Committee Charges That VeriSign Weakens Web

SiteFinder raises more questions and ire of Internet community. Advisory group expresses concerns about broader implications of VeriSign's redirection service.

The Internet today is weaker than it was a week ago, according to an Internet advisory group.

The culprit is SiteFinder, VeriSign Inc.'s move to redirect mistyped and nonexistent domain names, said representatives of an Internet Corporation for Assigned Names and Numbers (ICANN) advisory committee on Monday. The group said VeriSign's service was undermining the stability of the Internet.

"VeriSign's change appears to have considerably weakened the stability of the Internet, introduced ambiguous and inaccurate responses in the DNS (Domain Name System) and has caused an escalating chain reaction of measures and countermeasures that contribute to further instability," ICANN's Security and Stability Advisory Committee wrote in a statement.

The committee reaffirmed ICANN's call for VeriSign to suspend its SiteFinder service launched last week and participate in a review of its impact. However, VeriSign officials earlier that day rebuffed calls to stop the service. The committee also recommended that ICANN consider its procedures to prevent sudden changes like VeriSign's redirect service and that the Internet Architecture Board and the Internet Engineering Task Force reexamine DNS specifications.

The ICANN committee issued its analysis and recommendations as the pressure mounts on VeriSign over SiteFinder. Also on Monday, a second lawsuit was filed against the Mountain View, Calif., company over the redirect service. ICANN registrar Go Daddy Software Inc., in a lawsuit filed in an Arizona federal court, is seeking an injunction against SiteFinder and claims that VeriSign is misusing its position as the domain registry for .com and .net.

SiteFinder redirects Web surfers to a VeriSign Web site when they mistype a Web address or enter a nonexistent one in the .com and .net domains. At the same time, ICANN's Security and Stability Advisory Committee found that the scheme also has interfered with other applications and services that rely on the DNS.

The problem originates within the DNS protocol specification itself. A query to the DNS with an incorrect or nonexistent domain name normally returns an error message, which on a Web browser typically appears as a "page not found" error. SiteFinder instead makes it appear to a requesting server that a domain name exists since it is redirected to a VeriSign server.

The problem extends to e-mail, where servers also must query the DNS. Where once an error message would have been returned saying that the domain does not exist, now e-mail often is just bounced back as if access were simply denied, said Steve Crocker, chair of the ICANN committee.

The change can undermine anti-spam software and services. Often, spam filters will first check whether the originating domain name of an e-mail even exists. Even a non-registered domain name would now appear to exist since the query would bounce from VeriSign's server, Crocker explained.

"We're tinkering with some basic plumbing here, so when you veer away from simplicity ... then things can get complicated and can fall apart," he said.

The committee has set up an e-mailbox to accept reports of security and stability problems arising from VeriSign's change. It also plans to hold a public meeting on Oct. 7 in Washington, D.C. on the issue.

For many relying on the Internet's core protocols such as DNS, VeriSign is setting a dangerous course. Bill Woodcock, research director at not-for-profit research institute Packet Clearing House, said that VeriSign's SiteFinder, which includes advertised links along with search results, is harmful for the Internet.

"They are advertising at everyone else's expense and have destroyed Internet functionality that everyone is depending upon in order to advertise," he said.

Beyond the redirecting of traffic, VeriSign's move also is leading to countermeasures that further complicate the situation, Crocker said. The Internet Software Consortium last week released a patch to its Berkeley Internet Name Domain (BIND) software to block SiteFinder. In addition, some Internet Service Providers also are changing routing for certain Web addresses to avoid VeriSign's service. (For more information see Developer Moves to Neutralize Web Helper.)
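
An added example, not part of the original article and not the BIND patch: a sketch of the spam-filter sender-domain check Crocker describes, showing why it passes every name once a registry wildcard answers, and one way a filter can compensate by probing random names under the same top-level domain. The resolver, addresses and domain names are constructed stand-ins so the code runs offline.

```python
import secrets

# Constructed data: a toy resolver standing in for real DNS lookups.
# WILDCARD_IP is a documentation-range placeholder, not VeriSign's real address.
WILDCARD_IP = "192.0.2.1"
REGISTERED = {"example.com": "198.51.100.7", "mail.example.net": "198.51.100.9"}

def make_resolver(wildcard_tlds):
    """Return resolve(name) -> address, or None for a 'no such domain' error."""
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in REGISTERED:
            return REGISTERED[name]
        tld = name.rsplit(".", 1)[-1]
        # With a registry wildcard, unregistered names get an answer, not an error.
        return WILDCARD_IP if tld in wildcard_tlds else None
    return resolve

def naive_sender_exists(resolve, domain):
    """The pre-wildcard filter logic: any answer means the domain exists."""
    return resolve(domain) is not None

def wildcard_addresses(resolve, tld, probes=3):
    """Resolve random labels that are almost certainly unregistered.
    Any address returned for them must have been synthesized by a wildcard."""
    found = set()
    for _ in range(probes):
        addr = resolve(f"{secrets.token_hex(16)}.{tld}")
        if addr is not None:
            found.add(addr)
    return found

def sender_exists(resolve, domain):
    """Treat an answer as 'nonexistent' when it matches the TLD's wildcard address."""
    addr = resolve(domain)
    if addr is None:
        return False
    tld = domain.rstrip(".").rsplit(".", 1)[-1]
    return addr not in wildcard_addresses(resolve, tld)

if __name__ == "__main__":
    before, after = make_resolver(set()), make_resolver({"com", "net"})
    for label, resolve in (("before wildcard", before), ("after wildcard", after)):
        for dom in ("example.com", "no-such-sender.com"):
            print(label, dom, naive_sender_exists(resolve, dom), sender_exists(resolve, dom))
```

The probe-and-compare check is itself one of the workarounds the committee warns about: it adds extra queries per message and would misclassify a real domain that happened to be hosted on the wildcard address.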
