| | At Large Membership and Civil Society Participation in ICANN |
|
| |
|
|
|
 Verisign typo-squats
posted by jon on Monday September 15 2003, @08:21AM
Verisign, it seems, is about to implement a new plan of redirecting all browser queries to non-resolving domain names in COM and NET to Verisign's own SiteFinder page (see the New York Times (free registration required), and Computer Business Review). SiteFinder will suggest to the user other domain-name strings he or she might "really" have wanted. The plan will presumably generate a whole lot of money for Verisign, generated by a pay-per-click basis by sites getting traffic through SiteFinder, but it's a Really Bad Idea for the rest of us.
Thomas Roessler, in his weblog, explains why: "Users and
developers are deprived of the ability to choose themselves how to deal
with such a situation -- by choosing web browsers that do smart things
about non-existing domain names, by configuring their web browser to feed
the bad address into their favorite search engine, or by just fixing their
typo." Exactly. Once Verisign does this, you can't write a browser or plugin that does a better
job of responding to bad addresses, because your browser will never see them in the
first place. Verisign is taking this functionality away from the edges
and building a suboptimal implementation that users can't work
around because it's part of the network.
|
|
|
|
| |
[ Don't have an account yet? Please create one. It's not required, but as a registered user you can customize the site, post comments with your name, and accumulate reputation points ("karma") that will make your comments more visible. ]
|
|
| | |
|
|
This discussion has been archived.
No new comments can be posted.
|
|
Verisign typo-squats
|
Log in/Create an Account
| Top
| 54 comments
|
Search Discussion
|
|
|
|
The Fine Print:
The following comments are owned by whoever posted them.
We are not responsible for them in any way.
|
|
|
This is an interesting case.
One the one hand, Verisign is going against the de-facto use of the protocol in denying rejections being sent. They'll break a lot of software that relies on this.
On the other hand, serving up a search page is, by a very strict reading, within the protocol. You do not receive a rejection, but an actual response, even if it's not the response you expected. It wasn't the protocol that hijacked the response, it was you, who typed in the wrong URL (and hence the wrong domain name).
Were Verisign to return a "fuzzy" response, you can be assured that most browsers would use it to display their own search page, and monitize that traffic themselves. Obviously, Verisign is doing this for the revenue - and one can't fault them for that.
At the end of the day, the question, I think, will be: are there enough people upset at this to do something about it? Can anything be done directly? Probably not - Verisign owns the resolvers, and short of ICANN making them stop, they'll most likely go ahead.
However... what Verisign serves up should be deterministic in nature. As such, browsers could recognize that and interpret it however they want. If they see a Verisign-generated search page, they can ignore it and show their own. Verisign couldn't complain about this, because it is, for all intents and purposes, exactly what they're proposing to do, themselves.
Interesting times we live in.
--
Ambler On The Net [ambler.net]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
Good points. However, I would prefer that domain names simply do not resolve and return the "unknown hostname" error, as this is the way it has always been. Further, what about existing web search engines that rely on DNS errors as one of the reasons for removing a site from its index on their next crawl? If a domain name expires, the search engine should be able to use that as an indicator to remove it from its index. If the site is "live", it can't.
If ICANN doesn't make them stop and chooses to amend the contract in favour of VeriSign (because Tina Dam did point out that a contractual revision would be required if revenue is involved), then this is one instance when I hope the intellectual property lobby and other businesses sue ICANN and VeriSign for typosquatting. :)
Cheers,
Doug
Doug Mehus
http://dmehus.posterous.com/ [posterous.com]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
Oh, holy.... you're right! This is going to throw Google a HUGE spanner in the works!
They'll be indexing Verisign's search page to DEATH!
I hadn't realize that.
--
Ambler On The Net [ambler.net]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
Apparently, they try to avoid that by serving a robots.txt that disallows crawling.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
|
Which is very often ignored. Besides, the very existence of a site (in the form of the Verisign search page) is noted, irrespective of robots.txt.
--
Ambler On The Net [ambler.net]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
I didn't say they succeed at that.
By the way, the service currently seems to be unavailable; attempts to access a non-existing .net web site now lead to timeouts. In other words, error diagnostics in .net are presently *broken* *completely*.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
Yeah, robots.txt files are quite often ignored. Plus, like you said, Google will see a site is there, it just won't crawl it. Consider VeriSign's latest move a huge curveball to search engines, or any other software makers that rely on DNS errors to display information (or lackthereof) to customers. :(
Cheers,
DougDoug Mehus
http://dmehus.posterous.com/ [posterous.com]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
wrong. easy fix for search engines and folks that use domain not found errors for spam filering: code in the IP address(es) VRSN is using for the redirect.
The change WILL break code. I hope they gave adequet warning.
=====================
been there, done that
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
You're obviously not really Jim Rutt. But your point brings up the issue: why should the anti-spam coders be forced to make this change? And, at that, what happens when Verisign changes those IP addresses, which they will surely do at some point in the future. Why burden those who relied on a function of the protocol with now having to monitor which IP addresses Verisign uses?
I'm not arguing for or against this - just pointing out issues.
--
Ambler On The Net [ambler.net]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
yes Chris, this *is* the real Jim Rutt!!
As to change, that's how we make progress, eh? While this new service will break some parasitic uses of the DNS, it will enable other stuff.
When I was noodling just this idea (after leaving VRSN). I concluded that to mitigate the breakage, there should be a new TYPE defined that marks the record as a "wildcard". Thus a simple fix for spam-filters, search engines and the like. Don't know if this was done.
Another thing I don't know is how much warning was given on the change.
Hopefully, VRSN will maintain stability in the IP addresses and perhaps even "publish" the functionality as a web service.
If nothing else, this will provide competition for the current browser-based monopoly. Though MSFT can easily program the next version of the browser to defeat it, if the service is clearly better than MSFTs lame approach, maybe they won't. There'll be competition for a while at least.
=====================
been there, done that
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
Arrogant, sure. A schmuck, though? Well, since I speak Yiddish, I'll have to deny that one.
Then again, you're an anonymous coward, so I have a hard time taking you very seriously.
Thanks for trolling, though. You made my day just that much more interesting.
Regardless...
The person posting as "jimrutt" makes simple spelling and grammar errors and exhibits opinions that seem contrary to published positions of the actual person. So I doubt his authenticity.
--
Ambler On The Net [ambler.net]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
>The person posting as "jimrutt" makes simple >spelling and grammar errors
ah, but so does the real jimrutt, in online venues where he has long been a proponent of lack of formality.
=jim
=====================
been there, done that
|
|
|
|
[ Reply to This | Parent
]
|
|
- 1 reply beneath your current threshold.
|
|
|
Is there not a potential for a class action lwasuit against Verisign here on behalf of all the holders of registered and common law trademarks and service marks for trademark / servicemark infringement?
From an IP prespective what is the difference if this is done by registering many domain names or by trapping the traffic at the registry level. The result is that same. The traffic intended to the trademark / servicemark holder is redirected to a pay per click serach engine for the benefit of the typosquatter of cybersquatter.
With a deep pocketed target such as Verisign how long is there before some enterpreneurial law firm or group of law firms launches the largest class action lawsuit ever, with members of the class ranging from mom and pop start ups to multinational corporations.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
That would need to be determined in the courts.
I don't see "registry exemption" alowing a registry to register domains on thier own account and then redirecting them to a pay per click search engine in order to profit from other companies TM's and SM's. By the way here is the section of the US ACPA.
"The domain name registrar or registry or other domain name authority shall not be liable for injunctive or monetary relief under this paragraph except in the case of bad faith or reckless disregard, which includes a willful failure to comply with any such court order."
And one must keep in mind that this is worldwide, with the potential for class action in many countries other than the US.
|
|
|
|
[ Reply to This | Parent
]
|
|
- 3 replies beneath your current threshold.
|
|
|
How would people feel if, when you dial a telephone number that is incorrect only because 2 digits are transposed, you got a directory service instead of a "wrong number" message?
I don't know, and have no personal opinion, I'm just curious as to what people think.
Thanks and best,
Richard
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
Comparing a paid-ranking search engine to a telephone directory service is pretty far off the mark here.
When Neulevel ran its "experiment" with this a while back, a similar argument was made relative to "coca-cola":
------
http://www.biglist.com/lists/lists.inta.org/tmtopi cs/archives/0305/msg00066.html
> What if the service was one in which you typed in "www.cocacooa.biz" and it
> returned a redirect page that said "Did you mean "www.cocacola.biz" and
> allowed you to click on that to get to the real site. Wouldn't that be
> better than getting a 404 error? Isn't that better for the user community
> and trademark owners?
The top sponsored result provided by your selected search engine, LookSmart,
for "cocacola" is a scalper selling tickets to the NASCAR Coca-Cola 600 for
approximately $300. It is most certainly not the Coca-Cola Bottling Company,
unless they are not whom you meant by the "real site".
-------
Essentially, redirecting to a paid search engine permits "typosquatting on the cheap". Instead of registering a single typo of a trademark and setting up a website for it, all I have to do is submit a sufficiently high bid for the search term through Verisign's sole-source PPC engine and voila - I now have the top position for *every* typo domain on that trademark. What's particularly nice about this method is that I can limit the time and budget in such a way that the intermittent appearance of my bidded result (say, limited to 10,000 hits or one week, whichever comes first) allows me to reap the gain before any legal action can even be commenced.
Your assumption about a "directory service" is somewhat naive.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
Naive or not, that's besides the point. They key to what Richard said is that thankfully, we receive a recorded "error message" when we dial a wrong number. The same should be for DNS. In a very crude, cave man (or cave bear [cavebear.com]) sort of way, it makes sense to compare DNS to a telephone system. When you type in a domain name, your browser crunches a few things very rapidly by processing your "call" for the number associated with a name to one of the thirteen geographically located root servers. Either operator A through M respond, and provide the correct number, and the user's request is processed. It's really quite simple, again, in a crude way. :)
Cheers,
DougDoug Mehus
http://dmehus.posterous.com/ [posterous.com]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
"it makes sense to compare DNS to a telephone system"
It does not make sense to compare a PPC search engine to a telephone directory service.
Another thing that "cave men" do is to use the error message to determine the availability of a domain name. I agree, it is a dumb method, but there are a lot of people who do that.
Now, Verisign has its name being presented to those who happen upon unregistered domain names. Coincidentally, Verisign is in the domain name registration business.
Another telephone analogy is that of caller-ID. For spam-verification software which checks the existence of a domain name prior to allowing email from that domain to pass through (and email is a more heavily-used internet service than web browsing), what we have here is the analogy of caller-ID spoofing. I'm not a telephone expert, but I doubt the telephone experts think that spoofing the origin of a call is a good idea in general.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
There's various hacks out there (go to alt.2600), I wrote one of them, that allow you to reprogram your caller ID to say whatever you want (fsck you is one of the favorites), and the telco's don't much care for it. -g
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
If that directory service operated in English, I might think it was great. Unlike browser error pages, that can be set to the user's language in order to inform the user they have reached a bad domain name, Verisign's Sitefinder operates exclusively in English.
Now, I often make calls to law firms in various countries, and when I reach a voice mail system that operates in something other than English, I occasionally will make guesses about whether it is the voice mail for the person I am trying to reach - in which case I leave a message after hearing a beep - or whether it is trying to get me to press any of several keys - in which case I press 0 to get to a human. However, what Sitefinder has done here is to eliminate the native-language error page from a non-English user's browser and to replace it with something they do not understand. In terms of functionality, that is not what anyone would agree is an "improvement".
So, if the question is "would I prefer something I understand to something I don't understand?" the question is a no-brainer.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
|
I don't like this at all.
They are supposed to manage the dns, not turn it into a moneymaking machine for theirself. It wouldn't be so bad if they made millions without hurting anyone, but they will be making money at the expense of many other people who depend on the internet for their income. They will be filtering money out of many people's pockets, and funneling it into their own pockets.
Also, what changes will they make to their pages in the future? Who's going to complain when they make small changes in their favor?
They have been trusted to manage the DNS, ...to be in charge of using it in a manner fair to everyone. Now they have given one company the ability to profit from all unregistered domains. ...that company being theirself. How is that fair? How is it fair to profit from the traffic from a domain without paying for it? Now if that domain brings them in 10 cents during a year, it's profitable for them, because they pay 0 cents for it. With no registration costs, they can offer services from domain traffic, cheaper than anyone else can. How can anyone else compete with that? Where's the level playing field? It costs me about $10 a year to use the traffic from a domain, and I have to pay for it before I can find out if it's profitable. It costs them $0 a year, and they will know in advance which domains will be profitable, before they buy it. Plus they can sell their traffic for much less and drive me and many other people out of business. I may be forced to give up my domain, because it won't be profitable for me to renew it. If I don't renew it, and it expires, it will automatically be a profit maker for Verisign. This reminds me of Enron.
This is also unfair in another way. What if Verisign did this from the beginning? Can you imagine all the high traffic domains they or their friends would own by now? With the information they will have, on which domains get the most traffic, who do you think will register them? Who do you think will be buying the best traffic domains from now on? Do you think when they see a domain making them $1,000 a year, they will let it sit there, unregistered, taking the chance that someone else might register it? Many people work full time looking for good domains to buy. They do their research, pay the registration fee, and hope the domain has typein traffic. Now verisign, with their inside information, can easily put them out of business.
They are using the position they have been entrusted with to gain a huge unfair advantage over many businesses and people working from home. They have shown that they are not capable of managing the DNS fairly and should have that responsibility taken away, immediately!
This is big business taking over the internet at the expense of smaller players, not a responsible company managing the DNS.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
You are absolutely correct on the value of competitive intelligence being reaped by Verisign on what are the most valuable unregistered domains in terms of traffic.
It is not a mistake that this action precedes WLS.
|
|
|
|
[ Reply to This | Parent
]
|
|
- 1 reply beneath your current threshold.
|
|
|
|
Sign the petition [petitiononline.com] to help stop this abuse.
|
|
|
|
[ Reply to This | Parent
]
|
| |
|
|
A core action item of the white paper was to reduce market place dominance of the .com TLD.
So, five years later, DNS is broken because .com has millions of typo-squats per day. Show me the parties that have squelched the evolution of market place competition at the registry level and I will show the parties that have broken DNS. What we have is simply a consequence of past decisions. If .com had the unit volume of .museum, few would even give this a yawn. Might be an extreme example, but I think makes the point. If .com did not have the market place dominance it currently enjoys, typo-squat redirects would not be a multi million dollar enterprise. Likely the same for WLS. Either might not even be something Verisign would choose to launch for reasons of market demand, ROI, or practical functionality. So when we talk about "who broke DNS", I think the waters run a little deeper. The white paper was written for a reason. It has been strayed from. DNS broken. Go figure.
Ray
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
The Sitefinder page is also generated for (a) domain names with no nameservers, (b) domain names in the redemption grace period (RGP) and (c) domain names on registrar hold. The names may indeed to be registered to someone, and that someone might very well object to the use of their name by Verisign, along the same lines as the register.com parking page claim.
The fact that RGP names are included provides extremely valuable intelligence to a few insiders at Verisign. They are in a position to know, with certainty, the traffic levels on domain names which are soon to be released. In conjunction with the wait-list service, this information is a gold mine.
The fact that Verisign is resolving on-hold names also frustrates reliance on the way things have historically worked. Take UDRP-cancelled domain names, for example. Bodacious-tatas.com was cancelled in a UDRP proceeding. To prevent resolution of that domain name, the complainant filed a lawsuit in India, where lawsuits move slowly enough to permanently keep a domain name on ice. Despite these efforts, Verisign is now earning pay-per-click revenue on the domain, and Verisign will be the only party to be able to earn revenue from this domain name for the foreseeable future.
Verisign will, of course, obtain John Zuccarini's revenue stream in the event that the court handling the Zuccarini case orders his domain names to be pulled out of the root. Again, nice timing.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
duh, VRSN could have had that intelligence (what typos and RGP names are commonly used) without offering the service.
=====================
been there, done that
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
>Verisign is now earning pay-per-click revenue
>on the domain, and Verisign will be the only
>party to be able to earn revenue from this
>domain name for the foreseeable future
so? how is this any different than Microsoft exploiting it's structural near-monopoly to offer it's (lame) typo service? I thought competition was supposed to be a good thing!
I see a lot of reflexive NSI hating here.
=====================
been there, done that
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
I can choose or not choose to use a Microsoft browser. And whatever Microsoft chooses to do with its browser has absolutely no effect on whether other internet software, which is built on known DNS functionality, continues to work as expected. No, I do not think that breaking everyone's link-checker software is a "good thing".
Competition is indeed a good thing. That is why when a party has been granted a limited monopoly in one area, we normally safeguard against leveraging that monopoly as an unfair advantage to compete with others in areas which are not strictly related to the rationale for the limited monopoly grant.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
|
|
Paul Vixie of the Internet Software Consortium [isc.org], creators of BIND, says [yahoo.com] they're releasing a patch. The Register covers it here [theregister.co.uk]. Circle ID has an article [circleid.com] pointing out that this is the equivalent of spyware. The Register has some mail [theregister.co.uk] regarding this, including why it will increase SPAM (also see ZDNet [zdnet.co.uk]), and how it broke a printer. Here's the latest google news [google.ca] on Verisign, the link is dynamic so will change with time, but at the moment they're getting universally hammered. And here [cctec.com] is NANOG. And after getting nothing using IE on a non-existent .com yesterday, today I get the MSN search page. Given that this will take time to propagate, perhaps tomorrow I'll get Veri$ign, or perhaps the BIND patch will save me, or... Ah, remember the good old days when M. Stuart Lynn said in ICP-3 [icann.org] that everyone should get to the same website when using the same URL. -g
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
The days of root dns servers are numbered... each
pc will have it's own dns services and these will
be feed by subscriptions to the dns of your choice.
I'll take all the outdoor sports and news dns
Thanks
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
|
|
This is a good time to look at Bob Frankston's dotDNS proposal [circleid.com] for a layer of reliable but meaningless domain names.
dotDNS lookups can be made self-verifiable using public-key signatures, but without the costly chain of trust required by DNSSEC methods. The validity of a dotDNS binding can be verified easily by the querier, without relying at all on the server that provided the putative binding.
dotDNS does not solve the whole problem, since any layer that translates from humanly meaningful names to dotDNS names is still vulnerable to hijacking. But the reliable and verifiable name bindings in dotDNS will make it much easier to switch name-resolution services when we are dissatisfied with their policies.
dotDNS is a cheap and immediately deployable positive step toward fixing the DNS mess, requiring no approval by any central agency. It's time for a visionary sponsor to step forward and just do it.
There is also an old ICANN Watch discussion of the dotDNS idea [icannwatch.org], under a different name.
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
These Site Finder results are useless too. It's just a bunch of paid links from Overture. It is not helpful.
If you mistype URLs a lot, get the Google Toolbar [google.com]. :)
Cheers,
DougDoug Mehus
http://dmehus.posterous.com/ [posterous.com]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
Uhh, what are you smoking? You can use Google Toolbar to search for the information you seek if an inactive or unregistered domain name (or misspelling) returns an error message.
Example. I am searching for the Starbucks Coffee Company, and, I type in starbukks.com, thinking that's how it's spelled (assume starbukks.com is unregistered). It returns an error message (again, assume this is before VeriSign implemented their stupid, unuseful, undemocratic, national security infringing, intellectual property violating supposedly "helpful" but in reality it's actually hurtful service). I go to Google Toolbar, type in Starbukks Coffee and its trusty spell checker auto-checks my spelling and diverts me to the correct set of listings. Now, isn't that much better? Why would you ever want VeriSign's typosquatting "search" page?
Anyone looked at VeriSign's P/E ratio lately? These guys aren't even profitable, and haven't been for who knows when. Obviously, they're doing something wrong. They are bleeding money, analysts are downgrading their debt to junk status, and it's a financial mess. Meanwhile, their Thawte subsidiary chief executive isn't profitable either, but somehow he manages to find time to go to space [google.com].
Cheers,
DougDoug Mehus
http://dmehus.posterous.com/ [posterous.com]
|
|
|
|
[ Reply to This | Parent
]
|
|
|
|
|
The Opera [opera.com] browser is even better (for a number of reasons). It has the equivalent of the Google toolbar built in. Type g anything in the URL line (with g being for google) and it googles it. -g
|
|
|
|
[ Reply to This | Parent
]
|
|
- 1 reply beneath your current threshold.
| | 6 replies beneath your current threshold. |
Privacy Policy: We will not knowingly give out your personal data -- other than identifying your postings in the way you direct by setting your configuration options -- without a court order. All logos and trademarks in this site are property of their
respective owner. The comments are property of their posters, all the rest © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by ICANNWatch.Org. This web site was made with Slashcode, a web portal system written in perl. Slashcode is Free Software released under the GNU/GPL license.
You can syndicate our headlines in .rdf, .rss, or .xml. Domain registration services donated by DomainRegistry.com
|
