September 24, 2003

The Verisign Typo Crisis

Michael Froomkin writes about the Verisign typo crisis:

Discourse.net: Sitefinder: The Biggest Internet Crisis You May Never Have Heard Of: Last week, VeriSign, the people who run the .com registry (the big data file that has all the .com registration data in it), unilaterally decided to change the way the most-traveled portion of the Internet works for most people. Until then, if you typed in a .com domain name that didn't exist, you would get an error message. Unless, of course, you were an MSN or AOL subscriber, in which case you would get a custom web page they each designed, and which included some ads from folks who thought that they might profit from common misspellings.

Well, VeriSign saw a profit opportunity, and it decided to eat AOL's and MSN's and everyone else's lunch by introducing its "Sitefinder" service. In the new .com, every browser typo, every attempt to load up (the technical term is "resolve") a domain that didn't actually exist, leads you to special pages designed and owned by VeriSign--and on which we are all invited to buy tailored advertising. [Sitefinder, incidentally, has the most unintentionally hilarious terms of service I have ever seen : a web page you go to by accident, and only because VeriSign made you, links to the adhesive assertion that "By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference." But I digress.]

Naturally, MSN and AOL are unhappy. But the technical community is furious. The web is not the whole Internet, and there are many other Internet tools that rely on getting the standard error message when a domain does not resolve properly. VeriSign's change threatened to break all those applications. [There are a lot of ccTLDs (national top-level domains like .ph) and one gTLD (.museum) that already do the same thing. But they are almost all very low volume, and their users were--in the main--forewarned before they registered their domains.]

The technical community responded by coding up changes to BIND, the dominant software for translating domain names into the Internet Protocol numbers that actually do the real work of identifying where the content you want is to be found, and telling the computer that has it how to find you. These changes essentially overtrump the VeriSign change. But fixes like this take time to deploy and propagate. It would be much tidier if VeriSign could be persuaded to put the cat back in the bag...

To me the most interesting thing is that the "sovereign power" here appears to be the group of people called the Internet Software Consortium--the people who patched the BIND program (the Berkeley Internet Name Daemon). As their patch spreads and is rolled into future update releases of BIND, Verisign's play will drop into insignificance. The declaration that Verisign's attempt to snarf more advertising revenue (and (perhaps) give people a more informative screen than "domain not found") is illegal was made by a bunch of techies in the form of "Due to high demand from our users, ISC is releasing a patch for BIND to support the declaration of 'delegation-only' zones in caching/recursive name servers."

Posted by DeLong at September 24, 2003 10:37 PM | TrackBack

Comments

Not quite so simple, I'm afraid to say...

DNS patching is not a good complete solution, as now different sites experience different behavior, with some getting verisign and some getting the correct error code.

Worse, this is an arms-race condition, where verisign can start tweaking their wildcard to resist the anti-sitefinder patches. Far better to big-stick: ICANN suing for $40^64 (approximatly the amount owed for registering all possible domain names), the contract with ICANN being broken, the Bush Department of Commerce finding the missing backbone supply...

Technical means can't solve this gross abuse by verisign, they can only mitigate it for some users in some cases.

Posted by: Nicholas Weaver on September 25, 2003 12:50 AM

Also the ISC is only facilitating, they don't have amicrosoft like autopatch scheme.

Posted by: Jack on September 25, 2003 01:22 AM

you mean the internet now has a name daemon? wow! that's way beyond artificial intelligence!

Posted by: john c. halasz on September 25, 2003 05:49 AM

I get a mental image of a small and greedy kid trying to steal the lunch from a taller kid, who is calmly holding his lunch up higher and looking around for some authority figure to come remove this nuisance.

Posted by: Ben Vollmayr-Lee on September 25, 2003 06:24 AM

I get a mental image of a small and greedy kid trying to steal the lunch from a taller kid, who is calmly holding his lunch up higher and looking around for some authority figure to come remove this nuisance.

Posted by: Ben Vollmayr-Lee on September 25, 2003 06:29 AM

I get a mental image of a small and greedy kid trying to steal the lunch from a taller kid, who is calmly holding his lunch up higher and looking around for some authority figure to come remove this nuisance.

Posted by: Ben Vollmayr-Lee on September 25, 2003 06:34 AM

Now I've finally been bitten by Brad's multiple post bug. Seems to happen when the post takes ages to upload and you go surf elsewhere meanwhile.

Posted by: Ben Vollmayr-Lee on September 25, 2003 06:38 AM

Just a note about the multiple-post thing: I tend to avoid it (although I think I've had a duplicated post a couple of times) by simply waiting about five or ten seconds, and then closing the window without waiting for it. And I just highlight and copy the text, in case.

Posted by: Keith M Ellis on September 25, 2003 07:34 AM

"Berkeley Internet Name Daemon"

Not Stanford Internet Name Daemon.

Please take note.

Posted by: Tom on September 25, 2003 10:01 AM

A BIND fix is nice, but the problem is still there. For one thing, not everyone uses BIND -- Microsoft has a substantial server presence.

Posted by: Mike Kozlowski on September 25, 2003 03:31 PM

Maybe it was all started by MS. Shatter all of the standards, and who's left?

Posted by: Barry on September 25, 2003 07:13 PM

Oddly enough, some of this problem comes out of the popular anti-governmentalism. Verisign and ICANN gained control of the internet largely because of the widespread belief among the informal co-operative which managed the internet that the internet did not need any formally organized governing bodies. When it was found that, in fact, some organization was needed, they had nothing to offer, and the gummint stepped in. At the very least, it seems to me, the global management functions would best be operated through the International Telecommunications Union (,">http://www.itu.int>, or better still through some democratic international body.

Posted by: Randolph Fritz on September 27, 2003 01:01 PM
Post a comment