Critics raise security concerns about VeriSign service

WASHINGTON - VeriSign Inc.'s Site Finder service has caused problems with the way some e-mail and other Web applications function and collected more information about Web surfers than some other services designed to redirect mistyped URLs (uniform resource locators), critics of the new Web search site said Tuesday.

Those raising objections to Site Finder at a meeting of the Internet Corporation for Assigned Names and Numbers' (ICANN) Security and Stability Advisory Committee in Washington, D.C., raised several technical concerns about the service, including it not working with some Internet protocols, including HTTPS (Hypertext Transfer Protocol-Secure), which indicates that a site uses SSL (Secure Sockets Layer), and FTP (File Transfer Protocol).

Site Finder, launched Sept. 15 and shut down this past weekend at the request of ICANN, redirected Internet users who mistyped a URL to a search page that suggested possible matches for the mistyped Web sites. Before Site Finder, Web users would get an error message or a similar search page from vendors such as Microsoft Corp.'s MSN.

Site Finder centralized the URL search function in the .com and .net domains into VeriSign's servers instead of the largely decentralized approach, said David Schairer, vice president of software engineering of Reston, Virginia, Internet service provider (ISP) XO Communications Inc. "The Site Finder has basically made itself a prestige target," Schairer said. "It's very likely to be attacked, and we need to understand clearly what will occur if that happens."

But VeriSign has a "proven track record" of security, countered Scott Hollenbeck, director of technology for the company. "As an example, I offer up the 100 percent up time that we've demonstrated on the .com and .net name servers over the past six years," he said. "We probably invest more in that infrastructure than any other registry operator."

VeriSign's launch of the service sparked a flurry of criticism that the company was trying to use its control of the .com and .net domains to dominate the Web search market. The launch of Site Finder also caused problems for some e-mail programs and SMTP (Simple Mail Transfer Protocol) servers, as the applications or servers didn't receive traditional error messages, Schairer said. An extra step that e-mail servers would have to take to confirm nonexistent domains would use more server resources and cause delays in response times to users, he said.

If continued, Site Finder would drive up the support costs of vendors for those applications, he said, comparing this "tax" on vendors to a small version of the costs of fixing the Y2K bug.

But VeriSign officials said they plan to include an addition to Site Finder that will resolve most e-mail issues. They said they are monitoring critiques from the technical community and have launched a technical review panel that includes company outsiders to address concerns being raised about the service. They also questioned Schairer's observations about the effects of Site Finder, saying he should provide them harder statistics on the problems.

Asked why VeriSign did not alert ICANN and Internet standards bodies more than a few days before it launched Site Finder, Chuck Gomes, vice president of the VeriSign Com Net Registry, said the company wasn't sure how to describe its plans to launch the new service without exposing trade secrets to potential competitors.