted to annoy Sitefinder could do random downloads from their site, and unless they've improved on the original Sitefinder, those downloads are 17KB of singing dancing Javascript instead of ~1KB of simple clean html text. If this has a big enough impact on Sitefinder's bandwidth cost, it will encourage them to provide simple clean html instead of their current potentially-dangerous dreck.

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

If it's going to do this, it should pop up a dialog the first time, explaining what it's doing, and give you the chance to turn it off right then and there.

.kids versus .porn/.sex/.xxx

[TWX]

"Remember, these are the guys that think a "dot porn" and a "dot kids" TLD will actually fix anything."

I disagree with you to a point on the lack of merit to this idea. I think that a .kids or .students or some form of TLD that is managed would work well, especially if it were handled right. Right now, school districts are forced to try to filter the whole Internet to prevent pornographic materials (and I'm not talking art, I'm talking Tawnee Stone, god bless her soul:) from being easily accessible. If a heavily restricted .kids or .elem or the like domain were created, schools could trust the content of the domain. It'd be similar to the .museum domain. An organizational body could punish or retract domains based on abuses, and the body could work to establish actual guidelines for acceptibility. Granted, it'd be just as political as anything else bodies do, but at least there'd be a chance for it to work right.

The trouble with trying to make porn domains is that states could enact laws that prohibit ISPs from allowing traffic to sites that are so easily identified, which would be censorship. It would also be difficult to get pornographers to make use of the domain anyway, since a lot of content mirrored isn't exactly staying within copyright guidelines, and I would imagine that someone engaging in copyright violations wouldn't want to make themselves stand out that clearly.

Re:.kids versus .porn/.sex/.xxx

[NoMoreNicksLeft]

And everything a kid could reasonably want would be included in this .kids domain?

Hardly, dotcom sits would dwarf that TLD 10,000 to 1. So the kid still has to beg to get access to the site he needs to be able to do a essay. No help there. A .kids TLD (if the only one they're allowed to use) is the same thing as restricting them from the internet entirely. At that point, you might as well talk about creating a seperate K-12 internet strictly for school use.. while not qualitatively different from a .kids TLD, it at least is a bit more clear and honest what is happening.

Re:Proof that some people never learn

[Zeinfeld]

Speaking of backlash, it's hard to imagine a more interesting target for the next MyDoom type worm. Could a worm that tries to get the index page off random domains bring down VeriSign?

It happens every day, the number of recorded DoS attacks against the core DNS is over 1000. There are DDoS attacks happening on a regular basis.

MyDoom only took out SCO because they had a DNS server on a T1 link. It did not come close to taking out Microsoft.