Q: In the first part of this decade, the global DNS infrastructure came under a few big denial-of-service attacks that caused service disruptions, but in the last few years, we haven't seen any significant service outages. How well have we done in making DNS resistant to DoS attacks?
A: VeriSign services have never completely been taken out from a DoS attack because of our distributed nature. We do get DDoS [distributed DoS] attacks, and they are getting bigger, and bigger, and bigger, but they haven't affected us that greatly. In February 2006, we launched our Project Titan initiative, in response to our growing legitimate services and to handle DDoS attacks in the multiple tens of gigabytes. Our goal was to fortify the infrastructure to over 10 times the predicted infrastructure needed. Project Titan will increase bandwidth 10,000 times the 2000 levels by 2010. It's already at 1,000 times the size today [as compared to the 2000 levels], and will be another 10 times today's level in the next two years. It will be able to handle 4 trillion queries a day.
Q: Why are DNSSEC and any of the other "advanced" DNS security proposals slow to gain more widespread acceptance?
A: These are complicated technologies, and you have to agree to get the entire world to agree on the standard, what makes up the standard, and do it at the same time. That alone makes it difficult.
Q: Users have a tendency to ignore or bypass digital certificate errors, undermining the whole system of trust. What can be done to improve the user's security experience in light of that fact? What are browser vendors missing?
A: VeriSign has been working closely with browser vendors to improve the user experiences, but there isn't enough real estate in the browser to do it perfectly. But many vendors, especially Microsoft, are doing innovative things like Extended Validation (EV) certificates. When a user browses to an EV-protected Web site, an EV-enabled browser [such as Microsoft Internet Explorer 7, Mozilla Firefox 2, and Opera 9.5] will turn the address bar green, identifying the site as trusted using the strongest assurance we can offer today. Users can trust EV certificates. It is proven that sites that use EV certificates have much lower abandonment rates than sites without EV. For example, Overstock.com found users were abandoning their shopping cart at the point at which they were supposed to put in their credit card information … at the moment they really needed to trust the vendor. Overstock.com started using EV certificates and saw a 16,000 times return on investment.
Q: Critics say that Extended Validation is really asking consumers to pay more for the trust assurance that they were originally promised in normal Class 3 Web site certificates. How do you respond?
A: EV gives the certification authority vendor more time to do the proper validation. With EV, we do a complete background investigation, including a financial check, articles of incorporation, and verifying their identity.
Q: But that's included with the normal Class 3 certs. What's different?
A: We ensure the subject is who they say they are and that they own the domain.
Q: Again, VeriSign does this with Class 3 certificates, so what's different?