
Verisign Considers Restarting Sitefinder

Rosco P. Coltrane writes "The Washington Post reports that VeriSign is considering reviving its infamous search engine. 'Site Finder was not controversial with users' says VeriSign's Tom Galvin, and VeriSign 'assured ICANN that it would give 60 to 90 days' warning to resolve any remaining technological problems.' Such as leaving the DNS service alone for example?"
  • by ggvaidya ( 747058 ) on Tuesday February 10, 2004 @06:27AM (#8235751) Homepage Journal
    This is .org and .com! When does Verisign's lease expire? Can ICANN turn over the license to someone else?
  • You would think... (Score:4, Interesting)

    by TehHustler ( 709893 ) on Tuesday February 10, 2004 @06:28AM (#8235756) Homepage
    ...that they would learn from past mistakes. But no, of course not.

    The problem is, are ICANN going to back down this time and let it slide, or are they going to continue to give Verisign hell over this, and pressure them, as they should definitely do?

    Are we likely to see another backlash from users and network admins?

    And will there be the same sort of media coverage that basically gave Verisign quite a bad bit of PR for 2 weeks?

    It seems like they have sneaked this out again with the minimal amount of fanfare in an attempt to try and stifle the opposition, but when you have so many people mistyping domains every day, you can't really expect it to go unnoticed and not to piss people off.
  • the sooner (Score:5, Interesting)

    by narkotix ( 576944 ) on Tuesday February 10, 2004 @06:33AM (#8235776)
    they take .com and .net out of verisign's hands the better. It's just unfortunate that this will misinform new people AND generate more needless traffic because of the returned page. Did the search page ever have preferences to certain websites? or was it truly independent? If I typed in server software would it bring up xxx penis extensions because some idiot put in metatags or would it bring up true results?
  • Because people let them. If more people pointed to alternative [open-rsc.org] root servers [adns.net], they wouldn't have as much power.
  • by twoshortplanks ( 124523 ) on Tuesday February 10, 2004 @06:43AM (#8235826) Homepage
    The complete wrongness of the way Verisign are going about it aside, I don't see why getting a search engine when you enter an incorrect domain is a bad thing in your web browser. I'd argue it's a feature. Sure, it could be a bit better labeled, but it's not like you were going to see anything else of use, was it?
  • Take a wild guess?! (Score:1, Interesting)

    by Killjoy_NL ( 719667 ) <slashdot@@@remco...palli...nl> on Tuesday February 10, 2004 @06:45AM (#8235834)
    Come on I dare ya.

    Guess which site is the next potential target for the MyDoom virus??

  • by Anonymous Coward on Tuesday February 10, 2004 @06:50AM (#8235859)
    If I were a shareholder, I wouldn't ask them to do this at all. Sure, it may boost short-term profits for them, but in the long-term, it could cause consumer rebellion against them and the revenue lost would probably far outweigh the short-term benefit. You can just look at the slashdot community and say that it could be potentially disastrous in the long-run. Sure, this community is a small subsection of the population, but these people are the gatekeepers for many aspects of the technological world and if you piss the gatekeepers off, all hell breaks loose.
  • by mr_walrus ( 410770 ) on Tuesday February 10, 2004 @06:50AM (#8235863)
    can someone be blamed for doing a denial of service
    to a site that Does Not Exist ?

    how about some scripts to pump out requests to a fairly
    limited set of known to be Non-Existent domains...

    could this possibly cause an interesting burden on Verishit's servers?

    would the name lookups themselves affect DNS too badly to
    cause innocent collateral damage? i'd hope caching of a limited
    set of non-existent names would avoid much dns load.

    just curious, academic musing and all that...
  • by demonic-halo ( 652519 ) on Tuesday February 10, 2004 @06:51AM (#8235866)
    Remember the times when Microsoft and SCO had to change their web address to sidestep being attacked by DDOS for various worms?

    If site finder goes up.. All failed DDOS going to old domain names will end up taking those attacks. Guess verisign will be the official decoy for outdated worms. =)
  • Troubleshooting (Score:3, Interesting)

    by justinmc ( 710870 ) on Tuesday February 10, 2004 @06:54AM (#8235879)
    I don't know about you guys, but this made troubleshooting a pain for me.

    Me: you are not able to access the server?
    User: But I can ping it???
    Me: Is it giving back (Sitefinder IP - can't remember it)
    User: Yes - it is responding, why can't I access it????
    Me: Well you see, DNS works by...
    User: I don't care, fix it
    Me: But........
  • by irc.goatse.cx troll ( 593289 ) on Tuesday February 10, 2004 @06:59AM (#8235895) Journal
    I had a similar idea... I'd like to see a worm just start hitting random domains, just a GET request to http://akljfhaksjdfhaskldh.net, maybe 2 every 10 seconds or other such interval. Not only would you hammer sitefinder, you'd fill isp caches causing them to take notice and block the sitefinder trash. ..not that I'm condoning anything like this..
  • Well... (Score:2, Interesting)

    by i_am_syco ( 694486 ) on Tuesday February 10, 2004 @07:20AM (#8235963)
    Am I the only one here who actually thought SiteFinder was good? I mean, quite a few times, if I was typing in a domain, like say Homestarrunner.com, and I misspelled it, I'd get a "no server found" error, have to go back into the URL and try and figure out where I screwed up. Not exactly a challenge, but still annoying. With SiteFinder, I just have to click the link that popped up. And it always popped up.
  • by twistedcubic ( 577194 ) on Tuesday February 10, 2004 @07:21AM (#8235969)
    Indeed, it's evil, but if Verisign makes it trivial to DoS the entire internet, then SiteFinder is probably not a good idea.
  • by BiggerIsBetter ( 682164 ) on Tuesday February 10, 2004 @07:23AM (#8235973)
    If they go ahead with this, I suspect we will find out...

    On a similar note, how about an industry wide boycott of all Verisign certificates. The next round of certificate-extortion goes through someone else, and uninstall their root certs too - I'd hardly call them "trusted" after pulling this junk again.
  • by Tom ( 822 ) on Tuesday February 10, 2004 @07:24AM (#8235980) Homepage Journal
    "Site Finder was not controversial with users"

    Hm, let's see:

    a) Right. It just was extremely controversial with those who didn't use it (i.e. everyone else, like 99% of the Internet users)

    b) Right, it wasn't controversial. Everyone agreed that it's a bloody fucking stupid thing.

    c) Right, it wasn't the Sitefinder page itself that we all hated, it was Verisign's "bend over, here we come" attitude of forcing it on everyone, whether they wanted to or not.

    Now that's three ways how he's saying the truth. Can't really argue with that, can you?
  • by blorg ( 726186 ) on Tuesday February 10, 2004 @07:51AM (#8236061)
    Verisign only operate .com and .net under contract from ICANN. Surely they can be prevented from relaunching Sitefinder under purely contractual grounds - previously ICANN was much against Sitefinder and threatened to sue [icannwatch.org], quoting breach of contract [icann.org]:

    "The contractual inconsistencies include, violation of the Code of Conduct and equal access obligations agreed to by VeriSign, failure to comply with the obligation to act as a neutral registry service provider, failure to comply with the Registry-Registrar Protocol, failure to comply with domain registration limitations, and provision of an unauthorized Registry Service."

  • by jimhill ( 7277 ) on Tuesday February 10, 2004 @07:51AM (#8236063) Homepage
    You do know that there's a lot more to the Net than the Web, right? And that having a website returned instead of the spec-ordered "No such domain" when you're using a different Net scheme (like email, or chat, or good ol' gopher) is fundamentally Wrong. If the Web were a distinct thing that had its own DNS then I doubt many would be grousing, save those whose profits just got diverted into VeriSlime's ShiteFinder pockets.

    ObInsult: Ya Jughead!
  • by TyrranzzX ( 617713 ) on Tuesday February 10, 2004 @08:28AM (#8236192) Journal
    I often ask myself "what would be the most elegant solution to this problem?". To this, I believe the best elegant solution would be to simply blacklist verisign on your routers and add a static route translating their ip address to one that won't route, like 255.255.255.255 or 192.168.1.1. You can also use ACLs to accomplish the same, or firewalls.

    As for error generation, if you've got DNS redirection on your router (like on my cisco I can tell it to take one DNS name and redirect it to another, or take one IP and redirect it to a DNS name), you can redirect the DNS name to a fictional one, like

    "www.this.dns.name.doesn't.exist.net.com.org.bleg. ARGH"

    For those of you who don't have pretty routers, use the windows hosts file to do the same with DNS and IP redirection on your boxen.

    I've got a feeling that if enough admins and ISPs blacklist their domain, they'll either get the message, or start trying to change IPs and whatnot. In which case I believe ICANN will get real pissed at them dodging our blacklist for business.
  • Let them. (Score:5, Interesting)

    by Stormbringer ( 3643 ) on Tuesday February 10, 2004 @08:31AM (#8236211)
    The annoyance factor and the outrage will be big pushes for the OpenDNS idea, especially once the cc people wise up and get on board to stop the extortion.

    Maybe ICANN won't notice as everybody migrates away from their little empire of root servers until everybody's already used to the idea; that will eliminate the 'single point of political failure'.

    Verisign is busy proving all over again what FLOSS has been demonstrating: when it comes to the Internet, the only people you can trust are everybody.
  • by AKnightCowboy ( 608632 ) on Tuesday February 10, 2004 @08:34AM (#8236218)
    If it is put back in place, then the backlash will no doubt force them to take it down again.

    Wow, and I was just starting to forget about how much I vehemently hated Verisign. It's always good when a company reminds you every once in a while why you believe they're completely evil.

    Just a reminder to the DNS admins:

    zone "com" {
        type delegation-only;
    };

    zone "net" {
        type delegation-only;
    };
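
What the two `delegation-only` zones above ask a BIND resolver to do, modelled in C as an added example (not code from the post or from BIND): a response from the com or net servers is kept only if it is for the zone apex or carries a delegation, meaning NS records in the authority section owned by a name below the zone; anything else is treated as NXDOMAIN. The struct, function names and sample responses are constructed for illustration, and the model ignores the rest of a real DNS message.

```c
#include <stddef.h>
#include <string.h>

enum rcode { RCODE_NOERROR = 0, RCODE_NXDOMAIN = 3 };

/* Reduced view of one response received from a zone's name servers.
 * Names are assumed lower-case with no trailing dot. */
struct response {
    const char *qname;          /* name that was queried */
    const char *auth_ns_owner;  /* owner of the NS RRset in the
                                   authority section, or NULL */
    enum rcode  rcode;          /* response code as received */
};

/* 1 if name lies strictly below zone: "example.com" is below "com". */
static int is_below(const char *name, const char *zone)
{
    size_t n = strlen(name), z = strlen(zone);
    return n > z + 1 && name[n - z - 1] == '.' &&
           strcmp(name + n - z, zone) == 0;
}

/* Response code the resolver acts on when `zone` is delegation-only. */
enum rcode delegation_only_rcode(const struct response *r, const char *zone)
{
    if (strcmp(r->qname, zone) == 0)
        return r->rcode;        /* the zone apex is exempt */
    if (r->auth_ns_owner != NULL && is_below(r->auth_ns_owner, zone))
        return r->rcode;        /* referral to a registered child zone */
    return RCODE_NXDOMAIN;      /* the zone answered for itself, e.g.
                                   from a wildcard A record */
}

/* Constructed samples: a wildcard-synthesised answer for a typo, a
 * normal referral, and a query for the apex itself. */
const struct response wildcard_answer = { "exampl3.com", "com", RCODE_NOERROR };
const struct response referral = { "www.example.com", "example.com", RCODE_NOERROR };
const struct response apex_query = { "com", "com", RCODE_NOERROR };
```
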
  • by lspd ( 566786 ) on Tuesday February 10, 2004 @08:59AM (#8236324) Journal
    Speaking of backlash, it's hard to imagine a more interesting target for the next MyDoom type worm. Could a worm that tries to get the index page off random domains bring down VeriSign?

    Not that I'm suggesting anything.
  • by 0x0d0a ( 568518 ) on Tuesday February 10, 2004 @09:15AM (#8236413) Journal
    Because then you would have massive numbers of name collisions between names like foo.net and foo and foo.bar, etc.

    Furthermore, the administrative structure of DNS is also based on the hierarchy, and having a flat name system would cause all kinds of issues.

    This would also prevent the introduction of new TLDs for fear of a name collision with the TLD itself.

    *Finally*, why would we alias *.com to a TLD? Folks in, say, the UK, might prefer *.co.uk.

    If you want "slashdot" to resolve to "slashdot.org", you can add it to your hosts file and get the effect without causing massive network problems.
  • by platipusrc ( 595850 ) <erchambers@gmail.com> on Tuesday February 10, 2004 @09:39AM (#8236583) Homepage
    why doesn't everyone just start domain arbitration proceedings for all of the matched domains that are very similar to the ones they already have? Since Verisign will basically typo-squat all domains in existence, there should be quite a few domains that could be sued over.
  • by McVerne ( 38715 ) on Tuesday February 10, 2004 @09:50AM (#8236652) Homepage
    Thought I'd share a real life example of sitefinder causing non-trivial trouble with something.

    After sitefinder was originally turned on, a number of players of a certain game were crashing when they entered the game's online matchmaking lobby.

    Why?

    The MOTD for the game was retrieved from a webserver and copied into a fixed length buffer before being shown.

    At some point in the past the game's publisher started redirecting all requests to the webserver that had the MOTD page to another, much larger in size, page. Which overflowed the buffer and crashed the game.

    One of the players decided to do something about it while waiting for things to be put back to the way they were. They modified one of the game files with a hex editor, munging the domain name to a non-existing one, and distributed the modified file to a number of other players.

    This stopped the crashing, until months later, long after the company fixed the MOTD page, when sitefinder came along. Then the munged domain suddenly started serving up pages, and again the game was crashing.

    Now granted, the problem was 100% a result of bugs in the game, but it was still triggered by sitefinder.

    Makes me wonder how many other programs are out there with similar bugs.

    --McVerne
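
The bug class described above, shown as an added C example that is not the game's code: an unchecked copy of a fetched page into a fixed buffer, beside a bounded copy that rejects a body it did not expect. The buffer size, function names and sample page are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define MOTD_BUF 256  /* assumed size of the client's fixed buffer */

/* The pattern the comment describes: the fetched page is copied into
 * a fixed buffer with no length check, so a page of MOTD_BUF bytes or
 * more writes past the end. Kept for comparison only; never called. */
void motd_copy_unchecked(char *dst, const char *body)
{
    strcpy(dst, body);
}

/* Hardened copy: the caller passes the received length, and a body
 * that does not fit, or that holds control bytes a text MOTD should
 * not, is replaced by a fixed fallback. Returns 0 if the body was
 * accepted, -1 if rejected; dst is NUL-terminated either way. */
int motd_copy_checked(char dst[MOTD_BUF], const char *body, size_t len)
{
    static const char fallback[] = "(message of the day unavailable)";
    int ok = body != NULL && len < MOTD_BUF;

    for (size_t i = 0; ok && i < len; i++) {
        unsigned char c = (unsigned char)body[i];
        if (c < 0x20 && c != '\n' && c != '\r' && c != '\t')
            ok = 0;  /* control byte or embedded NUL */
    }
    if (!ok) {
        memcpy(dst, fallback, sizeof fallback);
        return -1;
    }
    memcpy(dst, body, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed stand-in for an unexpectedly large page, such as the
 * search page a wildcard serves for a hostname that should not exist. */
size_t make_large_page(char *out, size_t cap)
{
    static const char chunk[] = "<p>Did you mean ...?</p>\n";
    size_t n = 0;
    while (n + sizeof chunk <= cap) {  /* leaves room for the NUL */
        memcpy(out + n, chunk, sizeof chunk - 1);
        n += sizeof chunk - 1;
    }
    out[n] = '\0';
    return n;
}
```
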
  • by _Sprocket_ ( 42527 ) on Tuesday February 10, 2004 @10:49AM (#8237132)


    On a similar note, how about an industry wide boycott of all Verisign certificates. The next round of certificate-extortion goes through someone else, and uninstall their root certs too - I'd hardly call them "trusted" after pulling this junk again.


    I agree with the general idea. A company who resorts to this kind of behavior is hardly someone that can be trusted. This mindset affects their DNS operations today. What other areas of their business are next?

    Having said that - who is a suitable sub (it's not Thawte)?
  • by dotwaffle ( 610149 ) <slashdot@nOsPam.walster.org> on Tuesday February 10, 2004 @10:51AM (#8237159) Homepage
    Look at it this way - we now have a cast iron case for making the Internet core facilities like DNS a non-profit zone, probably nationalising them under the US (I'm a Brit and I'd prefer this to it being corporate) scheme of doing things, or giving control to the UN. Maybe it's about time we saw the US taking up .us domains too... The overwhelming majority of .com's and .net's are in the US, while most UK addresses are in .uk so maybe this new organisational body would educate on the benefits of having segregated internet addresses...
  • by Anonymous Coward on Tuesday February 10, 2004 @11:39AM (#8237766)
    synthesising a pair of NS records for every non-existent domain rather than using wildcards.

    Methinks you overestimate the storage available to them.

    IIRC, domain names can be up to 63 bytes in length - even limiting yourself to case-less alphanumerics, that's 36^62 combinations - or slightly over 3 yotta yotta yotta yotta bytes (that's 3 with 96 zeroes on the end.) That's the equivalent of about 87 octillion 100GB hard drives.

    And that's just for one TLD (so double it for .com and .net.)
  • Re:Well... (Score:1, Interesting)

    by Anonymous Coward on Tuesday February 10, 2004 @11:51AM (#8237931)
    I hadn't thought about SSH. What if you're trying to SSH to example.com and instead type in ssh exampl3.com? Could Verisign respond with a prompt that says "login" and then get your username and password, if they felt like it? It would be a relatively simple matter to guess what you were trying to reach - could they turn around and ssh into your account?
  • by gid13 ( 620803 ) on Tuesday February 10, 2004 @12:01PM (#8238049)
    "If you want "slashdot" to resolve to "slashdot.org", you can add it to your hosts file"

    Or you can just use Firefox. No fuss, albeit a slight delay.
  • Re:Well... (Score:3, Interesting)

    by pclminion ( 145572 ) on Tuesday February 10, 2004 @12:54PM (#8238898)
    Could Verisign respond with a prompt that says "login" and then get your username and password, if they felt like it?

    No. The username and password are authenticated by a cryptographic challenge. The password is never sent over the channel, in encrypted form or otherwise. It's a mathematical challenge protocol which only works if both sides already know what the correct password is.

    It's impossible to set up a "fake" ssh server and steal people's passwords. This was one of the design points of ssh (and any other cryptographic service worth its salt).
