The service probably most loathed since Microsoft’s product activation service, Verisign’s “SiteFinder”, is about to make a comeback after a brief respite. And this is bad news for net users everywhere — in fact this is bad news for anyone but Verisign, which is blatantly using its position as custodian of the .com and .net top-level domains.
SiteFinder works by introducing wildcards into the internet’s Domain Name Service. The system could be seen in action from September to early October. If you happened to try and reach a domain which did not exist, instead of getting the traditional 404 error you were automatically redirected to Verisign’s SiteFinder page. At the flick of a switch Verisign was able to manipulate the net into granting its much-derided service million of hits, and that’s about the most innocuous effect that came out of the whole thing.
More serious were other implications of the move. What happened when SiteFinder was in operation is that any domain in the .com and .net domain which did not exist independently had its traffic automatically redirected to Verisign’s servers. For web surfing this was not a big deal, although it worked surprisingly like spam — if you made a typo while trying to access a page you were faced with what was, intentionally, an advertisement for Verisign. In that sense it kinda worked like using IE with Windows XP, where you get redirected to an MSN search page with your query as a search term, except that it short-circuited Microsoft’s mechanism by essentially fooling DNS into making SiteFinder the actual entry for that domain.
The real three-headed monster in this was e-mail. In exactly the same way that web traffic to non-existent sites was redirected, mail traffic with domain typos was also redirected to Verisign, which effectively became the “owner” of those messages. As with ordinary e-mail the majority of that lost e-mail was probably spam, but what about those messages that were not spam? Messages, for instance, which communicated things like business strategies, personal messages potentially confessing to dubious behaviour, etc. ended up the legal property of the Verisign corporation without the sender’s knowledge or consent.
SiteFinder also short-circuited mechanisms intended to curb the amount of unsolicited commercial e-mail (spam) in people’s mailboxes. If every unregistered or badly-spelt domain name resolves to an actual address it becomes completely impossible to field messages which originate from non-existent email addresses and domains. I personally have experienced a big surge in spam around the time SiteFinder was in operation, and I do not think that this was a coincidence.
What I find most creepy, however, is that this is a clear instance of Verisign using its position as maintainer of the .com and .net domains in order to boost its profits. How? For every unregistered or misspelt domain requested while SiteFinder is in operation Verisign receives a measurable amount of traffic. Verisign takes these statistics, analyzes the most requested non-existent domains, and snatches these up for itself, putting them up for sale as ‘premium domains’ on their own domain name registration service, and with a price to match. There really is not reason why Verisign would implement such a service without also implementing this metrics scheme. And who pays for this? Network owners administrators everywhere, who have to deal with more spam and more traffic than before so a struggling Verisign can retain those shreds of relevance which it threw away due to outrageous pricing and poor customer service. And I should know — this domain used to be registered with NSI (then owned by Verisign) until I got sick and tired of their “early-90s-technology” management method of faxes and emails, especially when world+dog was using secure web interfaces.
How can we as net users fight this? There are a few avenues. For one, system administrators could block all access to SiteFinder at the router level by redefining it as “localhost”. That would be the most effective way of giving Verisign the finger, which they most earnestly deserve. This would only prevent the additional network traffic involved in fielding non-existent web site requests.
For e-mail, well, everyone’s pretty screwed with SiteFinder. Nothing can be done because of the way the redirection occurs. Unfortunately with SiteFinder and spam people now have just about every reason to NOT use e-mail for anything sensitive or important… why would you use e-mail for that purpose if the information might end up in the hands of a company which has proven itself plenty willing to use their position as TLD custodians for profit? Go for secure instant messaging instead, or use secure web forms.
Then again, I’m still ethical. Some people might decide it’s time that a major DOS attack was staged on Verisign… after all the people most affected by this awful, awful service will be tech-savvy system admins, some of which might decide that best intentions are not enough to deal with the situation as it it. I guess that remains to be seen.