WASHINGTON - VeriSign Inc.'s Site Finder service has caused problems with the way some e-mail and other Web applications function
and collected more information about Web surfers than some other services designed to redirect mistyped URLs (uniform resource
locators), critics of the new Web search site said Tuesday.
Those raising objections to Site Finder at a meeting of the Internet Corporation for Assigned Names and Numbers' (ICANN) Security
and Stability Advisory Committee in Washington, D.C., raised several technical concerns about the service, including it not
working with some Internet protocols, including HTTPS (Hypertext Transfer Protocol-Secure), which indicates that a site uses
SSL (Secure Sockets Layer), and FTP (File Transfer Protocol).
Site Finder, launched Sept. 15 and shut down this past weekend at the request of ICANN, redirected Internet users who mistyped
a URL to a search page that suggested possible matches for the mistyped Web sites. Before Site Finder, Web users would get
an error message or a similar search page from vendors such as Microsoft Corp.'s MSN.
Site Finder centralized the URL search function in the .com and .net domains into VeriSign's servers instead of the largely
decentralized approach, said David Schairer, vice president of software engineering of Reston, Virginia, Internet service
provider (ISP) XO Communications Inc. "The Site Finder has basically made itself a prestige target," Schairer said. "It's
very likely to be attacked, and we need to understand clearly what will occur if that happens."
But VeriSign has a "proven track record" of security, countered Scott Hollenbeck, director of technology for the company.
"As an example, I offer up the 100 percent up time that we've demonstrated on the .com and .net name servers over the past
six years," he said. "We probably invest more in that infrastructure than any other registry operator."
VeriSign's launch of the service sparked a flurry of criticism that the company was trying to use its control of the .com
and .net domains to dominate the Web search market. The launch of Site Finder also caused problems for some e-mail programs
and SMTP (Simple Mail Transfer Protocol) servers, as the applications or servers didn't receive traditional error messages,
Schairer said. An extra step that e-mail servers would have to take to confirm nonexistent domains would use more server resources
and cause delays in response times to users, he said.
If continued, Site Finder would drive up the support costs of vendors for those applications, he said, comparing this "tax"
on vendors to a small version of the costs of fixing the Y2K bug.
But VeriSign officials said they plan to include an addition to Site Finder that will resolve most e-mail issues. They said
they are monitoring critiques from the technical community and have launched a technical review panel that includes company
outsiders to address concerns being raised about the service. They also questioned Schairer's observations about the effects
of Site Finder, saying he should provide them harder statistics on the problems.
Asked why VeriSign did not alert ICANN and Internet standards bodies more than a few days before it launched Site Finder,
Chuck Gomes, vice president of the VeriSign Com Net Registry, said the company wasn't sure how to describe its plans to launch
the new service without exposing trade secrets to potential competitors.
"We want to be good citizens," Gomes said. "We did extensive testing ... but we want to work with the community to develop
best practices for this in the future."
Another critic raised concerns about the way ISPs and programmers were creating workarounds to the Site Finder service. Some
ISPs launched their own search services with the attitude of "VeriSign did it, why can't we?" said Paul Vixie, president of
the Internet Software Consortium. The result of the launch of Site Finder was a spike in visitors to VeriSign's own Web site
and a drop in visitors to MSN's search page, Vixie said.
Some ISPs launched their own Web search pages, complete with advertising, and redirected mistyped URLs from their users, Vixie
said. "This is going down the slippery slope toward instability," he added. "The total result of this is growing (domain name
server) incoherence ... and that's not a direction I'd like to see us go in."
On top of the technical and security concerns, the stated topic of the ICANN committee meeting, Boston privacy consultant
Richard M. Smith raised privacy concerns about Site Finder. The service collected the full mistyped URLs, Smith said, and
VeriSign shared the information with marketing research company Omniture Inc. In the case of misdirected e-mail, Site Finder
collected both the sending and receiving e-mail addresses, Smith said, and Site Finder could have collected the text of those
e-mail messages if VeriSign had wanted to.
If an Internet user had bookmarked a Web form URL that no longer existed, Site Finder could capture all the information in
the Web form, such as names, addresses and credit card numbers, before telling the user the page no longer exists, Smith added.
VeriSign will not keep the data from users that Site Finder uses to point Internet users to existing Web sites, Hollenbeck
said. "I can emphatically say that VeriSign is not collecting or retaining any data," he said.
VeriSign could accomplish the goal of giving Internet users more meaningful error messages when they mistype a URL without
a service that dominates all .com and .net URLs, Smith added. "Why not have Site Finder as a little applet that runs in Web
browsers that provides a service to users who want it?" Smith said.
One audience member said Smith was bringing up privacy scenarios that would be rare, such as a Web form that has expired but
was bookmarked by a user. When new applications or platforms are developed, they often cause legacy systems to break and prompt
protests from some users, but that shouldn't stop technological innovations, said Jonathan Zuck, president of the Association
for Competitive Technology.
"I think VeriSign is trying to innovate on the platform and see what happens," Zuck said in an interview. "(Site Finder) will
result in a net improvement to the Internet."
Schairer also disputed VeriSign's claims that Site Finder was having a small effect on a handful of spam-blocking programs.
While VeriSign officials said only 3 percent of spam was sent using nonexistent domain names, Schairer said XO's internal
checks found that number was closer to 20 percent, and Site Finder complicated attempts to check for existing domain names.
VeriSign officials said only a small number of spam-blocking programs checked if the spam was coming from an existing domain
name, but Schairer said Site Finder would increase the amount of spam Web users receive because some spam filters wouldn't
recognize bogus domains.
Critics also raised a number of concerns that did not appear to be directly related to technical or security issues, such
as Site Finder returning an English-only page to non-English speakers and the size of the Web page that the service generates.
XO's Schairer said the Site Finder Web page is about 100 times the size of older redirect messages.
"Most of us have become jaded by our high-speed, always-on Internet connection, but there are a lot of people who are on pay-as-you-go
(service)," Schairer said. "These people are getting roughly 100 times the amount of the traffic ... because of the size of
the redirect."
But ICANN committee member Ken Silva, vice president of networks and security at VeriSign, questioned if some of Schairer's
concerns with Site Finder related to the security and stability focus of the ICANN meeting. "Is a 10 percent increase in spam
a stability or security issue?" Silva asked. "Or is it an inconvenience to a small number of users?"
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
